START sbin/iked/live 2021-04-08T02:48:56Z ==== setup ==== echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot3 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot4 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf ssh ot3 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled ssh ot4 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled caname=ca-both; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ............................................................................................+++++ ................................................................................................................................................+++++ e is 65537 (0x10001) caname=ca-right; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ...........+++++ .......+++++ e is 65537 (0x10001) openssl genrsa -out left.key 2048 Generating RSA private key, 2048 bit long modulus ..........................................+++++ .........+++++ e is 65537 (0x10001) caname=ca-both; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both Getting CA Private Key caname=ca-left; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ............+++++ ......+++++ e is 65537 (0x10001) openssl genrsa -out right.key 2048 Generating RSA private key, 2048 bit long modulus ......+++++ ..+++++ e is 65537 (0x10001) caname=ca-both; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both Getting CA Private Key caname=ca-left; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-left Getting CA Private Key caname=ca-right; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-right Getting CA Private Key echo "cd /etc/iked\n put left-from-ca-both.crt certs\n put left-from-ca-right.crt certs\n put left.key private/local.key\n put ca-left.crt ca\n put ca-both.crt ca\n" | sftp ot3 -q; echo "cd /etc/iked\n put right-from-ca-both.crt certs\n put right-from-ca-left.crt certs\n put right.key private/local.key\n put ca-right.crt ca\n put ca-both.crt ca\n" | sftp ot4 -q; ssh ot3 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; ssh ot4 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub" Connected to ot3. sftp> cd /etc/iked sftp> put left-from-ca-both.crt certs Uploading left-from-ca-both.crt to /etc/iked/certs/left-from-ca-both.crt sftp> put left-from-ca-right.crt certs Uploading left-from-ca-right.crt to /etc/iked/certs/left-from-ca-right.crt sftp> put left.key private/local.key Uploading left.key to /etc/iked/private/local.key sftp> put ca-left.crt ca Uploading ca-left.crt to /etc/iked/ca/ca-left.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> Connected to ot4. sftp> cd /etc/iked sftp> put right-from-ca-both.crt certs Uploading right-from-ca-both.crt to /etc/iked/certs/right-from-ca-both.crt sftp> put right-from-ca-left.crt certs Uploading right-from-ca-left.crt to /etc/iked/certs/right-from-ca-left.crt sftp> put right.key private/local.key Uploading right.key to /etc/iked/private/local.key sftp> put ca-right.crt ca Uploading ca-right.crt to /etc/iked/ca/ca-right.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> writing RSA key writing RSA key ==== run-ping-fail ==== ssh ot3 "ipsecctl -F; pkill iked || true" ssh ot4 "ipsecctl -F; pkill iked || true" _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-cert-single-ca ==== leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; chmod 0600 run-cert-single-ca_left.conf; echo "cd /tmp\nput run-cert-single-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca_right.conf; echo "cd /tmp\nput run-cert-single-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca_left.conf run-cert-single-ca_right.conf sftp> cd /tmp sftp> put run-cert-single-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:49:25.089964 (authentic,confidential): SPI 0x0c2b3b93: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:49:25.090526 (authentic,confidential): SPI 0x6f48faee: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-single-ca-asn1dn ==== leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; chmod 0600 run-cert-single-ca-asn1dn_left.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca-asn1dn_right.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca-asn1dn_left.conf run-cert-single-ca-asn1dn_right.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:49:36.531331 (authentic,confidential): SPI 0x4bab6787: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:49:36.531868 (authentic,confidential): SPI 0x1d5c1afb: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-config-address ==== flowtype=esp; config_address=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; chmod 0600 run-config-address_left.conf; echo "cd /tmp\nput run-config-address_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address_right.conf; echo "cd /tmp\nput run-config-address_right.conf test.conf" | sftp -q ot4; rm -f run-config-address_left.conf run-config-address_right.conf sftp> cd /tmp sftp> put run-config-address_left.conf test.conf sftp> cd /tmp sftp> put run-config-address_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=true; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-dstid-fail ==== leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid invalid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; chmod 0600 run-dstid-fail_left.conf; echo "cd /tmp\nput run-dstid-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-fail_right.conf; echo "cd /tmp\nput run-dstid-fail_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-fail_left.conf run-dstid-fail_right.conf sftp> cd /tmp sftp> put run-dstid-fail_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-dstid ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; chmod 0600 run-dstid_left.conf; echo "cd /tmp\nput run-dstid_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid_right.conf; echo "cd /tmp\nput run-dstid_right.conf test.conf" | sftp -q ot4; rm -f run-dstid_left.conf run-dstid_right.conf sftp> cd /tmp sftp> put run-dstid_left.conf test.conf sftp> cd /tmp sftp> put run-dstid_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:50:10.915369 (authentic,confidential): SPI 0xf76d5cfd: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:50:10.915841 (authentic,confidential): SPI 0xcb4179bd: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-dstid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; dstid="dstid roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; chmod 0600 run-dstid-multi_left.conf; echo "cd /tmp\nput run-dstid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-multi_right.conf; echo "cd /tmp\nput run-dstid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-multi_left.conf run-dstid-multi_right.conf sftp> cd /tmp sftp> put run-dstid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:50:22.276715 (authentic,confidential): SPI 0x327c39c8: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:50:22.277227 (authentic,confidential): SPI 0x882b1ddf: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-multi-ca ==== flowtype=esp; leftid=left-from-ca-right; rightid=right-from-ca-left; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; chmod 0600 run-cert-multi-ca_left.conf; echo "cd /tmp\nput run-cert-multi-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-multi-ca_right.conf; echo "cd /tmp\nput run-cert-multi-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-multi-ca_left.conf run-cert-multi-ca_right.conf sftp> cd /tmp sftp> put run-cert-multi-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-multi-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:50:33.618047 (authentic,confidential): SPI 0x7d8ec129: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:50:33.618625 (authentic,confidential): SPI 0x4f3dd254: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-second-altname ==== flowtype=esp; leftid=left-from-ca-both-alternative; rightid=right-from-ca-both@openbsd.org; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; chmod 0600 run-cert-second-altname_left.conf; echo "cd /tmp\nput run-cert-second-altname_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-second-altname_right.conf; echo "cd /tmp\nput run-cert-second-altname_right.conf test.conf" | sftp -q ot4; rm -f run-cert-second-altname_left.conf run-cert-second-altname_right.conf sftp> cd /tmp sftp> put run-cert-second-altname_left.conf test.conf sftp> cd /tmp sftp> put run-cert-second-altname_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:50:44.959377 (authentic,confidential): SPI 0xde2ebba1: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:50:44.959902 (authentic,confidential): SPI 0xce65a614: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-psk-fail ==== auth=psk; leftid=left-from-ca-both; rightid=right-from-ca-both; flowtype=esp; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; chmod 0600 run-psk-fail_left.conf; echo "cd /tmp\nput run-psk-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk-fail_right.conf; echo "cd /tmp\nput run-psk-fail_right.conf test.conf" | sftp -q ot4; rm -f run-psk-fail_left.conf run-psk-fail_right.conf sftp> cd /tmp sftp> put run-psk-fail_left.conf test.conf sftp> cd /tmp sftp> put run-psk-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-psk ==== auth=psk; leftid=left; rightid=right; flowtype=esp; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; chmod 0600 run-psk_left.conf; echo "cd /tmp\nput run-psk_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk_right.conf; echo "cd /tmp\nput run-psk_right.conf test.conf" | sftp -q ot4; rm -f run-psk_left.conf run-psk_right.conf sftp> cd /tmp sftp> put run-psk_left.conf test.conf sftp> cd /tmp sftp> put run-psk_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:51:12.822647 (authentic,confidential): SPI 0x69c56666: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:51:12.823130 (authentic,confidential): SPI 0x6a2b450d: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-fragmentation ==== flowtype=esp; fragmentation=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; chmod 0600 run-fragmentation_left.conf; echo "cd /tmp\nput run-fragmentation_left.conf test.conf" | sftp -q ot3; chmod 0600 run-fragmentation_right.conf; echo "cd /tmp\nput run-fragmentation_right.conf test.conf" | sftp -q ot4; rm -f run-fragmentation_left.conf run-fragmentation_right.conf sftp> cd /tmp sftp> put run-fragmentation_left.conf test.conf sftp> cd /tmp sftp> put run-fragmentation_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:51:24.203980 (authentic,confidential): SPI 0x60353986: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:51:24.204502 (authentic,confidential): SPI 0x903a3154: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-transport ==== flowtype=esp; tmode=transport; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; chmod 0600 run-transport_left.conf; echo "cd /tmp\nput run-transport_left.conf test.conf" | sftp -q ot3; chmod 0600 run-transport_right.conf; echo "cd /tmp\nput run-transport_right.conf test.conf" | sftp -q ot4; rm -f run-transport_left.conf run-transport_right.conf sftp> cd /tmp sftp> put run-transport_left.conf test.conf sftp> cd /tmp sftp> put run-transport_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" tmode=transport; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:51:35.625330 (authentic,confidential): SPI 0x1b971197: 10.188.43.23 > 10.188.43.24: icmp: echo request 04:51:35.625852 (authentic,confidential): SPI 0x11a21fbc: 10.188.43.24 > 10.188.43.23: icmp: echo reply ==== run-singleikesa ==== flowtype=esp; singleikesa=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; chmod 0600 run-singleikesa_left.conf; echo "cd /tmp\nput run-singleikesa_left.conf test.conf" | sftp -q ot3; chmod 0600 run-singleikesa_right.conf; echo "cd /tmp\nput run-singleikesa_right.conf test.conf" | sftp -q ot4; rm -f run-singleikesa_left.conf run-singleikesa_right.conf sftp> cd /tmp sftp> put run-singleikesa_left.conf test.conf sftp> cd /tmp sftp> put run-singleikesa_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" sleep 1; ssh ot4 "ikectl reload"; sleep 3; count=`ssh ot3 "ikectl show sa | grep -c iked_sas"`; if [[ "$count" != "1" ]]; then echo "error: too many IKE SAs."; exit 1; fi ==== run-ipcomp ==== flowtype=ipcomp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; chmod 0600 run-ipcomp_left.conf; echo "cd /tmp\nput run-ipcomp_left.conf test.conf" | sftp -q ot3; chmod 0600 run-ipcomp_right.conf; echo "cd /tmp\nput run-ipcomp_right.conf test.conf" | sftp -q ot4; rm -f run-ipcomp_left.conf run-ipcomp_right.conf sftp> cd /tmp sftp> put run-ipcomp_left.conf test.conf sftp> cd /tmp sftp> put run-ipcomp_right.conf test.conf sysctl="net.inet.ipcomp.enable=1"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl" net.inet.ipcomp.enable: 0 -> 1 net.inet.ipcomp.enable: 0 -> 1 ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=ipcomp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:51:57.517908 (authentic,confidential): SPI 0xb8ef4427: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:51:57.518491 (authentic,confidential): SPI 0x5dc4f15d: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-udpencap-port ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; confstr=""; if [ "$config_address" = true ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 172.16.13.36/31"; to="dynamic"; else mode=active; confstr="request address any"; from="dynamic"; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; chmod 0600 run-udpencap-port_left.conf; echo "cd /tmp\nput run-udpencap-port_left.conf test.conf" | sftp -q ot3; chmod 0600 run-udpencap-port_right.conf; echo "cd /tmp\nput run-udpencap-port_right.conf test.conf" | sftp -q ot4; rm -f run-udpencap-port_left.conf run-udpencap-port_right.conf; sysctl="net.inet.esp.udpencap_port=9999"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; sftp> cd /tmp sftp> put run-udpencap-port_left.conf test.conf sftp> cd /tmp sftp> put run-udpencap-port_right.conf test.conf net.inet.esp.udpencap_port: 4500 -> 9999 net.inet.esp.udpencap_port: 4500 -> 9999 iked_flags=-p9999; ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ "$config_address" = true ]; then dynamic="172.16.13.37"; fi; while [[ $count -le 3 ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 04:52:10.479450 (authentic,confidential): SPI 0x7c45cd8c: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 04:52:10.479930 (authentic,confidential): SPI 0x2507d979: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) sysctl="net.inet.esp.udpencap_port=4500"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; net.inet.esp.udpencap_port: 9999 -> 4500 net.inet.esp.udpencap_port: 9999 -> 4500 ==== cleanup ==== ssh ot3 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled ssh ot4 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled PASS sbin/iked/live Duration 3m19.88s