START sbin/iked/live 2024-03-15T04:11:31Z ==== setup ==== echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot3 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot4 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf ssh ot3 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled ssh ot4 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled caname=ca-both; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .......................................................... ........................ e is 65537 (0x010001) caname=ca-right; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ................................... ..................... e is 65537 (0x010001) caname=ca-none; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .............................. ...................................................... e is 65537 (0x010001) caname=ca-none name=intermediate; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl genrsa -out $name-from-$caname.key 2048; openssl req -config $name-from-$caname.cnf -new -key $name-from-$caname.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions v3_intermediate_ca -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Generating RSA private key, 2048 bit long modulus ............................................................................................. .... e is 65537 (0x010001) Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=intermediate-from-ca-none openssl genrsa -out left.key 2048 Generating RSA private key, 2048 bit long modulus .............................................................................................................................. ......................................................... e is 65537 (0x010001) caname=ca-both; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both caname=ca-left; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .............................................................. ............................................................... e is 65537 (0x010001) openssl genrsa -out right.key 2048 Generating RSA private key, 2048 bit long modulus .. ......................... e is 65537 (0x010001) caname=ca-both; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both caname=ca-left; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-left caname=ca-right; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-right caname=ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-none caname=ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-none caname=intermediate-from-ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-intermediate-from-ca-none caname=intermediate-from-ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-intermediate-from-ca-none echo "cd /etc/iked\n put left-from-ca-both.crt certs\n put left-from-ca-right.crt certs\n put left-from-ca-none.crt certs\n put left-from-intermediate-from-ca-none.crt certs\n put right-from-ca-none.crt certs\n put left.key private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-left.crt ca\n put ca-both.crt ca\n" | sftp ot3 -q; echo "cd /etc/iked\n put right-from-ca-both.crt certs\n put right-from-ca-left.crt certs\n put right-from-ca-none.crt certs\n put right-from-intermediate-from-ca-none.crt certs\n put left-from-ca-none.crt certs\n put right.key private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-right.crt ca\n put ca-both.crt ca\n" | sftp ot4 -q; ssh ot3 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; ssh ot4 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub" Connected to ot3. sftp> cd /etc/iked sftp> put left-from-ca-both.crt certs Uploading left-from-ca-both.crt to /etc/iked/certs/left-from-ca-both.crt sftp> put left-from-ca-right.crt certs Uploading left-from-ca-right.crt to /etc/iked/certs/left-from-ca-right.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put left-from-intermediate-from-ca-none.crt certs Uploading left-from-intermediate-from-ca-none.crt to /etc/iked/certs/left-from-intermediate-from-ca-none.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put left.key private/local.key Uploading left.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-left.crt ca Uploading ca-left.crt to /etc/iked/ca/ca-left.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> Connected to ot4. sftp> cd /etc/iked sftp> put right-from-ca-both.crt certs Uploading right-from-ca-both.crt to /etc/iked/certs/right-from-ca-both.crt sftp> put right-from-ca-left.crt certs Uploading right-from-ca-left.crt to /etc/iked/certs/right-from-ca-left.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put right-from-intermediate-from-ca-none.crt certs Uploading right-from-intermediate-from-ca-none.crt to /etc/iked/certs/right-from-intermediate-from-ca-none.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put right.key private/local.key Uploading right.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-right.crt ca Uploading ca-right.crt to /etc/iked/ca/ca-right.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> writing RSA key writing RSA key ==== run-ping-fail ==== ssh ot3 "ipsecctl -F; pkill iked || true" ssh ot4 "ipsecctl -F; pkill iked || true" _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-cert-single-ca ==== leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; chmod 0600 run-cert-single-ca_left.conf; echo "cd /tmp\nput run-cert-single-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca_right.conf; echo "cd /tmp\nput run-cert-single-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca_left.conf run-cert-single-ca_right.conf sftp> cd /tmp sftp> put run-cert-single-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:11:58.443925 (authentic,confidential): SPI 0x3a3b0bdf: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:11:58.444252 (authentic,confidential): SPI 0x9a049b92: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-single-ca-asn1dn ==== leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; chmod 0600 run-cert-single-ca-asn1dn_left.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca-asn1dn_right.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca-asn1dn_left.conf run-cert-single-ca-asn1dn_right.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:12:09.464035 (authentic,confidential): SPI 0xa0f7debc: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:12:09.464308 (authentic,confidential): SPI 0x9fb45a2c: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-no-ca ==== leftid=left-from-ca-none; rightid=right-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; chmod 0600 run-cert-no-ca_left.conf; echo "cd /tmp\nput run-cert-no-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-no-ca_right.conf; echo "cd /tmp\nput run-cert-no-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-no-ca_left.conf run-cert-no-ca_right.conf sftp> cd /tmp sftp> put run-cert-no-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-no-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:12:20.504034 (authentic,confidential): SPI 0x7ecfa459: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:12:20.504298 (authentic,confidential): SPI 0x497c9b07: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-config-address ==== flowtype=esp; config_address=172.16.13.36; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; chmod 0600 run-config-address_left.conf; echo "cd /tmp\nput run-config-address_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address_right.conf; echo "cd /tmp\nput run-config-address_right.conf test.conf" | sftp -q ot4; rm -f run-config-address_left.conf run-config-address_right.conf sftp> cd /tmp sftp> put run-config-address_left.conf test.conf sftp> cd /tmp sftp> put run-config-address_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-config-address-pool ==== flowtype=esp; config_address=172.16.13.36/31; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; chmod 0600 run-config-address-pool_left.conf; echo "cd /tmp\nput run-config-address-pool_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address-pool_right.conf; echo "cd /tmp\nput run-config-address-pool_right.conf test.conf" | sftp -q ot4; rm -f run-config-address-pool_left.conf run-config-address-pool_right.conf sftp> cd /tmp sftp> put run-config-address-pool_left.conf test.conf sftp> cd /tmp sftp> put run-config-address-pool_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36/31; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-dstid-fail ==== leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid invalid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; chmod 0600 run-dstid-fail_left.conf; echo "cd /tmp\nput run-dstid-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-fail_right.conf; echo "cd /tmp\nput run-dstid-fail_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-fail_left.conf run-dstid-fail_right.conf sftp> cd /tmp sftp> put run-dstid-fail_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-dstid ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; chmod 0600 run-dstid_left.conf; echo "cd /tmp\nput run-dstid_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid_right.conf; echo "cd /tmp\nput run-dstid_right.conf test.conf" | sftp -q ot4; rm -f run-dstid_left.conf run-dstid_right.conf sftp> cd /tmp sftp> put run-dstid_left.conf test.conf sftp> cd /tmp sftp> put run-dstid_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:13:00.053917 (authentic,confidential): SPI 0x7631d4ca: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:13:00.054223 (authentic,confidential): SPI 0xe934408d: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-dstid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; dstid="dstid roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; chmod 0600 run-dstid-multi_left.conf; echo "cd /tmp\nput run-dstid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-multi_right.conf; echo "cd /tmp\nput run-dstid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-multi_left.conf run-dstid-multi_right.conf sftp> cd /tmp sftp> put run-dstid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:13:11.073940 (authentic,confidential): SPI 0xe7513241: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:13:11.074246 (authentic,confidential): SPI 0x15b19506: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-srcid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; side=right; mode=passive; srcid="borked"; local=10.188.43.24; peer=10.188.43.23; dstid=""; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid=$rightid; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid="roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; chmod 0600 run-srcid-multi_left.conf; echo "cd /tmp\nput run-srcid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-srcid-multi_right.conf; echo "cd /tmp\nput run-srcid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-srcid-multi_left.conf run-srcid-multi_right.conf sftp> cd /tmp sftp> put run-srcid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-srcid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:13:22.093962 (authentic,confidential): SPI 0x1ce6d61d: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:13:22.094265 (authentic,confidential): SPI 0xa263abe1: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-multi-ca ==== flowtype=esp; leftid=left-from-ca-right; rightid=right-from-ca-left; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; chmod 0600 run-cert-multi-ca_left.conf; echo "cd /tmp\nput run-cert-multi-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-multi-ca_right.conf; echo "cd /tmp\nput run-cert-multi-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-multi-ca_left.conf run-cert-multi-ca_right.conf sftp> cd /tmp sftp> put run-cert-multi-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-multi-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:13:33.143916 (authentic,confidential): SPI 0x52a08595: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:13:33.144223 (authentic,confidential): SPI 0xedb9c93a: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-second-altname ==== flowtype=esp; leftid=left-from-ca-both-alternative; rightid=right-from-ca-both@openbsd.org; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; chmod 0600 run-cert-second-altname_left.conf; echo "cd /tmp\nput run-cert-second-altname_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-second-altname_right.conf; echo "cd /tmp\nput run-cert-second-altname_right.conf test.conf" | sftp -q ot4; rm -f run-cert-second-altname_left.conf run-cert-second-altname_right.conf sftp> cd /tmp sftp> put run-cert-second-altname_left.conf test.conf sftp> cd /tmp sftp> put run-cert-second-altname_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:13:44.183920 (authentic,confidential): SPI 0x05c45fc6: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:13:44.184224 (authentic,confidential): SPI 0xb3bc2283: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-invalid-ke ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; ikesa="ikesa group ecp256 group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo "CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; ikesa="ikesa group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo "CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; chmod 0600 run-invalid-ke_left.conf; echo "cd /tmp\nput run-invalid-ke_left.conf test.conf" | sftp -q ot3; chmod 0600 run-invalid-ke_right.conf; echo "cd /tmp\nput run-invalid-ke_right.conf test.conf" | sftp -q ot4; rm -f run-invalid-ke_left.conf run-invalid-ke_right.conf sftp> cd /tmp sftp> put run-invalid-ke_left.conf test.conf sftp> cd /tmp sftp> put run-invalid-ke_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; maxwait=6; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:13:56.764040 (authentic,confidential): SPI 0x3dfa4dff: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:13:56.764337 (authentic,confidential): SPI 0x79bb4130: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-psk-fail ==== auth=psk; leftid=left-from-ca-both; rightid=right-from-ca-both; flowtype=esp; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; chmod 0600 run-psk-fail_left.conf; echo "cd /tmp\nput run-psk-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk-fail_right.conf; echo "cd /tmp\nput run-psk-fail_right.conf test.conf" | sftp -q ot4; rm -f run-psk-fail_left.conf run-psk-fail_right.conf sftp> cd /tmp sftp> put run-psk-fail_left.conf test.conf sftp> cd /tmp sftp> put run-psk-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-psk ==== auth=psk; leftid=left; rightid=right; flowtype=esp; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; chmod 0600 run-psk_left.conf; echo "cd /tmp\nput run-psk_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk_right.conf; echo "cd /tmp\nput run-psk_right.conf test.conf" | sftp -q ot4; rm -f run-psk_left.conf run-psk_right.conf sftp> cd /tmp sftp> put run-psk_left.conf test.conf sftp> cd /tmp sftp> put run-psk_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:14:24.004032 (authentic,confidential): SPI 0xdc9b62ca: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:14:24.004312 (authentic,confidential): SPI 0x31e4664e: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-intermediate-fail ==== leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; chmod 0600 run-intermediate-fail_left.conf; echo "cd /tmp\nput run-intermediate-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate-fail_right.conf; echo "cd /tmp\nput run-intermediate-fail_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate-fail_left.conf run-intermediate-fail_right.conf sftp> cd /tmp sftp> put run-intermediate-fail_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-intermediate ==== intermediate=true; leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; chmod 0600 run-intermediate_left.conf; echo "cd /tmp\nput run-intermediate_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate_right.conf; echo "cd /tmp\nput run-intermediate_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate_left.conf run-intermediate_right.conf sftp> cd /tmp sftp> put run-intermediate_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC 05:14:48.083943 (authentic,confidential): SPI 0x8c83a8e9: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:14:48.084255 (authentic,confidential): SPI 0x4d885bdf: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-fragmentation ==== flowtype=esp; fragmentation=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; chmod 0600 run-fragmentation_left.conf; echo "cd /tmp\nput run-fragmentation_left.conf test.conf" | sftp -q ot3; chmod 0600 run-fragmentation_right.conf; echo "cd /tmp\nput run-fragmentation_right.conf test.conf" | sftp -q ot4; rm -f run-fragmentation_left.conf run-fragmentation_right.conf sftp> cd /tmp sftp> put run-fragmentation_left.conf test.conf sftp> cd /tmp sftp> put run-fragmentation_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:15:01.163981 (authentic,confidential): SPI 0x37f93432: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:15:01.164300 (authentic,confidential): SPI 0xf002bee5: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-transport ==== flowtype=esp; tmode=transport; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; chmod 0600 run-transport_left.conf; echo "cd /tmp\nput run-transport_left.conf test.conf" | sftp -q ot3; chmod 0600 run-transport_right.conf; echo "cd /tmp\nput run-transport_right.conf test.conf" | sftp -q ot4; rm -f run-transport_left.conf run-transport_right.conf sftp> cd /tmp sftp> put run-transport_left.conf test.conf sftp> cd /tmp sftp> put run-transport_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" tmode=transport; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:15:12.213915 (authentic,confidential): SPI 0x30a040f0: 10.188.43.23 > 10.188.43.24: icmp: echo request 05:15:12.214222 (authentic,confidential): SPI 0x180e93f5: 10.188.43.24 > 10.188.43.23: icmp: echo reply ==== run-singleikesa ==== flowtype=esp; singleikesa=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; chmod 0600 run-singleikesa_left.conf; echo "cd /tmp\nput run-singleikesa_left.conf test.conf" | sftp -q ot3; chmod 0600 run-singleikesa_right.conf; echo "cd /tmp\nput run-singleikesa_right.conf test.conf" | sftp -q ot4; rm -f run-singleikesa_left.conf run-singleikesa_right.conf sftp> cd /tmp sftp> put run-singleikesa_left.conf test.conf sftp> cd /tmp sftp> put run-singleikesa_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" sleep 1; ssh ot4 "ikectl reload"; sleep 3; count=`ssh ot3 "ikectl show sa | grep -c iked_sas"`; if [[ "$count" != "1" ]]; then echo "error: too many IKE SAs."; exit 1; fi ==== run-ipcomp ==== flowtype=ipcomp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; chmod 0600 run-ipcomp_left.conf; echo "cd /tmp\nput run-ipcomp_left.conf test.conf" | sftp -q ot3; chmod 0600 run-ipcomp_right.conf; echo "cd /tmp\nput run-ipcomp_right.conf test.conf" | sftp -q ot4; rm -f run-ipcomp_left.conf run-ipcomp_right.conf sftp> cd /tmp sftp> put run-ipcomp_left.conf test.conf sftp> cd /tmp sftp> put run-ipcomp_right.conf test.conf sysctl="net.inet.ipcomp.enable=1"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl" net.inet.ipcomp.enable: 0 -> 1 net.inet.ipcomp.enable: 0 -> 1 ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=ipcomp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:15:33.494047 (authentic,confidential): SPI 0xd7686051: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:15:33.494311 (authentic,confidential): SPI 0x40a94d3c: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-udpencap-port ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; chmod 0600 run-udpencap-port_left.conf; echo "cd /tmp\nput run-udpencap-port_left.conf test.conf" | sftp -q ot3; chmod 0600 run-udpencap-port_right.conf; echo "cd /tmp\nput run-udpencap-port_right.conf test.conf" | sftp -q ot4; rm -f run-udpencap-port_left.conf run-udpencap-port_right.conf; sysctl="net.inet.esp.udpencap_port=9999"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; sftp> cd /tmp sftp> put run-udpencap-port_left.conf test.conf sftp> cd /tmp sftp> put run-udpencap-port_right.conf test.conf net.inet.esp.udpencap_port: 4500 -> 9999 net.inet.esp.udpencap_port: 4500 -> 9999 iked_flags=-p9999; ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:15:46.023916 (authentic,confidential): SPI 0xa6e64bbd: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:15:46.024211 (authentic,confidential): SPI 0x36de8491: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) sysctl="net.inet.esp.udpencap_port=4500"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; net.inet.esp.udpencap_port: 9999 -> 4500 net.inet.esp.udpencap_port: 9999 -> 4500 ==== cleanup ==== ssh ot3 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled ssh ot4 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled PASS sbin/iked/live Duration 4m21.05s