START sbin/iked/live 2024-04-15T15:33:46Z ==== setup ==== echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot3 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot4 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf ssh ot3 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled ssh ot4 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled caname=ca-both; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ..................... .............................................................. e is 65537 (0x010001) caname=ca-right; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ........................................................................ ......... e is 65537 (0x010001) caname=ca-none; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ........ ..................... e is 65537 (0x010001) caname=ca-none name=intermediate; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl genrsa -out $name-from-$caname.key 2048; openssl req -config $name-from-$caname.cnf -new -key $name-from-$caname.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions v3_intermediate_ca -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Generating RSA private key, 2048 bit long modulus .. .................................. 
e is 65537 (0x010001) Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=intermediate-from-ca-none openssl genrsa -out left.key 2048 Generating RSA private key, 2048 bit long modulus ........... ............... e is 65537 (0x010001) caname=ca-both; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both caname=ca-left; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .................... ................. e is 65537 (0x010001) openssl genrsa -out right.key 2048 Generating RSA private key, 2048 bit long modulus ................................................................................... .................................................................................................. 
e is 65537 (0x010001) caname=ca-both; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both caname=ca-left; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-left caname=ca-right; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-right caname=ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key 
-CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-none caname=ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-none caname=intermediate-from-ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-intermediate-from-ca-none caname=intermediate-from-ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-intermediate-from-ca-none echo "cd /etc/iked\n put left-from-ca-both.crt certs\n put left-from-ca-right.crt certs\n put left-from-ca-none.crt certs\n put left-from-intermediate-from-ca-none.crt certs\n put right-from-ca-none.crt certs\n put left.key 
private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-left.crt ca\n put ca-both.crt ca\n" | sftp ot3 -q; echo "cd /etc/iked\n put right-from-ca-both.crt certs\n put right-from-ca-left.crt certs\n put right-from-ca-none.crt certs\n put right-from-intermediate-from-ca-none.crt certs\n put left-from-ca-none.crt certs\n put right.key private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-right.crt ca\n put ca-both.crt ca\n" | sftp ot4 -q; ssh ot3 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; ssh ot4 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub" Connected to ot3. sftp> cd /etc/iked sftp> put left-from-ca-both.crt certs Uploading left-from-ca-both.crt to /etc/iked/certs/left-from-ca-both.crt sftp> put left-from-ca-right.crt certs Uploading left-from-ca-right.crt to /etc/iked/certs/left-from-ca-right.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put left-from-intermediate-from-ca-none.crt certs Uploading left-from-intermediate-from-ca-none.crt to /etc/iked/certs/left-from-intermediate-from-ca-none.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put left.key private/local.key Uploading left.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-left.crt ca Uploading ca-left.crt to /etc/iked/ca/ca-left.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> Connected to ot4. 
sftp> cd /etc/iked sftp> put right-from-ca-both.crt certs Uploading right-from-ca-both.crt to /etc/iked/certs/right-from-ca-both.crt sftp> put right-from-ca-left.crt certs Uploading right-from-ca-left.crt to /etc/iked/certs/right-from-ca-left.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put right-from-intermediate-from-ca-none.crt certs Uploading right-from-intermediate-from-ca-none.crt to /etc/iked/certs/right-from-intermediate-from-ca-none.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put right.key private/local.key Uploading right.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-right.crt ca Uploading ca-right.crt to /etc/iked/ca/ca-right.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> writing RSA key writing RSA key ==== run-ping-fail ==== ssh ot3 "ipsecctl -F; pkill iked || true" ssh ot4 "ipsecctl -F; pkill iked || true" _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! 
> /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-cert-single-ca ==== leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> 
run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> 
run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; chmod 0600 run-cert-single-ca_left.conf; echo "cd /tmp\nput run-cert-single-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca_right.conf; echo "cd /tmp\nput run-cert-single-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca_left.conf run-cert-single-ca_right.conf sftp> cd /tmp sftp> put run-cert-single-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then 
_ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:34:17.323896 (authentic,confidential): SPI 0xc8baf162: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:34:17.324255 (authentic,confidential): SPI 0xc07357b1: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-single-ca-asn1dn ==== leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; 
else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; 
fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; chmod 0600 run-cert-single-ca-asn1dn_left.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca-asn1dn_right.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca-asn1dn_left.conf run-cert-single-ca-asn1dn_right.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* 
dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! 
> /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:34:28.553964 (authentic,confidential): SPI 0x5f94fd9a: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:34:28.554286 (authentic,confidential): SPI 0x367db2c6: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-no-ca ==== leftid=left-from-ca-none; rightid=right-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo 
"IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> 
run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; chmod 0600 run-cert-no-ca_left.conf; echo "cd /tmp\nput run-cert-no-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-no-ca_right.conf; echo "cd /tmp\nput run-cert-no-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-no-ca_left.conf run-cert-no-ca_right.conf sftp> cd /tmp sftp> put run-cert-no-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-no-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not 
# --- Tail of the previous test's SA check (that statement starts before this
# chunk), then its traffic check: on ot3 a backgrounded `tcpdump -c2` on enc0
# writes /tmp/test.pcap while ping sends 5 echo requests to 10.188.43.24; the
# pcap is printed and removed, then `kill -9 $!` is attempted with errors
# suppressed. The check passes only when an "(authentic,confidential): SPI"
# line is seen in BOTH directions, i.e. ESP carried the echo and the reply.
# NOTE(review): `\\$!` sits inside the double-quoted ssh argument, so which
# shell expands `$!` (local or ot3) depends on make/shell quoting — confirm the
# backgrounded tcpdump is really the process killed; `tcpdump -c2` exits by
# itself in the success case, so this only matters when no packets arrive.
# `[[ "" == "6" ]]` is presumably a make-time expansion of an IP-version
# variable that is empty in this run, hence IPv4 `ping`.
# ==== run-config-address: left becomes the passive responder with
# "config address 172.16.13.36" (no "/" in the value, so to=172.16.13.36);
# right becomes the active initiator with "request address any" (the
# from="dynamic"/from=config_address branch continues on the next line).
# When auth=psk, a fresh 20-byte hex PSK from `openssl rand` is embedded in
# both conf files as AUTH="psk ...".
found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:34:39.883887 (authentic,confidential): SPI 0x5225c83a: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:34:39.884248 (authentic,confidential): SPI 0xf80452c9: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-config-address ==== flowtype=esp; config_address=172.16.13.36; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then 
# Each side's conf is built by appending KEY="value" lines to
# run-config-address_$side.conf (SRCID carries escaped inner quotes) followed
# by the iked.in template. `global` joins optional "set ..." lines with a
# literal "\n"; writing it with plain `echo` relies on this shell's echo
# interpreting backslash escapes (the sftp transcript below shows it does).
from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> 
# Deploy: chmod 0600 each conf (it may contain the PSK), sftp it to
# /tmp/test.conf on ot3/ot4, delete the local copies, then restart iked on
# both hosts with a flushed SAD/SPD (ipsecctl -F; pkill iked; iked -f ...).
# NOTE(review): the conf is created by `>>` before the chmod, so its initial
# mode depends on the umask of the test runner.
# SA check: poll `ipsecctl -sa` on both hosts up to maxwait+1 rounds (default
# 3, no explicit sleep between rounds — the ssh round-trips are the only
# delay) for both flows and all four SAs. With config_address set, the flow
# regex accepts any 172.16.13.x as the dynamic address. `[ -z $tmode ]` is an
# unquoted test; harmless while tmode is empty or a single word.
run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; chmod 0600 run-config-address_left.conf; echo "cd /tmp\nput run-config-address_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address_right.conf; echo "cd /tmp\nput run-config-address_right.conf test.conf" | sftp -q ot4; rm -f run-config-address_left.conf run-config-address_right.conf sftp> cd /tmp sftp> put run-config-address_left.conf test.conf sftp> cd /tmp sftp> put run-config-address_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 
# --- Remaining SA greps of the run-config-address check (the sed chain began
# on the previous line): all four SAs and both flows must be non-empty before
# the loop breaks with _ret=0; otherwise the ipsecctl output is echoed and the
# test exits 1.
# ==== run-config-address-pool: like run-config-address, but with the /31
# pool 172.16.13.36/31. Because the value contains "/", left writes
# to="dynamic" and right writes from="dynamic" instead of a fixed address.
10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-config-address-pool ==== flowtype=esp; config_address=172.16.13.36/31; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> 
# Right-side conf for the pool test: active initiator with "request address
# any" and from="dynamic", same KEY="value" layout as the left side.
run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> 
# Deploy (chmod 0600, sftp, rm, restart iked on both hosts) and SA check, as
# in run-config-address. NOTE(review): the dynamic-address regex
# 172.16.13.[0-9]+ is not narrowed to the /31, so any 172.16.13.x lease would
# satisfy this check — observed, not changed here.
run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; chmod 0600 run-config-address-pool_left.conf; echo "cd /tmp\nput run-config-address-pool_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address-pool_right.conf; echo "cd /tmp\nput run-config-address-pool_right.conf test.conf" | sftp -q ot4; rm -f run-config-address-pool_left.conf run-config-address-pool_right.conf sftp> cd /tmp sftp> put run-config-address-pool_left.conf test.conf sftp> cd /tmp sftp> put run-config-address-pool_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36/31; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode 
# --- Tail of the run-config-address-pool SA check (success expected).
# ==== run-dstid-fail: negative test. Left is configured without a dstid;
# right is forced passive with dstid="dstid invalid", so right's policy
# requires a peer identity that left never presents. No config_address here,
# so the confstr block is a no-op and from/to stay the fixed host addresses.
from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-dstid-fail ==== leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> 
# Right-side conf: mode=passive is set explicitly before the `-z "$mode"`
# default, and DSTID="dstid invalid" is written; everything else as before.
run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid invalid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; chmod 0600 run-dstid-fail_left.conf; echo "cd /tmp\nput run-dstid-fail_left.conf test.conf" 
# Deploy, then the SA check with the exit condition INVERTED: `-ne 1` makes
# the test fail if SAs or flows do appear. The echoed "SAs not found" with
# empty FLOWS/SAD on both hosts is the expected outcome. The traffic check
# starting at the end of this line (continued on the next) is inverted the
# same way.
| sftp -q ot3; chmod 0600 run-dstid-fail_right.conf; echo "cd /tmp\nput run-dstid-fail_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-fail_left.conf run-dstid-fail_right.conf sftp> cd /tmp sftp> put run-dstid-fail_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 
# --- Rest of the run-dstid-fail traffic check: ESP must NOT be seen in either
# direction (`-ne 1` → exit 1). The "ping: sendmsg: Permission denied" lines
# show ot3 refused to send the echo requests at all — presumably the pf rules
# loaded during setup block the traffic when no matching flow exists; confirm
# against pf.in.
# ==== run-dstid: positive counterpart. Both sides pin the peer identity
# (left dstid=$rightid, right dstid=$leftid); SA and traffic checks use the
# normal `-ne 0` exit, i.e. success is expected.
-w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-dstid ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> 
# Right-side conf for run-dstid (DSTID="dstid left-from-ca-both"); mode is
# not forced here, so it falls back to "active" unless already set.
run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat 
# Deploy (chmod 0600, sftp, rm, restart iked), SA check expecting success,
# then the traffic check begins (finished on the next line).
/usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; chmod 0600 run-dstid_left.conf; echo "cd /tmp\nput run-dstid_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid_right.conf; echo "cd /tmp\nput run-dstid_right.conf test.conf" | sftp -q ot4; rm -f run-dstid_left.conf run-dstid_right.conf sftp> cd /tmp sftp> put run-dstid_left.conf test.conf sftp> cd /tmp sftp> put run-dstid_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else 
# --- Rest of the run-dstid traffic check: one ESP packet per direction is
# captured, so the test passes.
# ==== run-dstid-multi: left pins dstid=$rightid; right is forced passive and
# gets TWO policies appended to the same conf file — first dstid=$leftid,
# then dstid="roflol". Success is expected, presumably to verify that iked
# picks the policy whose dstid matches the presented identity.
ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:35:20.923893 (authentic,confidential): SPI 0xe5c8d967: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:35:20.924245 (authentic,confidential): SPI 0x21c1378b: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-dstid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> 
# First right-side policy: mode=passive forced, dstid=$leftid.
run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo 
# Second right-side policy: dstid="roflol", appended to the same file; side,
# srcid, local and peer carry over unchanged from the first policy.
"SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; dstid="dstid roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat 
# Deploy (chmod 0600, sftp, rm, restart iked) and SA check, success expected.
/usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; chmod 0600 run-dstid-multi_left.conf; echo "cd /tmp\nput run-dstid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-multi_right.conf; echo "cd /tmp\nput run-dstid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-multi_left.conf run-dstid-multi_right.conf sftp> cd /tmp sftp> put run-dstid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi 
# --- Traffic check for run-dstid-multi: ESP seen in both directions → pass.
# ==== run-srcid-multi: left pins dstid=$rightid; right is forced passive and
# gets THREE policies in one conf file — srcid="borked" (with dstid cleared),
# then srcid=$rightid, then srcid="roflol". SA and traffic checks use the
# normal `-ne 0` exit, i.e. success is expected despite the two bogus srcids.
_ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:35:32.263896 (authentic,confidential): SPI 0x839b7cdc: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:35:32.264240 (authentic,confidential): SPI 0x5604fe61: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-srcid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> 
# First right-side policy: mode=passive forced, srcid="borked", dstid="".
run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; side=right; mode=passive; srcid="borked"; local=10.188.43.24; peer=10.188.43.23; dstid=""; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> 
# Second right-side policy: srcid=$rightid (the valid identity), appended to
# the same file.
run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid=$rightid; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat 
# Third right-side policy: srcid="roflol"; then chmod 0600 + sftp deploy of
# both conf files and removal of the local copies.
/usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid="roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; chmod 0600 run-srcid-multi_left.conf; echo "cd /tmp\nput run-srcid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-srcid-multi_right.conf; echo "cd /tmp\nput run-srcid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-srcid-multi_left.conf run-srcid-multi_right.conf sftp> cd /tmp 
# Restart iked on both hosts, SA check (success expected), then the traffic
# check, which is cut off at the end of this chunk.
sftp> put run-srcid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-srcid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! 
> /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:35:43.783897 (authentic,confidential): SPI 0x8b546a12: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:35:43.784264 (authentic,confidential): SPI 0xbd7da053: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-multi-ca ==== flowtype=esp; leftid=left-from-ca-right; rightid=right-from-ca-left; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> 
run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo 
"CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; chmod 0600 run-cert-multi-ca_left.conf; echo "cd /tmp\nput run-cert-multi-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-multi-ca_right.conf; echo "cd /tmp\nput run-cert-multi-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-multi-ca_left.conf run-cert-multi-ca_right.conf sftp> cd /tmp sftp> put run-cert-multi-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-multi-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" 
]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:35:55.173892 (authentic,confidential): SPI 0x1cb6d887: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:35:55.174237 (authentic,confidential): SPI 0x02e35d3e: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-second-altname ==== flowtype=esp; leftid=left-from-ca-both-alternative; rightid=right-from-ca-both@openbsd.org; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; 
else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> 
run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; chmod 0600 run-cert-second-altname_left.conf; echo "cd /tmp\nput run-cert-second-altname_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-second-altname_right.conf; echo "cd /tmp\nput run-cert-second-altname_right.conf test.conf" | sftp -q ot4; rm -f run-cert-second-altname_left.conf run-cert-second-altname_right.conf sftp> cd /tmp sftp> put run-cert-second-altname_left.conf test.conf sftp> cd /tmp sftp> put run-cert-second-altname_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | 
sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! 
> /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:36:06.493918 (authentic,confidential): SPI 0x43883b0f: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:36:06.494262 (authentic,confidential): SPI 0xb33f9cb4: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-invalid-ke ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; ikesa="ikesa group ecp256 group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> 
run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo "CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; ikesa="ikesa group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo 
"CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; chmod 0600 run-invalid-ke_left.conf; echo "cd /tmp\nput run-invalid-ke_left.conf test.conf" | sftp -q ot3; chmod 0600 run-invalid-ke_right.conf; echo "cd /tmp\nput run-invalid-ke_right.conf test.conf" | sftp -q ot4; rm -f run-invalid-ke_left.conf run-invalid-ke_right.conf sftp> cd /tmp sftp> put run-invalid-ke_left.conf test.conf sftp> cd /tmp sftp> put run-invalid-ke_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; maxwait=6; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; 
let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:36:19.453966 (authentic,confidential): SPI 0x26f7a14f: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:36:19.454355 (authentic,confidential): SPI 0x550d972b: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-psk-fail ==== auth=psk; leftid=left-from-ca-both; rightid=right-from-ca-both; flowtype=esp; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ 
"$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo 
"LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; chmod 0600 run-psk-fail_left.conf; echo "cd /tmp\nput run-psk-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk-fail_right.conf; echo "cd /tmp\nput run-psk-fail_right.conf test.conf" | sftp -q ot4; rm -f run-psk-fail_left.conf run-psk-fail_right.conf sftp> cd /tmp sftp> put run-psk-fail_left.conf test.conf sftp> cd /tmp sftp> put run-psk-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode 
from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-psk ==== auth=psk; leftid=left; rightid=right; flowtype=esp; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; 
fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo 
"TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; chmod 0600 run-psk_left.conf; echo "cd /tmp\nput run-psk_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk_right.conf; echo "cd /tmp\nput run-psk_right.conf test.conf" | sftp -q ot4; rm -f run-psk_left.conf run-psk_right.conf sftp> cd /tmp sftp> put run-psk_left.conf test.conf sftp> cd /tmp sftp> put run-psk_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo 
"$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:36:47.643920 (authentic,confidential): SPI 0xdc635357: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:36:47.644330 (authentic,confidential): SPI 0x02728d6b: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-intermediate-fail ==== leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set 
enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address 
$config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; chmod 0600 run-intermediate-fail_left.conf; echo "cd /tmp\nput run-intermediate-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate-fail_right.conf; echo "cd /tmp\nput run-intermediate-fail_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate-fail_left.conf run-intermediate-fail_right.conf sftp> cd /tmp sftp> put run-intermediate-fail_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 
ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! 
> /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-intermediate ==== intermediate=true; leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo 
"IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo 
"IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; chmod 0600 run-intermediate_left.conf; echo "cd /tmp\nput run-intermediate_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate_right.conf; echo "cd /tmp\nput run-intermediate_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate_left.conf run-intermediate_right.conf sftp> cd /tmp sftp> put run-intermediate_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! 
> /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC 17:37:12.823926 (authentic,confidential): SPI 0x173c4015: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:37:12.824419 (authentic,confidential): SPI 0x9a06ac88: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-fragmentation ==== flowtype=esp; fragmentation=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> 
run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo 
"AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; chmod 0600 run-fragmentation_left.conf; echo "cd /tmp\nput run-fragmentation_left.conf test.conf" | sftp -q ot3; chmod 0600 run-fragmentation_right.conf; echo "cd /tmp\nput run-fragmentation_right.conf test.conf" | sftp -q ot4; rm -f run-fragmentation_left.conf run-fragmentation_right.conf sftp> cd /tmp sftp> put run-fragmentation_left.conf test.conf sftp> cd /tmp sftp> put run-fragmentation_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && 
-n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:37:29.172364 (authentic,confidential): SPI 0x9ff4a2d5: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) 17:37:30.134000 (authentic,confidential): SPI 0x7e1dbda7: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) ==== run-transport ==== flowtype=esp; tmode=transport; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then 
to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> 
run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; chmod 0600 run-transport_left.conf; echo "cd /tmp\nput run-transport_left.conf test.conf" | sftp -q ot3; chmod 0600 run-transport_right.conf; echo "cd /tmp\nput run-transport_right.conf test.conf" | sftp -q ot4; rm -f run-transport_left.conf run-transport_right.conf sftp> cd /tmp sftp> put run-transport_left.conf test.conf sftp> cd /tmp sftp> put run-transport_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" tmode=transport; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n 
"/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:37:43.394014 (authentic,confidential): SPI 0x2964ab60: 10.188.43.23 > 10.188.43.24: icmp: echo request 17:37:43.394311 (authentic,confidential): SPI 0xb986ee17: 10.188.43.24 > 10.188.43.23: icmp: echo reply ==== run-singleikesa ==== flowtype=esp; singleikesa=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" 
= true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; 
then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; chmod 0600 run-singleikesa_left.conf; echo "cd /tmp\nput run-singleikesa_left.conf test.conf" | sftp -q ot3; chmod 0600 run-singleikesa_right.conf; echo "cd /tmp\nput run-singleikesa_right.conf test.conf" | sftp -q ot4; rm -f run-singleikesa_left.conf run-singleikesa_right.conf sftp> cd /tmp sftp> put run-singleikesa_left.conf test.conf sftp> cd /tmp sftp> put run-singleikesa_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" sleep 1; ssh ot4 "ikectl reload"; sleep 3; count=`ssh ot3 "ikectl show sa | grep -c iked_sas"`; if [[ "$count" != "1" ]]; then echo "error: too many IKE SAs."; exit 1; fi ==== run-ipcomp ==== flowtype=ipcomp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; 
authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set 
cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; chmod 0600 run-ipcomp_left.conf; echo "cd /tmp\nput run-ipcomp_left.conf test.conf" | sftp -q ot3; chmod 0600 run-ipcomp_right.conf; echo "cd /tmp\nput run-ipcomp_right.conf test.conf" | sftp -q ot4; rm -f run-ipcomp_left.conf run-ipcomp_right.conf sftp> cd /tmp sftp> put run-ipcomp_left.conf test.conf sftp> cd /tmp sftp> put run-ipcomp_right.conf test.conf sysctl="net.inet.ipcomp.enable=1"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl" net.inet.ipcomp.enable: 0 -> 1 net.inet.ipcomp.enable: 0 -> 1 ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=ipcomp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh 
ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! 
> /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:38:05.873900 (authentic,confidential): SPI 0x038c885b: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:38:05.874295 (authentic,confidential): SPI 0x91158928: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-udpencap-port ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> 
run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo 
"CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; chmod 0600 run-udpencap-port_left.conf; echo "cd /tmp\nput run-udpencap-port_left.conf test.conf" | sftp -q ot3; chmod 0600 run-udpencap-port_right.conf; echo "cd /tmp\nput run-udpencap-port_right.conf test.conf" | sftp -q ot4; rm -f run-udpencap-port_left.conf run-udpencap-port_right.conf; sysctl="net.inet.esp.udpencap_port=9999"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; sftp> cd /tmp sftp> put run-udpencap-port_left.conf test.conf sftp> cd /tmp sftp> put run-udpencap-port_right.conf test.conf net.inet.esp.udpencap_port: 4500 -> 9999 net.inet.esp.udpencap_port: 4500 -> 9999 iked_flags=-p9999; ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" 
| sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:38:18.943899 (authentic,confidential): SPI 0x09d52b42: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:38:18.944244 (authentic,confidential): SPI 0x5eca762e: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) sysctl="net.inet.esp.udpencap_port=4500"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; net.inet.esp.udpencap_port: 9999 -> 4500 net.inet.esp.udpencap_port: 9999 -> 4500 ==== cleanup ==== ssh ot3 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled ssh ot4 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 
4500 pf disabled PASS sbin/iked/live Duration 4m39.20s