START sbin/iked/live 2024-07-05T03:16:08Z ==== setup ==== echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot3 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot4 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf ssh ot3 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled ssh ot4 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled caname=ca-both; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .................................................................................................... ........................................................................................ e is 65537 (0x010001) caname=ca-right; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ............................... .............. e is 65537 (0x010001) caname=ca-none; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ........................................................ ................................... e is 65537 (0x010001) caname=ca-none name=intermediate; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl genrsa -out $name-from-$caname.key 2048; openssl req -config $name-from-$caname.cnf -new -key $name-from-$caname.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions v3_intermediate_ca -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Generating RSA private key, 2048 bit long modulus ..................................................................................................................................................................................................................... .............................................................................................. e is 65537 (0x010001) Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=intermediate-from-ca-none openssl genrsa -out left.key 2048 Generating RSA private key, 2048 bit long modulus ........................................................................................ ...... e is 65537 (0x010001) caname=ca-both; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both caname=ca-left; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .................................... ...... e is 65537 (0x010001) openssl genrsa -out right.key 2048 Generating RSA private key, 2048 bit long modulus ............................ ............................................................................ e is 65537 (0x010001) caname=ca-both; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both caname=ca-left; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-left caname=ca-right; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-right caname=ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-none caname=ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-none caname=intermediate-from-ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-intermediate-from-ca-none caname=intermediate-from-ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-intermediate-from-ca-none echo "cd /etc/iked\n put left-from-ca-both.crt certs\n put left-from-ca-right.crt certs\n put left-from-ca-none.crt certs\n put left-from-intermediate-from-ca-none.crt certs\n put right-from-ca-none.crt certs\n put left.key private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-left.crt ca\n put ca-both.crt ca\n" | sftp ot3 -q; echo "cd /etc/iked\n put right-from-ca-both.crt certs\n put right-from-ca-left.crt certs\n put right-from-ca-none.crt certs\n put right-from-intermediate-from-ca-none.crt certs\n put left-from-ca-none.crt certs\n put right.key private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-right.crt ca\n put ca-both.crt ca\n" | sftp ot4 -q; ssh ot3 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; ssh ot4 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub" Connected to ot3. sftp> cd /etc/iked sftp> put left-from-ca-both.crt certs Uploading left-from-ca-both.crt to /etc/iked/certs/left-from-ca-both.crt sftp> put left-from-ca-right.crt certs Uploading left-from-ca-right.crt to /etc/iked/certs/left-from-ca-right.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put left-from-intermediate-from-ca-none.crt certs Uploading left-from-intermediate-from-ca-none.crt to /etc/iked/certs/left-from-intermediate-from-ca-none.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put left.key private/local.key Uploading left.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-left.crt ca Uploading ca-left.crt to /etc/iked/ca/ca-left.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> Connected to ot4. sftp> cd /etc/iked sftp> put right-from-ca-both.crt certs Uploading right-from-ca-both.crt to /etc/iked/certs/right-from-ca-both.crt sftp> put right-from-ca-left.crt certs Uploading right-from-ca-left.crt to /etc/iked/certs/right-from-ca-left.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put right-from-intermediate-from-ca-none.crt certs Uploading right-from-intermediate-from-ca-none.crt to /etc/iked/certs/right-from-intermediate-from-ca-none.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put right.key private/local.key Uploading right.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-right.crt ca Uploading ca-right.crt to /etc/iked/ca/ca-right.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> writing RSA key writing RSA key ==== run-ping-fail ==== ssh ot3 "ipsecctl -F; pkill iked || true" ssh ot4 "ipsecctl -F; pkill iked || true" _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-cert-single-ca ==== leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; chmod 0600 run-cert-single-ca_left.conf; echo "cd /tmp\nput run-cert-single-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca_right.conf; echo "cd /tmp\nput run-cert-single-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca_left.conf run-cert-single-ca_right.conf sftp> cd /tmp sftp> put run-cert-single-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:16:37.292386 (authentic,confidential): SPI 0xa2f94bbb: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:16:37.292703 (authentic,confidential): SPI 0x06d1da93: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-single-ca-asn1dn ==== leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; chmod 0600 run-cert-single-ca-asn1dn_left.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca-asn1dn_right.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca-asn1dn_left.conf run-cert-single-ca-asn1dn_right.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:16:48.352412 (authentic,confidential): SPI 0x36dd09e6: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:16:48.352704 (authentic,confidential): SPI 0x6e68f5ec: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-no-ca ==== leftid=left-from-ca-none; rightid=right-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; chmod 0600 run-cert-no-ca_left.conf; echo "cd /tmp\nput run-cert-no-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-no-ca_right.conf; echo "cd /tmp\nput run-cert-no-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-no-ca_left.conf run-cert-no-ca_right.conf sftp> cd /tmp sftp> put run-cert-no-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-no-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:16:59.402328 (authentic,confidential): SPI 0x349db249: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:16:59.402656 (authentic,confidential): SPI 0x1e0ce9a1: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-config-address ==== flowtype=esp; config_address=172.16.13.36; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; chmod 0600 run-config-address_left.conf; echo "cd /tmp\nput run-config-address_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address_right.conf; echo "cd /tmp\nput run-config-address_right.conf test.conf" | sftp -q ot4; rm -f run-config-address_left.conf run-config-address_right.conf sftp> cd /tmp sftp> put run-config-address_left.conf test.conf sftp> cd /tmp sftp> put run-config-address_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-config-address-pool ==== flowtype=esp; config_address=172.16.13.36/31; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; chmod 0600 run-config-address-pool_left.conf; echo "cd /tmp\nput run-config-address-pool_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address-pool_right.conf; echo "cd /tmp\nput run-config-address-pool_right.conf test.conf" | sftp -q ot4; rm -f run-config-address-pool_left.conf run-config-address-pool_right.conf sftp> cd /tmp sftp> put run-config-address-pool_left.conf test.conf sftp> cd /tmp sftp> put run-config-address-pool_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36/31; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-dstid-fail ==== leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid invalid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; chmod 0600 run-dstid-fail_left.conf; echo "cd /tmp\nput run-dstid-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-fail_right.conf; echo "cd /tmp\nput run-dstid-fail_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-fail_left.conf run-dstid-fail_right.conf sftp> cd /tmp sftp> put run-dstid-fail_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-dstid ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; chmod 0600 run-dstid_left.conf; echo "cd /tmp\nput run-dstid_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid_right.conf; echo "cd /tmp\nput run-dstid_right.conf test.conf" | sftp -q ot4; rm -f run-dstid_left.conf run-dstid_right.conf sftp> cd /tmp sftp> put run-dstid_left.conf test.conf sftp> cd /tmp sftp> put run-dstid_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:17:38.942329 (authentic,confidential): SPI 0x32846f78: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:17:38.942647 (authentic,confidential): SPI 0x2fd925de: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-dstid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; dstid="dstid roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; chmod 0600 run-dstid-multi_left.conf; echo "cd /tmp\nput run-dstid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-multi_right.conf; echo "cd /tmp\nput run-dstid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-multi_left.conf run-dstid-multi_right.conf sftp> cd /tmp sftp> put run-dstid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:17:49.982439 (authentic,confidential): SPI 0x6e950463: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:17:49.982731 (authentic,confidential): SPI 0x791e3b8e: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-srcid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; side=right; mode=passive; srcid="borked"; local=10.188.43.24; peer=10.188.43.23; dstid=""; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid=$rightid; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid="roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; chmod 0600 run-srcid-multi_left.conf; echo "cd /tmp\nput run-srcid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-srcid-multi_right.conf; echo "cd /tmp\nput run-srcid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-srcid-multi_left.conf run-srcid-multi_right.conf sftp> cd /tmp sftp> put run-srcid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-srcid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:18:01.022326 (authentic,confidential): SPI 0x70e96a28: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:18:01.022652 (authentic,confidential): SPI 0xa5863e5f: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-multi-ca ==== flowtype=esp; leftid=left-from-ca-right; rightid=right-from-ca-left; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; chmod 0600 run-cert-multi-ca_left.conf; echo "cd /tmp\nput run-cert-multi-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-multi-ca_right.conf; echo "cd /tmp\nput run-cert-multi-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-multi-ca_left.conf run-cert-multi-ca_right.conf sftp> cd /tmp sftp> put run-cert-multi-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-multi-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:18:12.032450 (authentic,confidential): SPI 0xe89ccbc5: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:18:12.032742 (authentic,confidential): SPI 0xc2495bbd: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-second-altname ==== flowtype=esp; leftid=left-from-ca-both-alternative; rightid=right-from-ca-both@openbsd.org; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; chmod 0600 run-cert-second-altname_left.conf; echo "cd /tmp\nput run-cert-second-altname_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-second-altname_right.conf; echo "cd /tmp\nput run-cert-second-altname_right.conf test.conf" | sftp -q ot4; rm -f run-cert-second-altname_left.conf run-cert-second-altname_right.conf sftp> cd /tmp sftp> put run-cert-second-altname_left.conf test.conf sftp> cd /tmp sftp> put run-cert-second-altname_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:18:23.092404 (authentic,confidential): SPI 0xd265dd68: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:18:23.092717 (authentic,confidential): SPI 0x8d58ea09: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-invalid-ke ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; ikesa="ikesa group ecp256 group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo "CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; ikesa="ikesa group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo "CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; chmod 0600 run-invalid-ke_left.conf; echo "cd /tmp\nput run-invalid-ke_left.conf test.conf" | sftp -q ot3; chmod 0600 run-invalid-ke_right.conf; echo "cd /tmp\nput run-invalid-ke_right.conf test.conf" | sftp -q ot4; rm -f run-invalid-ke_left.conf run-invalid-ke_right.conf sftp> cd /tmp sftp> put run-invalid-ke_left.conf test.conf sftp> cd /tmp sftp> put run-invalid-ke_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; maxwait=6; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:18:35.662360 (authentic,confidential): SPI 0x7f44d6ca: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:18:35.662666 (authentic,confidential): SPI 0x690552a0: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-psk-fail ==== auth=psk; leftid=left-from-ca-both; rightid=right-from-ca-both; flowtype=esp; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; chmod 0600 run-psk-fail_left.conf; echo "cd /tmp\nput run-psk-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk-fail_right.conf; echo "cd /tmp\nput run-psk-fail_right.conf test.conf" | sftp -q ot4; rm -f run-psk-fail_left.conf run-psk-fail_right.conf sftp> cd /tmp sftp> put run-psk-fail_left.conf test.conf sftp> cd /tmp sftp> put run-psk-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-psk ==== auth=psk; leftid=left; rightid=right; flowtype=esp; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; chmod 0600 run-psk_left.conf; echo "cd /tmp\nput run-psk_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk_right.conf; echo "cd /tmp\nput run-psk_right.conf test.conf" | sftp -q ot4; rm -f run-psk_left.conf run-psk_right.conf sftp> cd /tmp sftp> put run-psk_left.conf test.conf sftp> cd /tmp sftp> put run-psk_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:19:02.812454 (authentic,confidential): SPI 0x918b7378: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:19:02.812726 (authentic,confidential): SPI 0x0259594c: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-intermediate-fail ==== leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; chmod 0600 run-intermediate-fail_left.conf; echo "cd /tmp\nput run-intermediate-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate-fail_right.conf; echo "cd /tmp\nput run-intermediate-fail_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate-fail_left.conf run-intermediate-fail_right.conf sftp> cd /tmp sftp> put run-intermediate-fail_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-intermediate ==== intermediate=true; leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; chmod 0600 run-intermediate_left.conf; echo "cd /tmp\nput run-intermediate_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate_right.conf; echo "cd /tmp\nput run-intermediate_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate_left.conf run-intermediate_right.conf sftp> cd /tmp sftp> put run-intermediate_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC 05:19:26.942352 (authentic,confidential): SPI 0x92eb4c38: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:19:26.942667 (authentic,confidential): SPI 0x49c518e3: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-fragmentation ==== flowtype=esp; fragmentation=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; chmod 0600 run-fragmentation_left.conf; echo "cd /tmp\nput run-fragmentation_left.conf test.conf" | sftp -q ot3; chmod 0600 run-fragmentation_right.conf; echo "cd /tmp\nput run-fragmentation_right.conf test.conf" | sftp -q ot4; rm -f run-fragmentation_left.conf run-fragmentation_right.conf sftp> cd /tmp sftp> put run-fragmentation_left.conf test.conf sftp> cd /tmp sftp> put run-fragmentation_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:19:39.942324 (authentic,confidential): SPI 0xf1efbc3b: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:19:39.942637 (authentic,confidential): SPI 0x058bfd93: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-transport ==== flowtype=esp; tmode=transport; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; chmod 0600 run-transport_left.conf; echo "cd /tmp\nput run-transport_left.conf test.conf" | sftp -q ot3; chmod 0600 run-transport_right.conf; echo "cd /tmp\nput run-transport_right.conf test.conf" | sftp -q ot4; rm -f run-transport_left.conf run-transport_right.conf sftp> cd /tmp sftp> put run-transport_left.conf test.conf sftp> cd /tmp sftp> put run-transport_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" tmode=transport; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:19:50.992405 (authentic,confidential): SPI 0xd6bf632e: 10.188.43.23 > 10.188.43.24: icmp: echo request 05:19:50.992706 (authentic,confidential): SPI 0x9826f29d: 10.188.43.24 > 10.188.43.23: icmp: echo reply ==== run-singleikesa ==== flowtype=esp; singleikesa=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; chmod 0600 run-singleikesa_left.conf; echo "cd /tmp\nput run-singleikesa_left.conf test.conf" | sftp -q ot3; chmod 0600 run-singleikesa_right.conf; echo "cd /tmp\nput run-singleikesa_right.conf test.conf" | sftp -q ot4; rm -f run-singleikesa_left.conf run-singleikesa_right.conf sftp> cd /tmp sftp> put run-singleikesa_left.conf test.conf sftp> cd /tmp sftp> put run-singleikesa_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" sleep 1; ssh ot4 "ikectl reload"; sleep 3; count=`ssh ot3 "ikectl show sa | grep -c iked_sas"`; if [[ "$count" != "1" ]]; then echo "error: too many IKE SAs."; exit 1; fi ==== run-ipcomp ==== flowtype=ipcomp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; chmod 0600 run-ipcomp_left.conf; echo "cd /tmp\nput run-ipcomp_left.conf test.conf" | sftp -q ot3; chmod 0600 run-ipcomp_right.conf; echo "cd /tmp\nput run-ipcomp_right.conf test.conf" | sftp -q ot4; rm -f run-ipcomp_left.conf run-ipcomp_right.conf sftp> cd /tmp sftp> put run-ipcomp_left.conf test.conf sftp> cd /tmp sftp> put run-ipcomp_right.conf test.conf sysctl="net.inet.ipcomp.enable=1"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl" net.inet.ipcomp.enable: 0 -> 1 net.inet.ipcomp.enable: 0 -> 1 ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=ipcomp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:20:12.212344 (authentic,confidential): SPI 0x9e2aa135: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:20:12.212650 (authentic,confidential): SPI 0xe587bebe: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-udpencap-port ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; chmod 0600 run-udpencap-port_left.conf; echo "cd /tmp\nput run-udpencap-port_left.conf test.conf" | sftp -q ot3; chmod 0600 run-udpencap-port_right.conf; echo "cd /tmp\nput run-udpencap-port_right.conf test.conf" | sftp -q ot4; rm -f run-udpencap-port_left.conf run-udpencap-port_right.conf; sysctl="net.inet.esp.udpencap_port=9999"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; sftp> cd /tmp sftp> put run-udpencap-port_left.conf test.conf sftp> cd /tmp sftp> put run-udpencap-port_right.conf test.conf net.inet.esp.udpencap_port: 4500 -> 9999 net.inet.esp.udpencap_port: 4500 -> 9999 iked_flags=-p9999; ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 05:20:24.782446 (authentic,confidential): SPI 0xab70d040: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 05:20:24.782744 (authentic,confidential): SPI 0xaecf3bc4: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) sysctl="net.inet.esp.udpencap_port=4500"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; net.inet.esp.udpencap_port: 9999 -> 4500 net.inet.esp.udpencap_port: 9999 -> 4500 ==== cleanup ==== ssh ot3 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled ssh ot4 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled PASS sbin/iked/live Duration 4m21.99s