START sbin/iked/live 2024-11-09T16:29:52Z ==== setup ==== echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot3 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf echo "cd /tmp\nput /usr/src/regress/sbin/iked/live/pf.in pf.conf" | sftp -q ot4 sftp> cd /tmp sftp> put /usr/src/regress/sbin/iked/live/pf.in pf.conf ssh ot3 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled ssh ot4 "pfctl -f /tmp/pf.conf; pfctl -e" pf enabled caname=ca-both; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .............................. .................... e is 65537 (0x010001) caname=ca-right; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus ........................ ...................................... e is 65537 (0x010001) caname=ca-none; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .... ......................................... e is 65537 (0x010001) caname=ca-none name=intermediate; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl genrsa -out $name-from-$caname.key 2048; openssl req -config $name-from-$caname.cnf -new -key $name-from-$caname.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions v3_intermediate_ca -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Generating RSA private key, 2048 bit long modulus .................................. .......................... e is 65537 (0x010001) Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=intermediate-from-ca-none openssl genrsa -out left.key 2048 Generating RSA private key, 2048 bit long modulus ..... ................. e is 65537 (0x010001) caname=ca-both; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both caname=ca-left; openssl genrsa -out $caname.key 2048; openssl req -subj "/C=DE/ST=Bavaria/L=Munich/O=iked/CN=$caname" -new -x509 -key $caname.key -out $caname.crt Generating RSA private key, 2048 bit long modulus .................................................................................... ... e is 65537 (0x010001) openssl genrsa -out right.key 2048 Generating RSA private key, 2048 bit long modulus ........................................................ ................................ e is 65537 (0x010001) caname=ca-both; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both caname=ca-left; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-left caname=ca-right; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-right caname=ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-none caname=ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-none caname=intermediate-from-ca-none; name=left; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-intermediate-from-ca-none caname=intermediate-from-ca-none; name=right; echo "ALTNAME = $name-from-$caname" > $name-from-$caname.cnf; cat /usr/src/regress/sbin/iked/live/crt.in >> $name-from-$caname.cnf; openssl req -config $name-from-$caname.cnf -new -key $name.key -nodes -out $name-from-$caname.csr; openssl x509 -extfile $name-from-$caname.cnf -extensions req_cert_extensions -req -in $name-from-$caname.csr -CA $caname.crt -CAkey $caname.key -CAcreateserial -out $name-from-$caname.crt Signature ok subject=/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-intermediate-from-ca-none echo "cd /etc/iked\n put left-from-ca-both.crt certs\n put left-from-ca-right.crt certs\n put left-from-ca-none.crt certs\n put left-from-intermediate-from-ca-none.crt certs\n put right-from-ca-none.crt certs\n put left.key private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-left.crt ca\n put ca-both.crt ca\n" | sftp ot3 -q; echo "cd /etc/iked\n put right-from-ca-both.crt certs\n put right-from-ca-left.crt certs\n put right-from-ca-none.crt certs\n put right-from-intermediate-from-ca-none.crt certs\n put left-from-ca-none.crt certs\n put right.key private/local.key\n put intermediate-from-ca-none.crt ca\n put ca-right.crt ca\n put ca-both.crt ca\n" | sftp ot4 -q; ssh ot3 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub"; ssh ot4 "openssl rsa -in /etc/iked/private/local.key -pubout > /etc/iked/local.pub" Connected to ot3. sftp> cd /etc/iked sftp> put left-from-ca-both.crt certs Uploading left-from-ca-both.crt to /etc/iked/certs/left-from-ca-both.crt sftp> put left-from-ca-right.crt certs Uploading left-from-ca-right.crt to /etc/iked/certs/left-from-ca-right.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put left-from-intermediate-from-ca-none.crt certs Uploading left-from-intermediate-from-ca-none.crt to /etc/iked/certs/left-from-intermediate-from-ca-none.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put left.key private/local.key Uploading left.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-left.crt ca Uploading ca-left.crt to /etc/iked/ca/ca-left.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> Connected to ot4. sftp> cd /etc/iked sftp> put right-from-ca-both.crt certs Uploading right-from-ca-both.crt to /etc/iked/certs/right-from-ca-both.crt sftp> put right-from-ca-left.crt certs Uploading right-from-ca-left.crt to /etc/iked/certs/right-from-ca-left.crt sftp> put right-from-ca-none.crt certs Uploading right-from-ca-none.crt to /etc/iked/certs/right-from-ca-none.crt sftp> put right-from-intermediate-from-ca-none.crt certs Uploading right-from-intermediate-from-ca-none.crt to /etc/iked/certs/right-from-intermediate-from-ca-none.crt sftp> put left-from-ca-none.crt certs Uploading left-from-ca-none.crt to /etc/iked/certs/left-from-ca-none.crt sftp> put right.key private/local.key Uploading right.key to /etc/iked/private/local.key sftp> put intermediate-from-ca-none.crt ca Uploading intermediate-from-ca-none.crt to /etc/iked/ca/intermediate-from-ca-none.crt sftp> put ca-right.crt ca Uploading ca-right.crt to /etc/iked/ca/ca-right.crt sftp> put ca-both.crt ca Uploading ca-both.crt to /etc/iked/ca/ca-both.crt sftp> writing RSA key writing RSA key ==== run-ping-fail ==== ssh ot3 "ipsecctl -F; pkill iked || true" ssh ot4 "ipsecctl -F; pkill iked || true" _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-cert-single-ca ==== leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca_$side.conf; echo "$global" >> run-cert-single-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca_$side.conf; chmod 0600 run-cert-single-ca_left.conf; echo "cd /tmp\nput run-cert-single-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca_right.conf; echo "cd /tmp\nput run-cert-single-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca_left.conf run-cert-single-ca_right.conf sftp> cd /tmp sftp> put run-cert-single-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:30:16.166746 (authentic,confidential): SPI 0x215484e7: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:30:16.172409 (authentic,confidential): SPI 0xce35a748: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-single-ca-asn1dn ==== leftid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=left-from-ca-both"; rightid="/C=DE/ST=Bavaria/L=Munich/O=iked/CN=right-from-ca-both"; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "FROM=\"$from\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "TO=\"$to\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-single-ca-asn1dn_$side.conf; echo "$global" >> run-cert-single-ca-asn1dn_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-single-ca-asn1dn_$side.conf; chmod 0600 run-cert-single-ca-asn1dn_left.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-single-ca-asn1dn_right.conf; echo "cd /tmp\nput run-cert-single-ca-asn1dn_right.conf test.conf" | sftp -q ot4; rm -f run-cert-single-ca-asn1dn_left.conf run-cert-single-ca-asn1dn_right.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_left.conf test.conf sftp> cd /tmp sftp> put run-cert-single-ca-asn1dn_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:30:25.606778 (authentic,confidential): SPI 0x18222240: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:30:25.607193 (authentic,confidential): SPI 0x01f889b2: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-no-ca ==== leftid=left-from-ca-none; rightid=right-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-no-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-no-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-no-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-no-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-no-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-no-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-no-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-no-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-no-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-no-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-no-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-no-ca_$side.conf; echo "$global" >> run-cert-no-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-no-ca_$side.conf; chmod 0600 run-cert-no-ca_left.conf; echo "cd /tmp\nput run-cert-no-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-no-ca_right.conf; echo "cd /tmp\nput run-cert-no-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-no-ca_left.conf run-cert-no-ca_right.conf sftp> cd /tmp sftp> put run-cert-no-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-no-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:30:34.966872 (authentic,confidential): SPI 0xfaed946e: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:30:34.974725 (authentic,confidential): SPI 0x396cc024: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-config-address ==== flowtype=esp; config_address=172.16.13.36; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address_$side.conf; echo "FROM=\"$from\"" >> run-config-address_$side.conf; echo "TO=\"$to\"" >> run-config-address_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address_$side.conf; echo "$global" >> run-config-address_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address_$side.conf; chmod 0600 run-config-address_left.conf; echo "cd /tmp\nput run-config-address_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address_right.conf; echo "cd /tmp\nput run-config-address_right.conf test.conf" | sftp -q ot4; rm -f run-config-address_left.conf run-config-address_right.conf sftp> cd /tmp sftp> put run-config-address_left.conf test.conf sftp> cd /tmp sftp> put run-config-address_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-config-address-pool ==== flowtype=esp; config_address=172.16.13.36/31; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-config-address-pool_$side.conf; echo "TMODE=\"$tmode\"" >> run-config-address-pool_$side.conf; echo "FROM=\"$from\"" >> run-config-address-pool_$side.conf; echo "TO=\"$to\"" >> run-config-address-pool_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-config-address-pool_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-config-address-pool_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-config-address-pool_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-config-address-pool_$side.conf; echo "DSTID=\"$dstid\"" >> run-config-address-pool_$side.conf; echo "AUTH=\"$authstr\"" >> run-config-address-pool_$side.conf; echo "CONFIG=\"$confstr\"" >> run-config-address-pool_$side.conf; echo "IKESA=\"$ikesa\"" >> run-config-address-pool_$side.conf; echo "$global" >> run-config-address-pool_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-config-address-pool_$side.conf; chmod 0600 run-config-address-pool_left.conf; echo "cd /tmp\nput run-config-address-pool_left.conf test.conf" | sftp -q ot3; chmod 0600 run-config-address-pool_right.conf; echo "cd /tmp\nput run-config-address-pool_right.conf test.conf" | sftp -q ot4; rm -f run-config-address-pool_left.conf run-config-address-pool_right.conf sftp> cd /tmp sftp> put run-config-address-pool_left.conf test.conf sftp> cd /tmp sftp> put run-config-address-pool_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" config_address=172.16.13.36/31; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi ==== run-dstid-fail ==== leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid invalid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-fail_$side.conf; echo "FROM=\"$from\"" >> run-dstid-fail_$side.conf; echo "TO=\"$to\"" >> run-dstid-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-fail_$side.conf; echo "$global" >> run-dstid-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-fail_$side.conf; chmod 0600 run-dstid-fail_left.conf; echo "cd /tmp\nput run-dstid-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-fail_right.conf; echo "cd /tmp\nput run-dstid-fail_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-fail_left.conf run-dstid-fail_right.conf sftp> cd /tmp sftp> put run-dstid-fail_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-dstid ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid_$side.conf; echo "FROM=\"$from\"" >> run-dstid_$side.conf; echo "TO=\"$to\"" >> run-dstid_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid_$side.conf; echo "$global" >> run-dstid_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid_$side.conf; chmod 0600 run-dstid_left.conf; echo "cd /tmp\nput run-dstid_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid_right.conf; echo "cd /tmp\nput run-dstid_right.conf test.conf" | sftp -q ot4; rm -f run-dstid_left.conf run-dstid_right.conf sftp> cd /tmp sftp> put run-dstid_left.conf test.conf sftp> cd /tmp sftp> put run-dstid_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:31:09.866743 (authentic,confidential): SPI 0xb1479d03: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:31:09.867123 (authentic,confidential): SPI 0x24cbcd57: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-dstid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; dstid="dstid roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-dstid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-dstid-multi_$side.conf; echo "FROM=\"$from\"" >> run-dstid-multi_$side.conf; echo "TO=\"$to\"" >> run-dstid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-dstid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-dstid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-dstid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-dstid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-dstid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-dstid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-dstid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-dstid-multi_$side.conf; echo "$global" >> run-dstid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-dstid-multi_$side.conf; chmod 0600 run-dstid-multi_left.conf; echo "cd /tmp\nput run-dstid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-dstid-multi_right.conf; echo "cd /tmp\nput run-dstid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-dstid-multi_left.conf run-dstid-multi_right.conf sftp> cd /tmp sftp> put run-dstid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-dstid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:31:19.236751 (authentic,confidential): SPI 0x6cbac52b: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:31:19.237127 (authentic,confidential): SPI 0xf36b7657: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-srcid-multi ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; side=right; mode=passive; srcid="borked"; local=10.188.43.24; peer=10.188.43.23; dstid=""; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid=$rightid; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; srcid="roflol"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-srcid-multi_$side.conf; echo "TMODE=\"$tmode\"" >> run-srcid-multi_$side.conf; echo "FROM=\"$from\"" >> run-srcid-multi_$side.conf; echo "TO=\"$to\"" >> run-srcid-multi_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-srcid-multi_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-srcid-multi_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-srcid-multi_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-srcid-multi_$side.conf; echo "DSTID=\"$dstid\"" >> run-srcid-multi_$side.conf; echo "AUTH=\"$authstr\"" >> run-srcid-multi_$side.conf; echo "CONFIG=\"$confstr\"" >> run-srcid-multi_$side.conf; echo "IKESA=\"$ikesa\"" >> run-srcid-multi_$side.conf; echo "$global" >> run-srcid-multi_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-srcid-multi_$side.conf; chmod 0600 run-srcid-multi_left.conf; echo "cd /tmp\nput run-srcid-multi_left.conf test.conf" | sftp -q ot3; chmod 0600 run-srcid-multi_right.conf; echo "cd /tmp\nput run-srcid-multi_right.conf test.conf" | sftp -q ot4; rm -f run-srcid-multi_left.conf run-srcid-multi_right.conf sftp> cd /tmp sftp> put run-srcid-multi_left.conf test.conf sftp> cd /tmp sftp> put run-srcid-multi_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:31:28.606864 (authentic,confidential): SPI 0x72f59f10: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:31:28.618879 (authentic,confidential): SPI 0xb96bc775: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-multi-ca ==== flowtype=esp; leftid=left-from-ca-right; rightid=right-from-ca-left; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-multi-ca_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-multi-ca_$side.conf; echo "FROM=\"$from\"" >> run-cert-multi-ca_$side.conf; echo "TO=\"$to\"" >> run-cert-multi-ca_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-multi-ca_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-multi-ca_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-multi-ca_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-multi-ca_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-multi-ca_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-multi-ca_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-multi-ca_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-multi-ca_$side.conf; echo "$global" >> run-cert-multi-ca_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-multi-ca_$side.conf; chmod 0600 run-cert-multi-ca_left.conf; echo "cd /tmp\nput run-cert-multi-ca_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-multi-ca_right.conf; echo "cd /tmp\nput run-cert-multi-ca_right.conf test.conf" | sftp -q ot4; rm -f run-cert-multi-ca_left.conf run-cert-multi-ca_right.conf sftp> cd /tmp sftp> put run-cert-multi-ca_left.conf test.conf sftp> cd /tmp sftp> put run-cert-multi-ca_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:31:37.816823 (authentic,confidential): SPI 0xd9dd4702: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:31:37.817316 (authentic,confidential): SPI 0xa7fd3acc: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-cert-second-altname ==== flowtype=esp; leftid=left-from-ca-both-alternative; rightid=right-from-ca-both@openbsd.org; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-cert-second-altname_$side.conf; echo "TMODE=\"$tmode\"" >> run-cert-second-altname_$side.conf; echo "FROM=\"$from\"" >> run-cert-second-altname_$side.conf; echo "TO=\"$to\"" >> run-cert-second-altname_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-cert-second-altname_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-cert-second-altname_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-cert-second-altname_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-cert-second-altname_$side.conf; echo "DSTID=\"$dstid\"" >> run-cert-second-altname_$side.conf; echo "AUTH=\"$authstr\"" >> run-cert-second-altname_$side.conf; echo "CONFIG=\"$confstr\"" >> run-cert-second-altname_$side.conf; echo "IKESA=\"$ikesa\"" >> run-cert-second-altname_$side.conf; echo "$global" >> run-cert-second-altname_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-cert-second-altname_$side.conf; chmod 0600 run-cert-second-altname_left.conf; echo "cd /tmp\nput run-cert-second-altname_left.conf test.conf" | sftp -q ot3; chmod 0600 run-cert-second-altname_right.conf; echo "cd /tmp\nput run-cert-second-altname_right.conf test.conf" | sftp -q ot4; rm -f run-cert-second-altname_left.conf run-cert-second-altname_right.conf sftp> cd /tmp sftp> put run-cert-second-altname_left.conf test.conf sftp> cd /tmp sftp> put run-cert-second-altname_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:31:46.966745 (authentic,confidential): SPI 0xd16a5a3e: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:31:46.967523 (authentic,confidential): SPI 0x3ec9582e: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-invalid-ke ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; ikesa="ikesa group ecp256 group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo "CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; side=right; mode=passive; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; ikesa="ikesa group curve25519"; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-invalid-ke_$side.conf; echo "TMODE=\"$tmode\"" >> run-invalid-ke_$side.conf; echo "FROM=\"$from\"" >> run-invalid-ke_$side.conf; echo "TO=\"$to\"" >> run-invalid-ke_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-invalid-ke_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-invalid-ke_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-invalid-ke_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-invalid-ke_$side.conf; echo "DSTID=\"$dstid\"" >> run-invalid-ke_$side.conf; echo "AUTH=\"$authstr\"" >> run-invalid-ke_$side.conf; echo "CONFIG=\"$confstr\"" >> run-invalid-ke_$side.conf; echo "IKESA=\"$ikesa\"" >> run-invalid-ke_$side.conf; echo "$global" >> run-invalid-ke_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-invalid-ke_$side.conf; chmod 0600 run-invalid-ke_left.conf; echo "cd /tmp\nput run-invalid-ke_left.conf test.conf" | sftp -q ot3; chmod 0600 run-invalid-ke_right.conf; echo "cd /tmp\nput run-invalid-ke_right.conf test.conf" | sftp -q ot4; rm -f run-invalid-ke_left.conf run-invalid-ke_right.conf sftp> cd /tmp sftp> put run-invalid-ke_left.conf test.conf sftp> cd /tmp sftp> put run-invalid-ke_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; maxwait=6; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:31:59.256798 (authentic,confidential): SPI 0x0c2b56b7: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:31:59.257443 (authentic,confidential): SPI 0x8e2682e1: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-psk-fail ==== auth=psk; leftid=left-from-ca-both; rightid=right-from-ca-both; flowtype=esp; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; dstid="dstid $rightid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; dstid="dstid $leftid"; psk=`openssl rand -hex 20`; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk-fail_$side.conf; echo "FROM=\"$from\"" >> run-psk-fail_$side.conf; echo "TO=\"$to\"" >> run-psk-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk-fail_$side.conf; echo "$global" >> run-psk-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk-fail_$side.conf; chmod 0600 run-psk-fail_left.conf; echo "cd /tmp\nput run-psk-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk-fail_right.conf; echo "cd /tmp\nput run-psk-fail_right.conf test.conf" | sftp -q ot4; rm -f run-psk-fail_left.conf run-psk-fail_right.conf sftp> cd /tmp sftp> put run-psk-fail_left.conf test.conf sftp> cd /tmp sftp> put run-psk-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-psk ==== auth=psk; leftid=left; rightid=right; flowtype=esp; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-psk_$side.conf; echo "TMODE=\"$tmode\"" >> run-psk_$side.conf; echo "FROM=\"$from\"" >> run-psk_$side.conf; echo "TO=\"$to\"" >> run-psk_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-psk_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-psk_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-psk_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-psk_$side.conf; echo "DSTID=\"$dstid\"" >> run-psk_$side.conf; echo "AUTH=\"$authstr\"" >> run-psk_$side.conf; echo "CONFIG=\"$confstr\"" >> run-psk_$side.conf; echo "IKESA=\"$ikesa\"" >> run-psk_$side.conf; echo "$global" >> run-psk_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-psk_$side.conf; chmod 0600 run-psk_left.conf; echo "cd /tmp\nput run-psk_left.conf test.conf" | sftp -q ot3; chmod 0600 run-psk_right.conf; echo "cd /tmp\nput run-psk_right.conf test.conf" | sftp -q ot4; rm -f run-psk_left.conf run-psk_right.conf sftp> cd /tmp sftp> put run-psk_left.conf test.conf sftp> cd /tmp sftp> put run-psk_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:32:21.358537 (authentic,confidential): SPI 0x9718ea4a: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) 17:32:22.356769 (authentic,confidential): SPI 0x2313888a: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) ==== run-intermediate-fail ==== leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate-fail_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate-fail_$side.conf; echo "FROM=\"$from\"" >> run-intermediate-fail_$side.conf; echo "TO=\"$to\"" >> run-intermediate-fail_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate-fail_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate-fail_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate-fail_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate-fail_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate-fail_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate-fail_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate-fail_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate-fail_$side.conf; echo "$global" >> run-intermediate-fail_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate-fail_$side.conf; chmod 0600 run-intermediate-fail_left.conf; echo "cd /tmp\nput run-intermediate-fail_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate-fail_right.conf; echo "cd /tmp\nput run-intermediate-fail_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate-fail_left.conf run-intermediate-fail_right.conf sftp> cd /tmp sftp> put run-intermediate-fail_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate-fail_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 1 ]]; then exit 1; fi SAs not found: FLOWS: No flows SAD: FLOWS: No flows SAD: No entries _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 1 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ping: sendmsg: Permission denied ==== run-intermediate ==== intermediate=true; leftid=left-from-intermediate-from-ca-none; rightid=right-from-intermediate-from-ca-none; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-intermediate_$side.conf; echo "TMODE=\"$tmode\"" >> run-intermediate_$side.conf; echo "FROM=\"$from\"" >> run-intermediate_$side.conf; echo "TO=\"$to\"" >> run-intermediate_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-intermediate_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-intermediate_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-intermediate_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-intermediate_$side.conf; echo "DSTID=\"$dstid\"" >> run-intermediate_$side.conf; echo "AUTH=\"$authstr\"" >> run-intermediate_$side.conf; echo "CONFIG=\"$confstr\"" >> run-intermediate_$side.conf; echo "IKESA=\"$ikesa\"" >> run-intermediate_$side.conf; echo "$global" >> run-intermediate_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-intermediate_$side.conf; chmod 0600 run-intermediate_left.conf; echo "cd /tmp\nput run-intermediate_left.conf test.conf" | sftp -q ot3; chmod 0600 run-intermediate_right.conf; echo "cd /tmp\nput run-intermediate_right.conf test.conf" | sftp -q ot4; rm -f run-intermediate_left.conf run-intermediate_right.conf sftp> cd /tmp sftp> put run-intermediate_left.conf test.conf sftp> cd /tmp sftp> put run-intermediate_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi ping: sendmsg: Permission denied tcpdump: listening on enc0, link-type ENC 17:32:42.956758 (authentic,confidential): SPI 0x3b2b5b54: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:32:42.957490 (authentic,confidential): SPI 0x752ffe49: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-fragmentation ==== flowtype=esp; fragmentation=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-fragmentation_$side.conf; echo "TMODE=\"$tmode\"" >> run-fragmentation_$side.conf; echo "FROM=\"$from\"" >> run-fragmentation_$side.conf; echo "TO=\"$to\"" >> run-fragmentation_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-fragmentation_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-fragmentation_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-fragmentation_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-fragmentation_$side.conf; echo "DSTID=\"$dstid\"" >> run-fragmentation_$side.conf; echo "AUTH=\"$authstr\"" >> run-fragmentation_$side.conf; echo "CONFIG=\"$confstr\"" >> run-fragmentation_$side.conf; echo "IKESA=\"$ikesa\"" >> run-fragmentation_$side.conf; echo "$global" >> run-fragmentation_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-fragmentation_$side.conf; chmod 0600 run-fragmentation_left.conf; echo "cd /tmp\nput run-fragmentation_left.conf test.conf" | sftp -q ot3; chmod 0600 run-fragmentation_right.conf; echo "cd /tmp\nput run-fragmentation_right.conf test.conf" | sftp -q ot4; rm -f run-fragmentation_left.conf run-fragmentation_right.conf sftp> cd /tmp sftp> put run-fragmentation_left.conf test.conf sftp> cd /tmp sftp> put run-fragmentation_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:32:54.236746 (authentic,confidential): SPI 0xcd675efa: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:32:54.237445 (authentic,confidential): SPI 0x68e2dacd: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-transport ==== flowtype=esp; tmode=transport; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-transport_$side.conf; echo "TMODE=\"$tmode\"" >> run-transport_$side.conf; echo "FROM=\"$from\"" >> run-transport_$side.conf; echo "TO=\"$to\"" >> run-transport_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-transport_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-transport_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-transport_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-transport_$side.conf; echo "DSTID=\"$dstid\"" >> run-transport_$side.conf; echo "AUTH=\"$authstr\"" >> run-transport_$side.conf; echo "CONFIG=\"$confstr\"" >> run-transport_$side.conf; echo "IKESA=\"$ikesa\"" >> run-transport_$side.conf; echo "$global" >> run-transport_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-transport_$side.conf; chmod 0600 run-transport_left.conf; echo "cd /tmp\nput run-transport_left.conf test.conf" | sftp -q ot3; chmod 0600 run-transport_right.conf; echo "cd /tmp\nput run-transport_right.conf test.conf" | sftp -q ot4; rm -f run-transport_left.conf run-transport_right.conf sftp> cd /tmp sftp> put run-transport_left.conf test.conf sftp> cd /tmp sftp> put run-transport_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" tmode=transport; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:33:03.556773 (authentic,confidential): SPI 0xfa303ea3: 10.188.43.23 > 10.188.43.24: icmp: echo request 17:33:03.561365 (authentic,confidential): SPI 0xd9f811a9: 10.188.43.24 > 10.188.43.23: icmp: echo reply ==== run-singleikesa ==== flowtype=esp; singleikesa=true; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-singleikesa_$side.conf; echo "TMODE=\"$tmode\"" >> run-singleikesa_$side.conf; echo "FROM=\"$from\"" >> run-singleikesa_$side.conf; echo "TO=\"$to\"" >> run-singleikesa_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-singleikesa_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-singleikesa_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-singleikesa_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-singleikesa_$side.conf; echo "DSTID=\"$dstid\"" >> run-singleikesa_$side.conf; echo "AUTH=\"$authstr\"" >> run-singleikesa_$side.conf; echo "CONFIG=\"$confstr\"" >> run-singleikesa_$side.conf; echo "IKESA=\"$ikesa\"" >> run-singleikesa_$side.conf; echo "$global" >> run-singleikesa_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-singleikesa_$side.conf; chmod 0600 run-singleikesa_left.conf; echo "cd /tmp\nput run-singleikesa_left.conf test.conf" | sftp -q ot3; chmod 0600 run-singleikesa_right.conf; echo "cd /tmp\nput run-singleikesa_right.conf test.conf" | sftp -q ot4; rm -f run-singleikesa_left.conf run-singleikesa_right.conf sftp> cd /tmp sftp> put run-singleikesa_left.conf test.conf sftp> cd /tmp sftp> put run-singleikesa_right.conf test.conf ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" sleep 1; ssh ot4 "ikectl reload"; sleep 3; count=`ssh ot3 "ikectl show sa | grep -c iked_sas"`; if [[ "$count" != "1" ]]; then echo "error: too many IKE SAs."; exit 1; fi ==== run-ipcomp ==== flowtype=ipcomp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-ipcomp_$side.conf; echo "TMODE=\"$tmode\"" >> run-ipcomp_$side.conf; echo "FROM=\"$from\"" >> run-ipcomp_$side.conf; echo "TO=\"$to\"" >> run-ipcomp_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-ipcomp_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-ipcomp_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-ipcomp_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-ipcomp_$side.conf; echo "DSTID=\"$dstid\"" >> run-ipcomp_$side.conf; echo "AUTH=\"$authstr\"" >> run-ipcomp_$side.conf; echo "CONFIG=\"$confstr\"" >> run-ipcomp_$side.conf; echo "IKESA=\"$ikesa\"" >> run-ipcomp_$side.conf; echo "$global" >> run-ipcomp_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-ipcomp_$side.conf; chmod 0600 run-ipcomp_left.conf; echo "cd /tmp\nput run-ipcomp_left.conf test.conf" | sftp -q ot3; chmod 0600 run-ipcomp_right.conf; echo "cd /tmp\nput run-ipcomp_right.conf test.conf" | sftp -q ot4; rm -f run-ipcomp_left.conf run-ipcomp_right.conf sftp> cd /tmp sftp> put run-ipcomp_left.conf test.conf sftp> cd /tmp sftp> put run-ipcomp_right.conf test.conf sysctl="net.inet.ipcomp.enable=1"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl" net.inet.ipcomp.enable: 0 -> 1 net.inet.ipcomp.enable: 0 -> 1 ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf" flowtype=ipcomp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:33:21.356747 (authentic,confidential): SPI 0x2dbf0a56: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:33:21.357578 (authentic,confidential): SPI 0x07627b2b: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) ==== run-udpencap-port ==== flowtype=esp; leftid=left-from-ca-both; rightid=right-from-ca-both; if [[ "$auth" = "psk" ]]; then psk=`openssl rand -hex 20`; fi; side=left; srcid=$leftid; local=10.188.43.23; peer=10.188.43.24; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; side=right; srcid=$rightid; local=10.188.43.24; peer=10.188.43.23; from=$local; to=$peer; if [[ -z "$mode" ]]; then mode="active"; fi; authstr=""; if [[ "$auth" = "psk" ]]; then authstr="psk $psk"; fi; ipcomp=""; if [[ "$flowtype" = "ipcomp" ]]; then ipcomp="ipcomp"; fi; global=""; if [ "$fragmentation" = true ]; then global="${global}set fragmentation\n"; fi; if [ "$singleikesa" = true ]; then global="${global}set enforcesingleikesa\n"; fi; if [ "$intermediate" = true ]; then global="${global}set cert_partial_chain\n"; fi; confstr=""; if [ -n "$config_address" ]; then if [ "$side" = left ]; then mode=passive; confstr="config address $config_address"; if [[ "$config_address" == */* ]]; then to="dynamic"; else to="$config_address"; fi; else mode=active; confstr="request address any"; if [[ "$config_address" == */* ]]; then from="dynamic"; else from="$config_address"; fi; fi; fi; echo "MODE=\"$mode\"" >> run-udpencap-port_$side.conf; echo "TMODE=\"$tmode\"" >> run-udpencap-port_$side.conf; echo "FROM=\"$from\"" >> run-udpencap-port_$side.conf; echo "TO=\"$to\"" >> run-udpencap-port_$side.conf; echo "LOCAL_ADDR=\"$local\"" >> run-udpencap-port_$side.conf; echo "PEER_ADDR=\"$peer\"" >> run-udpencap-port_$side.conf; echo "IPCOMP=\"$ipcomp\"" >> run-udpencap-port_$side.conf; echo "SRCID=\"\\\"$srcid\\\"\"" >> run-udpencap-port_$side.conf; echo "DSTID=\"$dstid\"" >> run-udpencap-port_$side.conf; echo "AUTH=\"$authstr\"" >> run-udpencap-port_$side.conf; echo "CONFIG=\"$confstr\"" >> run-udpencap-port_$side.conf; echo "IKESA=\"$ikesa\"" >> run-udpencap-port_$side.conf; echo "$global" >> run-udpencap-port_$side.conf; cat /usr/src/regress/sbin/iked/live/iked.in >> run-udpencap-port_$side.conf; chmod 0600 run-udpencap-port_left.conf; echo "cd /tmp\nput run-udpencap-port_left.conf test.conf" | sftp -q ot3; chmod 0600 run-udpencap-port_right.conf; echo "cd /tmp\nput run-udpencap-port_right.conf test.conf" | sftp -q ot4; rm -f run-udpencap-port_left.conf run-udpencap-port_right.conf; sysctl="net.inet.esp.udpencap_port=9999"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; sftp> cd /tmp sftp> put run-udpencap-port_left.conf test.conf sftp> cd /tmp sftp> put run-udpencap-port_right.conf test.conf net.inet.esp.udpencap_port: 4500 -> 9999 net.inet.esp.udpencap_port: 4500 -> 9999 iked_flags=-p9999; ssh ot3 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; ssh ot4 "ipsecctl -F; pkill iked; iked $iked_flags -f /tmp/test.conf"; flowtype=esp; [ -z $tmode ] && tmode=tunnel; _ret=1; count=0; dynamic=10.188.43.24; if [ -n "$config_address" ]; then dynamic="172.16.13.[0-9]+"; fi; [ -z "$maxwait" ] && maxwait=3; while [[ $count -le $maxwait ]]; do ipsecctlleft=`ssh ot3 ipsecctl -sa`; ipsecctlright=`ssh ot4 ipsecctl -sa`; flowleft=`echo "$ipsecctlleft" | sed -E -n "/^flow $flowtype in from $dynamic to 10.188.43.23 peer 10.188.43.24 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; flowright=`echo "$ipsecctlright" | sed -E -n "/^flow $flowtype in from 10.188.43.23 to $dynamic peer 10.188.43.23 srcid (FQDN|UFQDN|ASN1_DN)\/[^ ]* dstid (FQDN|UFQDN|ASN1_DN)\/[^ ]*/p"`; saleft_rtol=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saleft_ltor=`echo "$ipsecctlleft" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; saright_rtol=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.24 to 10.188.43.23/p"`; saright_ltor=`echo "$ipsecctlright" | sed -n "/^$flowtype $tmode from 10.188.43.23 to 10.188.43.24/p"`; if [[ -n "$saleft_ltor" && -n "$saleft_rtol" && -n "$saright_ltor" && -n "$saright_rtol" && -n "$flowleft" && -n "$flowright" ]]; then _ret=0; break; fi; let count=$count+1; done; if [[ "${_ret}" -ne 0 ]]; then echo "SAs not found:\n$ipsecctlleft\n$ipsecctlright"; fi; if [[ $_ret -ne 0 ]]; then exit 1; fi _ret=1; if [[ "" == "6" ]]; then ping="ping6"; else ping="ping"; fi; dump=`ssh ot3 "tcpdump -n -c2 -i enc0 -w /tmp/test.pcap > /dev/null & $ping -w 1 -n -c 5 10.188.43.24 > /dev/null && tcpdump -n -r /tmp/test.pcap && rm -f /tmp/test.pcap; kill -9 \\$! > /dev/null 2>&1 || true"`; rtol=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.23 > 10.188.43.24/p"`; ltor=`echo "$dump" | sed -n "/(authentic,confidential): SPI 0x[0-9a-f]\{8\}: 10.188.43.24 > 10.188.43.23/p"`; if [[ -z "$rtol" || -z "$ltor" ]]; then _ret=1; else _ret=0; fi; echo "$dump"; if [[ $_ret -ne 0 ]]; then exit 1; fi tcpdump: listening on enc0, link-type ENC 17:33:31.716822 (authentic,confidential): SPI 0x11377fc6: 10.188.43.23 > 10.188.43.24: icmp: echo request (encap) 17:33:31.719442 (authentic,confidential): SPI 0x2e4ea804: 10.188.43.24 > 10.188.43.23: icmp: echo reply (encap) sysctl="net.inet.esp.udpencap_port=4500"; ssh ot3 "sysctl $sysctl"; ssh ot4 "sysctl $sysctl"; net.inet.esp.udpencap_port: 9999 -> 4500 net.inet.esp.udpencap_port: 9999 -> 4500 ==== cleanup ==== ssh ot3 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled ssh ot4 'rm -f /tmp/test.conf; ipsecctl -F; pkill iked; rm -f /etc/iked/ca/*; rm -f /etc/iked/certs/*; rm -f /etc/iked/private/*; sysctl "net.inet.esp.udpencap_port=4500"; rm -f /tmp/pf.conf; pfctl -d; pfctl -f /etc/pf.conf;' net.inet.esp.udpencap_port: 4500 -> 4500 pf disabled PASS sbin/iked/live Duration 3m44.65s