[strongSwan] ubuntu 14.04 testing environment
Michael C. Cambria
mcc at fid4.com
Fri May 22 16:02:36 CEST 2015
On 05/22/2015 09:31 AM, Tobias Brunner wrote:
> Hi Michael,
>
>> What fails isn't obvious. Looking at one test I was interested in,
>> net2net-cert-sha2, it looked like the test actually did pass (or I just
>> can't find the failure.)
> You may compare your results to the ones at [1].
I did; other than the plugin-failed-to-load message, the results look
similar to what I see at [1].
>
>> May 21 16:02:03 moon charon: 00[LIB] unable to load 9 plugin features (9
>> due to unmet dependencies)
> In 5.3.0 this message is only logged if the log level is increased. As
> some features will always have unmet dependencies the message was more
> confusing than helpful, so it is not shown anymore by default. So if
> you do see it, without having changed the test config, it would indicate
> that you are not actually using 5.3.0, which is required for the
> net2net-cert-sha2 test scenario.
39 tests failed, not just this one. I simply used wget to download the
tarball, applied the patch and ran the commands.
I just ran net2net-cert-sha2,
cloud0:~/strongswan-5.3.0/testing$ sudo ./do-tests ikev2/net2net-cert-sha2
[sudo] password for thing:
Guest kernel : 3.15.1
strongSwan : 5.2.0
Date : 20150522-0958-48
[FAIL] 1 ikev2/net2net-cert-sha2: pre..test..post
Passed : 0
Failed : 1
The results are available in
/srv/strongswan-testing/testresults/20150522-0958-48
or via the link http://192.168.0.150/testresults/20150522-0958-48
Finished : 20150522-0958
But the console log looks like things worked:
cloud0:/srv/strongswan-testing/testresults/20150522-0958-48/ikev2/net2net-cert-sha2$ cat console.log
TCPDUMP
sun# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &
PRE-TEST
moon# iptables-restore < /etc/iptables.rules
sun# iptables-restore < /etc/iptables.rules
moon# ipsec start
Starting strongSwan 5.2.0 IPsec [starter]...
No leaks detected, 1 suppressed by whitelist
sun# ipsec start
Starting strongSwan 5.2.0 IPsec [starter]...
No leaks detected, 1 suppressed by whitelist
moon# sleep 1
moon# ipsec up net-net
initiating IKE_SA net-net[1] to 192.168.0.2
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.1[500] to 192.168.0.2[500] (676 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.1[500] (465 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of 'moon.strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
establishing CHILD_SA net-net
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.1[500] to 192.168.0.2[500] (1724 bytes)
received packet: from 192.168.0.2[500] to 192.168.0.1[500] (1532 bytes)
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
received end entity cert "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
using certificate "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, CN=sun.strongswan.org"
fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl is valid: until Jun 20 14:25:51 2015
certificate status is good
reached self-signed root ca with a path length of 0
authentication of 'sun.strongswan.org' with RSA signature successful
IKE_SA net-net[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
scheduling reauthentication in 3381s
maximum IKE_SA lifetime 3561s
connection 'net-net' established successfully
No leaks detected, 1 suppressed by whitelist
TEST
moon# cat /var/log/daemon.log | grep 'authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful' [YES]
moon# ipsec status 2> /dev/null | grep 'net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org' [YES]
net-net[1]: ESTABLISHED 0 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
sun# cat /var/log/daemon.log | grep 'authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful' [YES]
sun# ipsec status 2> /dev/null | grep 'net-net.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org' [YES]
net-net[1]: ESTABLISHED 0 seconds ago, 192.168.0.2[sun.strongswan.org]...192.168.0.1[moon.strongswan.org]
moon# ipsec status 2> /dev/null | grep 'net-net.*INSTALLED, TUNNEL' [YES]
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: cb68e27d_i c77a128f_o
sun# ipsec status 2> /dev/null | grep 'net-net.*INSTALLED, TUNNEL' [YES]
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c77a128f_i cb68e27d_o
alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_req=1' [YES]
64 bytes from 10.2.0.10: icmp_req=1 ttl=62 time=2.87 ms
sun# killall tcpdump
sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > sun.strongswan.org: ESP' [YES]
13:58:49.055214 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc77a128f,seq=0x1), length 132
sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org > moon.strongswan.org: ESP' [YES]
13:58:49.056249 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xcb68e27d,seq=0x1), length 132
POST-TEST
moon# ipsec stop
Stopping strongSwan IPsec...
sun# ipsec stop
Stopping strongSwan IPsec...
moon# iptables-restore < /etc/iptables.flush
sun# iptables-restore < /etc/iptables.flush
cloud0:/srv/strongswan-testing/testresults/20150522-0958-48/ikev2/net2net-cert-sha2$
I also checked other files; at first look things look right, e.g.
sun.tcpdump.log shows packets exchanged.
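As an added example (not strongSwan's own tooling and not part of this thread), the following Python script parses a do-tests console.log like the one quoted above. It pairs every [YES]/[NO]-tagged check with the output printed after it and lists the checks whose observed output contradicts the expectation, and it pulls the strongSwan version from the "ipsec start" banners. It assumes the log convention the excerpt suggests, namely that a check's matching lines are printed directly after the tagged command, so a [YES] check with no following output is a miss. The embedded log is a constructed, abridged copy of the one above with the mail-wrapped lines re-joined.

```python
"""Parser for a strongSwan do-tests console.log (added example, not
strongSwan's own tooling).  It pairs each [YES]/[NO]-tagged check with the
output printed after it, reports the checks that did not match, and
extracts the strongSwan version the guests actually started."""
import re

# Constructed excerpt modelled on the console.log quoted in the thread,
# with the mail-wrapped lines re-joined; a real log has many more lines.
SAMPLE_LOG = """\
PRE-TEST
moon# ipsec start
Starting strongSwan 5.2.0 IPsec [starter]...
sun# ipsec start
Starting strongSwan 5.2.0 IPsec [starter]...
moon# ipsec up net-net
authentication of 'sun.strongswan.org' with RSA signature successful
connection 'net-net' established successfully
TEST
moon# cat /var/log/daemon.log | grep 'authentication of.*sun.strongswan.org.*with RSA_EMSA_PKCS1_SHA512 successful' [YES]
moon# ipsec status 2> /dev/null | grep 'net-net.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org' [YES]
net-net[1]: ESTABLISHED 0 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
sun# cat /var/log/daemon.log | grep 'authentication of.*moon.strongswan.org.*with RSA_EMSA_PKCS1_SHA384 successful' [YES]
sun# ipsec status 2> /dev/null | grep 'net-net.*INSTALLED, TUNNEL' [YES]
net-net{1}: INSTALLED, TUNNEL, ESP SPIs: c77a128f_i cb68e27d_o
alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_req=1' [YES]
64 bytes from 10.2.0.10: icmp_req=1 ttl=62 time=2.87 ms
POST-TEST
moon# ipsec stop
Stopping strongSwan IPsec...
"""

SECTION_HEADERS = {"TCPDUMP", "PRE-TEST", "TEST", "POST-TEST"}
# "host# command", optionally followed by the expected-result tag.
CMD_RE = re.compile(r"^(?P<host>\w+)# (?P<cmd>.*?)(?: \[(?P<expect>YES|NO)\])?$")
VERSION_RE = re.compile(r"Starting strongSwan (\d+(?:\.\d+)+) IPsec")


def parse_console_log(text):
    """Return (versions, checks).

    versions: set of version strings seen in 'ipsec start' banners.
    checks:   one dict per tagged command with host, cmd, expect, the
              output lines printed before the next command or section
              header, and passed (output agrees with the expectation).
    Assumption: a check's matching lines are printed directly after the
    tagged command, so a [YES] check followed by no output did not match.
    """
    versions = set()
    checks = []
    current = None
    for line in text.splitlines():
        if line in SECTION_HEADERS:
            current = None
            continue
        m = CMD_RE.match(line)
        if m:
            current = None
            if m.group("expect"):
                current = {"host": m.group("host"), "cmd": m.group("cmd"),
                           "expect": m.group("expect"), "output": []}
                checks.append(current)
            continue
        v = VERSION_RE.search(line)
        if v:
            versions.add(v.group(1))
        if current is not None:
            current["output"].append(line)
    for c in checks:
        matched = bool(c["output"])
        c["passed"] = matched if c["expect"] == "YES" else not matched
    return versions, checks


def failed_checks(text):
    """Checks whose observed output contradicts the [YES]/[NO] tag."""
    return [c for c in parse_console_log(text)[1] if not c["passed"]]


def version_ok(text, required):
    """True if every guest started a strongSwan at least as new as required."""
    versions, _ = parse_console_log(text)
    want = tuple(int(x) for x in required.split("."))
    return bool(versions) and all(
        tuple(int(x) for x in v.split(".")) >= want for v in versions)


if __name__ == "__main__":
    versions, _ = parse_console_log(SAMPLE_LOG)
    print("strongSwan versions started:", sorted(versions))
    for c in failed_checks(SAMPLE_LOG):
        print("FAILED [%s] %s# %s" % (c["expect"], c["host"], c["cmd"]))
```

Run against the embedded excerpt it reports 5.2.0 as the version started, and the only two checks without a matching line are the daemon.log greps for RSA_EMSA_PKCS1_SHA512 on moon and RSA_EMSA_PKCS1_SHA384 on sun. Those are exactly the lines that name a signature scheme, whereas the "ipsec up" output above only logs a plain "RSA signature", which is consistent with the reply's point that the scenario needs 5.3.0.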