[Swan-dev] strongswan interop tests

Paul Wouters paul at nohats.ca
Thu Oct 30 05:12:10 EET 2014


I see the following intermittent changes in strongswan tests:

--- ./east.console.txt  2014-10-19 19:01:15.974509619 -0400
+++ OUTPUT/east.console.txt     2014-10-29 19:34:16.319472120 -0400
@@ -29,7 +29,7 @@
  east #
   if [ -f /var/run/charon.pid ]; then strongswan status ; fi
  Security Associations (1 up, 0 connecting):
-westnet-eastnet-ikev1[1]: ESTABLISHED XXX seconds ago, 192.1.2.23[east]...192.1.2.45[west]
+westnet-eastnet-ikev1[2]: ESTABLISHED XXX seconds ago, 192.1.2.23[east]...192.1.2.45[west]
  westnet-eastnet-ikev1{1}:  INSTALLED, TUNNEL, ESP SPIs: SPISPI_i SPISPI_o
  westnet-eastnet-ikev1{1}:   192.0.2.0/24 === 192.0.1.0/24
  east #
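Review bot: the only changed line is the bracketed index after the connection name on the ESTABLISHED line ([1] to [2]); the `{1}` lines and both subnets are identical, and that same line already has its age masked as XXX. If the index is not something this test is meant to assert, mask it the same way instead of re-recording the reference with whichever value the last run produced.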

Sometimes the number is [1], sometimes [2] and I've also seen [3].
Rerunning it a few times will get it back to [1]. I am not sure what the
number means, so I did not yet want to write a sanitizer for it.

Another difference I see is that some tests removed sending a CERTREQ,
but others added one. This shows up as:

-- ./west.console.txt  2014-10-03 00:00:05.045878037 -0400
+++ OUTPUT/west.console.txt     2014-10-29 19:45:26.958131741 -0400
@@ -53,9 +53,10 @@
  sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
  received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
  parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
+sending cert request for "C=ca, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test EC CA, E=testing at libreswan.org"
  authentication of 'west' (myself) with pre-shared key
  establishing CHILD_SA westnet-eastnet-ikev2
-generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
+generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) ]
  sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
  received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
  parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
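Review bot: the added `sending cert request for ...` line and the `CERTREQ` payload in the IKE_AUTH request appear in an exchange that goes on to authenticate with a pre-shared key (`authentication of 'west' (myself) with pre-shared key`), and the parsed IKE_AUTH response carries no CERT payload. Before accepting this into the reference, confirm where the CA named in the request comes from on west, so that the expected output of a PSK test does not depend on which certificates happen to be present on the host.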

I understand the new additions of CERTREQ, not sure why a few test cases
remove those.....

Then we see:

--- ./road.console.txt  2014-07-07 13:14:14.034567484 -0400
+++ OUTPUT/road.console.txt     2014-10-29 19:58:06.324979396 -0400
@@ -4,15 +4,15 @@
  Starting strongSwan X.X.X IPsec [starter]...
  Loading config setup
  Loading conn 'road-eastnet-ikev2'
+  authby=secret
+  auto=add
+  keyexchange=ikev2
    left=%defaultroute
    leftid=@road
+  leftsubnet=192.1.3.209/32
    right=192.1.2.23
    rightid=@east
    rightsubnet=192.0.2.0/24
-  leftsubnet=192.1.3.209/32
-  authby=secret
-  keyexchange=ikev2
-  auto=add
  found netkey IPsec stack
  road #
   echo "initdone"
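Review bot: the four added and four removed lines under `Loading conn 'road-eastnet-ikev2'` are the same key=value pairs with the same values; only their position changes, and the new listing is in alphabetical order. Comparing this block order-insensitively (for example, sorting the option lines before diffing) would keep one reference valid for both outputs instead of tying it to a single ordering.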

These seem related to the version of strongswan. I don't see these
flipping between runs.

I've made some minor init/run.sh fixes, and updated the reference
output. I committed this in a new branch "ssw521".

Note I tested these runs on three different machines (laptop, desktop
and swantest). All three systems exhibit the same behaviour.

Paul
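
A sketch of the kind of sanitizer the message mentions, as an added example that is not part of the original post and not libreswan's own test code. It masks the bracketed index on status lines and sorts the option lines under each `Loading conn`, so the old and new outputs compare equal; the function names and the sample text (assembled from lines in the diffs above) are constructed for illustration.

```python
import re

# "<conn>[N]: ..." in `strongswan status`; N is the value that differs between runs.
IKE_SA_INDEX = re.compile(r"^(\s*[\w.-]+)\[\d+\](?=: )")
# Indented "key=value" line echoed by the starter under "Loading conn '<name>'".
CONN_OPTION = re.compile(r"^\s+\w+=\S")


def sanitize(console: str) -> str:
    """Mask the bracketed index and sort each 'Loading conn' option block."""
    out, options, in_conn = [], [], False
    for line in console.splitlines():
        if in_conn and CONN_OPTION.match(line):
            options.append(line)  # buffer until the block ends
            continue
        out.extend(sorted(options, key=str.strip))
        options = []
        in_conn = line.lstrip().startswith("Loading conn ")
        out.append(IKE_SA_INDEX.sub(r"\1[N]", line))
    out.extend(sorted(options, key=str.strip))  # block at end of input
    return "\n".join(out)


def make_run(options, index):
    """Constructed console text, assembled from lines shown in the diffs above."""
    return "\n".join(
        ["Loading conn 'road-eastnet-ikev2'"]
        + ["  " + o for o in options]
        + ["found netkey IPsec stack",
           f"westnet-eastnet-ikev1[{index}]: ESTABLISHED XXX seconds ago, "
           "192.1.2.23[east]...192.1.2.45[west]",
           "westnet-eastnet-ikev1{1}:  INSTALLED, TUNNEL, ESP SPIs: SPISPI_i SPISPI_o"])


OLD_ORDER = ["left=%defaultroute", "leftid=@road", "right=192.1.2.23",
             "rightid=@east", "rightsubnet=192.0.2.0/24",
             "leftsubnet=192.1.3.209/32", "authby=secret",
             "keyexchange=ikev2", "auto=add"]
REFERENCE = make_run(OLD_ORDER, 1)       # old reference output
NEW_RUN = make_run(sorted(OLD_ORDER), 3)  # reordered options, different index

if __name__ == "__main__":
    print(sanitize(NEW_RUN))
    print("match:", sanitize(REFERENCE) == sanitize(NEW_RUN))
```

Masking the index also hides any real change in that value, so it only belongs in the sanitizer once it is clear the tests do not need to assert it.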

