[Swan-dev] errors reported by test suite

Paul Wouters paul at nohats.ca
Tue Jul 11 12:02:28 UTC 2017


On Sun, 9 Jul 2017, D. Hugh Redelmeier wrote:

> I get a lot of errors when I run the tests.  Can folks work on fixing
> them?  In some cases, the fix is to update the reference logs.

Lots of people have been in transit, including me :/

> lost a data packet -- probably nothing to be done

Yeah :/

> ?? different traffic, extra "src"
> certoe-07-nat-2-clients/OUTPUT/road.console.diff
> certoe-07-nat-2-clients/OUTPUT/east.console.diff

You didn't provide a link or diff, so hard for me to tell what extra
"src" means.

> New warning? clear-or-private#192.1.2.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand  can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_NULL IKEv2_AUTH_NULL remote=192.1.2.254 thatid=ID_NULL

Those are indeed new. I had not yet added them because I wasn't sure if
these would remain. It seems it always triggers a "packet received and
ignored during crypto/dns work".

>
> New retransmit interval not reflected in logs?
> delete-sa-04/OUTPUT/east.console.diff
> ... and states numbered differently?
> delete-sa-04/OUTPUT/west.console.diff

I don't know why the state numbers are different. Which is why it was
not yet updated by me.

>
> tunnel missing?
> dnsoe-01/OUTPUT/road.console.diff
> dnsoe-01/OUTPUT/east.console.diff
>
> dnsoe-02/OUTPUT/road.console.diff
> dnsoe-02/OUTPUT/east.console.diff

Most likely you did not run "make kvm-keys" before the test, and the 
DNSSEC signed zones expired? Or some other bind related package is
not yet installed on your nic instance?


> missing interfaces:
> dynamic-iface-01/OUTPUT/west.console.diff

That also needs investigating still.

> cert-related error?
> +003 "westnet-eastnet-ikev2" #2: ID_DER_ASN1_DN 'E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA' does not match expected 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east at testing.libreswan.org'

That's odd because those two are the same? That would indicate a bug?

> missing connection
> ikev1-aggr-sendcert-01/OUTPUT/north.console.diff
> ikev1-aggr-sendcert-01/OUTPUT/east.console.diff

Will investigate those. There were some changes in the aggrmode code.

> negotiation went off rails
> ikev1-rekey-connswitch/OUTPUT/east.console.diff
> ikev1-rekey-connswitch/OUTPUT/west.console.diff

Actively working on that now. I pushed part of the fix yesterday. There
is still the issue of the CA matching (the match2 variable) going wrong.

> different informational payload generated??
> -003 "san" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
> +003 "san" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
> ikev1-x509-05-san-firstemail-match/OUTPUT/west.console.diff

I'll fix those up when the connswitch stuff works, as I will need to
rerun all the SAN test cases for that.

> different informational payload generated??
> -002 "san" #1: Peer public key is not available for this exchange
> -218 "san" #1: STATE_MAIN_I3: INVALID_ID_INFORMATION
> -002 "san" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.1.2.23:500
> +003 "san" #1: no RSA public key known for 'NOTeast at testing.libreswan.org'
> +217 "san" #1: STATE_MAIN_I3: INVALID_KEY_INFORMATION
> +002 "san" #1: sending encrypted notification INVALID_KEY_INFORMATION to 192.1.2.23:500
> ikev1-x509-06-san-email-mismatch/OUTPUT/west.console.diff
> ikev1-x509-08-san-dns-mismatch/OUTPUT/west.console.diff
>
> different informational payload generated??
> -003 "san" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12
> +003 "san" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
> ikev1-x509-07-san-ip-mismatch/OUTPUT/west.console.diff
> ikev1-x509-aggr-05-san-firstemail-match/OUTPUT/west.console.diff

same.

> negotiation went off rails
> +003 "san" #1: ignoring informational payload INVALID_KEY_INFORMATION, msgid=00000000, length=12
> ikev1-x509-12-san-dn-match/OUTPUT/east.console.diff
> ikev1-x509-12-san-dn-match/OUTPUT/west.console.diff
> ikev1-x509-13-san-dn-mismatch/OUTPUT/east.console.diff
> ikev1-x509-13-san-dn-mismatch/OUTPUT/west.console.diff

Same.

Paul

