[Swan-dev] testing yesterday's tree

Paul Wouters paul at nohats.ca
Tue May 15 04:24:15 UTC 2018


On Mon, 14 May 2018, D. Hugh Redelmeier wrote:

> I don't have time to analyze all the failures, but here's a start.

I can help, but it would be easiest if you expose the test results using
the web / html interface on a public http server. This can be pushed
from your test machine to another machine that runs a web server.

> The problem with certificates looks important.

Yes. Some test cases succeed where they should fail. The issue is known
and on my plate to fix.

> packets lost
> testing/pluto/ikev2-delete-05-sa-start failed west:output-different
> testing/pluto/ikev1-algo-esp-sha2-01-netkey-klips failed west:output-different
> testing/pluto/ikev1-algo-esp-sha2-02-netkey-klips failed west:output-different
> testing/pluto/interop-ikev2-strongswan-39-mobike-responder failed east:output-different road:output-different

That's hard to always get right; unfortunately it differs per test
machine.

> SA established late?
> testing/pluto/ikev2-delete-06-start-both failed west:output-different

I only got a packet loss here :)


> ####
> +192.0.2.100 dev eth1  scope link
> testing/pluto/ikev2-32-nat-rw-rekey failed east:output-different
> testing/pluto/ikev2-41-rw-replace failed east:output-different
> testing/pluto/ikev2-42-rw-replace-responder failed east:output-different

Same. new route entry added.

> +0.0.0.0/1 via 192.1.3.254 dev eth0  src 192.0.2.100
> default via 192.1.3.254 dev eth0
> +128.0.0.0/1 via 192.1.3.254 dev eth0  src 192.0.2.100
> testing/pluto/ikev2-30-rw-no-rekey failed road:output-different

That is correct. fixed.

> -| "westnet-eastnet" #1: discarding duplicate packet; already STATE_MAIN_I2
> testing/pluto/ikev1-impair-01-replay-duplicates failed west:output-different

assuming something slow?

> -002 "road-eastnet-ikev2" #2: certificate verified OK: E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
> +"road-eastnet-ikev2"[2] 192.1.3.34 #3: cannot route -- route already in use for "road-eastnet-ikev2"[1] 192.1.3.33
> [and more]
> testing/pluto/ikev2-27-uniqueid failed east:output-different north:output-different

Fixed yesterday :)

> testing/pluto/ikev2-10-2behind-nat failed east:output-different road:output-different

Have to look into this - also looks very different for me....

> +010 "westnet-eastnet-ipv4-psk-ikev2-ccm-a" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
> testing/pluto/ikev2-algo-03-aes-ccm failed west:output-different

slowness.

> ####
> -192.0.2.0/24 via 192.1.2.23 dev eth1
> testing/pluto/ikev2-algo-ike-dh-ecp-01 failed west:output-different
> testing/pluto/ikev2-unknown-payload-01-sa-init failed west:output-different
> testing/pluto/ikev2-unknown-payload-02-auth failed west:output-different

Didn't look at these yet.

> -2 packets transmitted, 2 received, 0% packet loss, time XXXX
> -rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
> +2 packets transmitted, 0 received, 100% packet loss, time XXXX
> testing/pluto/interop-ikev2-strongswan-38-mobike-pool failed east:output-different road:output-different
>
> ####
> -	proto esp spi 0xSPISPIXX reqid REQID mode tunnel
> +	proto esp spi 0xSPISPI reqid REQID mode tunnel
> testing/pluto/interop-ikev2-strongswan-38-mobike-pool failed east:output-different road:output-different
> testing/pluto/interop-ikev2-strongswan-38-mobike-initiator failed north:output-different
> testing/pluto/interop-ikev2-strongswan-39-mobike-responder failed east:output-different road:output-different

That does look like a sanitizer thing.

> ####
> -3: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1000
> +3: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default
> testing/pluto/interop-ikev2-strongswan-39-mobike-responder failed east:output-different road:output-different

That's my bad. I ran with 4.x kernels and updated iproute tools that
show the qlen 1000 there. I've sanitized it just now.

> testing/pluto/ikev2-unknown-payload-03-auth-sk failed west:output-different
> testing/pluto/ikev2-impair-04-corrupt-auth-sk-payload failed west:output-different
> testing/pluto/ikev1-x509-05-san-firstemail-match failed west:output-different
> testing/pluto/ikev1-x509-07-san-ip-mismatch failed west:output-different
> testing/pluto/ikev1-x509-08-san-dns-mismatch failed west:output-different
> testing/pluto/ikev2-x509-20-multicert-rightid-san-wildcard failed west:output-different

Ignore all -san- tests until I've pushed a fix for the authby checks.

> testing/pluto/nss-cert-crl-03 failed west:output-different

crl failures usually mean you need to regenerate your certs. Same for
failing dnsoe tests which usually means the signed zone expired. Before
a test, run on the host:

./testing/x509/dist_certs.py
./testing/baseconfigs/all/etc/bind/generate-dnssec.sh

People are not in agreement on always running these before a test run :/

> testing/pluto/nss-cert-09-notyetvalid-initiator failed east:output-different west:output-different
> testing/pluto/nss-cert-10-notyetvalid-responder-ikev2 failed east:output-different west:output-different

seems a (new?) problem with the faketime library. Maybe this only breaks
on old f22.

Paul

