[Swan-dev] testing yesterday's tree
Paul Wouters
paul at nohats.ca
Tue May 15 04:24:15 UTC 2018
On Mon, 14 May 2018, D. Hugh Redelmeier wrote:
> I don't have time to analyze all the failures, but here's a start.
I can help, but it would be easiest if you expose the test results using
the web / html interface on a public http server. This can be pushed
from your test machine to another machine that runs a web server.
> The problem with certificates looks important.
Yes. Some test cases succeed where they should fail. The issue is known
and on my plate to fix.
> packets lost
> testing/pluto/ikev2-delete-05-sa-start failed west:output-different
> testing/pluto/ikev1-algo-esp-sha2-01-netkey-klips failed west:output-different
> testing/pluto/ikev1-algo-esp-sha2-02-netkey-klips failed west:output-different
> testing/pluto/interop-ikev2-strongswan-39-mobike-responder failed east:output-different road:output-different
That's hard to always get right; unfortunately it differs per test
machine.
> SA established late?
> testing/pluto/ikev2-delete-06-start-both failed west:output-different
I only got a packet loss here :)
> ####
> +192.0.2.100 dev eth1 scope link
> testing/pluto/ikev2-32-nat-rw-rekey failed east:output-different
> testing/pluto/ikev2-41-rw-replace failed east:output-different
> testing/pluto/ikev2-42-rw-replace-responder failed east:output-different
Same. New route entry added.
> +0.0.0.0/1 via 192.1.3.254 dev eth0 src 192.0.2.100
> default via 192.1.3.254 dev eth0
> +128.0.0.0/1 via 192.1.3.254 dev eth0 src 192.0.2.100
> testing/pluto/ikev2-30-rw-no-rekey failed road:output-different
That is correct. Fixed.
> -| "westnet-eastnet" #1: discarding duplicate packet; already STATE_MAIN_I2
> testing/pluto/ikev1-impair-01-replay-duplicates failed west:output-different
Assuming something slow?
> -002 "road-eastnet-ikev2" #2: certificate verified OK: E=user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
> +"road-eastnet-ikev2"[2] 192.1.3.34 #3: cannot route -- route already in use for "road-eastnet-ikev2"[1] 192.1.3.33
> [and more]
> testing/pluto/ikev2-27-uniqueid failed east:output-different north:output-different
Fixed yesterday :)
> testing/pluto/ikev2-10-2behind-nat failed east:output-different road:output-different
Have to look into this - also looks very different for me....
> +010 "westnet-eastnet-ipv4-psk-ikev2-ccm-a" #2: STATE_PARENT_I2: retransmission; will wait 0.5 seconds for response
> testing/pluto/ikev2-algo-03-aes-ccm failed west:output-different
Slowness.
> ####
> -192.0.2.0/24 via 192.1.2.23 dev eth1
> testing/pluto/ikev2-algo-ike-dh-ecp-01 failed west:output-different
> testing/pluto/ikev2-unknown-payload-01-sa-init failed west:output-different
> testing/pluto/ikev2-unknown-payload-02-auth failed west:output-different
Didn't look at these yet.
> -2 packets transmitted, 2 received, 0% packet loss, time XXXX
> -rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
> +2 packets transmitted, 0 received, 100% packet loss, time XXXX
> testing/pluto/interop-ikev2-strongswan-38-mobike-pool failed east:output-different road:output-different
>
> ####
> - proto esp spi 0xSPISPIXX reqid REQID mode tunnel
> + proto esp spi 0xSPISPI reqid REQID mode tunnel
> testing/pluto/interop-ikev2-strongswan-38-mobike-pool failed east:output-different road:output-different
> testing/pluto/interop-ikev2-strongswan-38-mobike-initiator failed north:output-different
> testing/pluto/interop-ikev2-strongswan-39-mobike-responder failed east:output-different road:output-different
That does look like a sanitizer thing.
> ####
> -3: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1000
> +3: ip_vti0 at NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default
> testing/pluto/interop-ikev2-strongswan-39-mobike-responder failed east:output-different road:output-different
That's my bad. I ran with 4.x kernels and updated iproute tools that
show the qlen 1000 there. I've sanitized it just now.
> testing/pluto/ikev2-unknown-payload-03-auth-sk failed west:output-different
> testing/pluto/ikev2-impair-04-corrupt-auth-sk-payload failed west:output-different
> testing/pluto/ikev1-x509-05-san-firstemail-match failed west:output-different
> testing/pluto/ikev1-x509-07-san-ip-mismatch failed west:output-different
> testing/pluto/ikev1-x509-08-san-dns-mismatch failed west:output-different
> testing/pluto/ikev2-x509-20-multicert-rightid-san-wildcard failed west:output-different
Ignore all -san- tests until I have pushed a fix for the authby checks.
> testing/pluto/nss-cert-crl-03 failed west:output-different
CRL failures usually mean you need to regenerate your certs. Same for
failing dnsoe tests which usually means the signed zone expired. Before
a test, run on the host:
./testing/x509/dist_certs.py
./testing/baseconfigs/all/etc/bind/generate-dnssec.sh
People are not in agreement on always running these before a test run :/
> testing/pluto/nss-cert-09-notyetvalid-initiator failed east:output-different west:output-different
> testing/pluto/nss-cert-10-notyetvalid-responder-ikev2 failed east:output-different west:output-different
Seems a (new?) problem with the faketime library. Maybe this only breaks
on old f22.
Paul
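
The "qlen 1000" and SPI differences discussed above come down to normalising console output before it is compared. The following is an added example, not part of the original message and not libreswan's own sanitizer scripts; the function names, the rules and the sample lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed samples: the same interface line as printed by two iproute2
# versions (the newer one appends "qlen 1000").
OLD_IPROUTE='3: ip_vti0@NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default'
NEW_IPROUTE='3: ip_vti0@NONE: <NOARP> mtu 1332 qdisc noop state DOWN group default qlen 1000'

# sanitize: read console output on stdin, write a normalised form on stdout.
# Rule 1 drops a trailing "qlen N", which depends on the iproute2 version.
# Rule 2 replaces any hex SPI, whatever its length, with one fixed token,
#        so a shorter or longer SPI cannot change the masked text.
sanitize() {
    sed -E \
        -e 's/[[:space:]]+qlen [0-9]+[[:space:]]*$//' \
        -e 's/(^|[[:space:]])spi 0x[0-9a-fA-F]+/\1spi 0xSPISPI/g'
}

# compare_console EXPECTED ACTUAL
# Returns 0 when both texts are identical after sanitizing, 1 otherwise.
# Real differences (for example packet loss) are still reported.
compare_console() {
    exp=$(printf '%s\n' "$1" | sanitize)
    act=$(printf '%s\n' "$2" | sanitize)
    [ "$exp" = "$act" ]
}

# Demonstration on the constructed samples.
if compare_console "$OLD_IPROUTE" "$NEW_IPROUTE"; then
    echo "ip link lines match after sanitizing"
fi
if ! compare_console '2 packets transmitted, 2 received' \
                     '2 packets transmitted, 0 received'; then
    echo "packet loss is still reported as a difference"
fi
```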