[Swan-dev] drop ipsec-auto-up.n.sed

Andrew Cagney andrew.cagney at gmail.com
Mon Sep 28 16:44:03 UTC 2020


I'm planning on removing the sanitizer ipsec-auto-up.n.sed.  It removes
what I consider to be important contextual information from console.txt.
For instance, consider this output:

--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
@@ -41,8 +41,10 @@
 1v1 "nss-cert-crl" #1: sent Main Mode I3
 003 "nss-cert-crl" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
 003 "nss-cert-crl" #1: received and ignored notification payload:
INVALID_ID_INFORMATION
 003 "nss-cert-crl" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
 003 "nss-cert-crl" #1: received and ignored notification payload:
INVALID_ID_INFORMATION
 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario,
L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org,
E=user-east at testing.libreswan.org'
 002 "nss-cert-crl" #1: certificate verified OK: E=
user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1

the duplicate "ignoring informational payload" seems to be from the other
end spontaneously sending duplicates (this is IKEv1 after all), and things
take time to establish because the other end was slow.  However, once
retransmits are visible:

--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt
+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt
@@ -41,8 +41,10 @@
 1v1 "nss-cert-crl" #1: sent Main Mode I3
 003 "nss-cert-crl" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
 003 "nss-cert-crl" #1: received and ignored notification payload:
INVALID_ID_INFORMATION
+010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 0.5
seconds for response
 003 "nss-cert-crl" #1: ignoring informational payload
INVALID_ID_INFORMATION, msgid=00000000, length=12
 003 "nss-cert-crl" #1: received and ignored notification payload:
INVALID_ID_INFORMATION
+010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds
for response
 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario,
L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org,
E=user-east at testing.libreswan.org'
 002 "nss-cert-crl" #1: certificate verified OK: E=
user-east at testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test
Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1
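
Review bot: the two added 010 STATE_MAIN_I3 retransmission lines make the expected output depend on timing. Each one carries a timer value (0.5 and 1 seconds), and each sits between arrivals of the duplicated INVALID_ID_INFORMATION payloads. Once the sanitizer is gone and these lines are part of west.console.txt, a faster or slower peer would change how many 010 lines appear and where they fall, and the test would fail on the diff alone. Before accepting them into MASTER, either make the peer's response time deterministic in this test or confirm across repeated runs that exactly two retransmits occur at these positions.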

it looks more likely that the re-transmit triggered forward progress.
Similarly, but in contrast:

--- MASTER/testing/pluto/ikev2-keyingtries-01/west.console.txt
+++ OUTPUT/testing/pluto/ikev2-keyingtries-01/west.console.txt
@@ -28,7 +28,9 @@
 002 "westnet-eastnet-k1" #1: IMPAIR: omitting KE payload
 1v2 "westnet-eastnet-k1" #1: sent IKE_SA_INIT request
 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message
containing INVALID_SYNTAX notification; message payloads: N; missing
payloads: SA,KE,Ni
+010 "westnet-eastnet-k1" #1: STATE_PARENT_I1: retransmission; will wait 1
seconds for response
 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message
containing INVALID_SYNTAX notification; message payloads: N; missing
payloads: SA,KE,Ni
+010 "westnet-eastnet-k1" #1: STATE_PARENT_I1: retransmission; will wait 2
seconds for response
 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message
containing INVALID_SYNTAX notification; message payloads: N; missing
payloads: SA,KE,Ni
 031 "westnet-eastnet-k1" #1: STATE_PARENT_I1: 3 second timeout exceeded
after 2 retransmits.  No response (or no acceptable response) to our first
IKEv2 message
 002 "westnet-eastnet-k1" #1: deleting state (STATE_PARENT_I1) and NOT
sending notification
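
Review bot: the two added 010 STATE_PARENT_I1 retransmission lines repeat what the unchanged 031 line already records ("3 second timeout exceeded after 2 retransmits"), so in this hunk they contribute no information the expected output lacks. The waits shown (1 and 2 seconds) add up to the 3 second timeout, which suggests the count is fixed by the test's configuration rather than by the peer's speed. If the sanitizer is dropped, these lines could be accepted into MASTER as they are, or the test could be set up so that it does not retransmit at all.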

the re-transmits suggest they are just adding noise to the test (and it
could delete-on-retransmit).