<div dir="ltr"><div>I'm planning on removing the sanitizer ipsec-auto-up.n.sed.  It removes what I consider to be important contextual  information from console.txt.  For instance, consider this output:<br></div><div><br></div>--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>@@ -41,8 +41,10 @@<br> 1v1 "nss-cert-crl" #1: sent Main Mode I3<br> 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12<br> 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION<br> 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12<br> 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION<br> 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>, E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>'<br> 002 "nss-cert-crl" #1: certificate verified OK: E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA<br><div> 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1</div><div><br></div><div>the duplicate "ignoring informational payload" seems to be from the other end spontaneously sending duplicates (this is IKEv1 after all), and things take time to establish because the other end was slow.  
However, once retransmits are visible:</div><div><br></div><div>--- MASTER/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>+++ OUTPUT/testing/pluto/nss-cert-crl-03-strict/west.console.txt<br>@@ -41,8 +41,10 @@<br> 1v1 "nss-cert-crl" #1: sent Main Mode I3<br> 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12<br> 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION<br>+010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 0.5 seconds for response<br> 003 "nss-cert-crl" #1: ignoring informational payload INVALID_ID_INFORMATION, msgid=00000000, length=12<br> 003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION<br>+010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait 1 seconds for response<br> 002 "nss-cert-crl" #1: Peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>, E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>'<br> 002 "nss-cert-crl" #1: certificate verified OK: E=<a href="mailto:user-east@testing.libreswan.org">user-east@testing.libreswan.org</a>,CN=<a href="http://east.testing.libreswan.org">east.testing.libreswan.org</a>,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA<br> 003 "nss-cert-crl" #1: authenticated using RSA with SHA-1</div><div><br></div><div>it looks more likely that the re-transmit triggered forward progress.  
Similarly, but in contrast:<br></div><div><br></div><div>--- MASTER/testing/pluto/ikev2-keyingtries-01/west.console.txt<br>+++ OUTPUT/testing/pluto/ikev2-keyingtries-01/west.console.txt<br>@@ -28,7 +28,9 @@<br> 002 "westnet-eastnet-k1" #1: IMPAIR: omitting KE payload<br> 1v2 "westnet-eastnet-k1" #1: sent IKE_SA_INIT request<br> 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message containing INVALID_SYNTAX notification; message payloads: N; missing payloads: SA,KE,Ni<br>+010 "westnet-eastnet-k1" #1: STATE_PARENT_I1: retransmission; will wait 1 seconds for response<br> 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message containing INVALID_SYNTAX notification; message payloads: N; missing payloads: SA,KE,Ni<br>+010 "westnet-eastnet-k1" #1: STATE_PARENT_I1: retransmission; will wait 2 seconds for response<br> 003 "westnet-eastnet-k1" #1: dropping unexpected IKE_SA_INIT message containing INVALID_SYNTAX notification; message payloads: N; missing payloads: SA,KE,Ni<br> 031 "westnet-eastnet-k1" #1: STATE_PARENT_I1: 3 second timeout exceeded after 2 retransmits.  No response (or no acceptable response) to our first IKEv2 message<br> 002 "westnet-eastnet-k1" #1: deleting state (STATE_PARENT_I1) and NOT sending notification</div><div><br></div><div>the re-transmits suggest they are just adding noise to the test (and it could delete-on-retransmit).<br></div></div>
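<div>The point made in the message above, as an added example (not part of the original message and not Libreswan's own code): two runs that behave differently become indistinguishable once the retransmission lines are dropped. It assumes the sanitizer simply deletes those lines; <code>sanitize</code>, <code>retransmits_before</code>, <code>summary</code> and the abbreviated sample runs are hypothetical and constructed from the excerpts quoted above.</div>

```python
import re

# Assumption: the sanitizer's effect is to delete pluto's "retransmission; will
# wait" lines; the real contents of ipsec-auto-up.n.sed are not in the message.
RETRANSMIT = re.compile(r'^010 "[^"]+" #\d+: STATE_\w+: retransmission; will wait ')

def sanitize(lines):
    """Hypothetical stand-in for the sanitizer: drop retransmission lines."""
    return [line for line in lines if not RETRANSMIT.match(line)]

def retransmits_before(lines):
    """Pair every surviving line with the number of retransmissions that
    were logged immediately before it."""
    pairs, pending = [], 0
    for line in lines:
        if RETRANSMIT.match(line):
            pending += 1
        else:
            pairs.append((pending, line))
            pending = 0
    return pairs

def summary(lines):
    """Retransmit counts in front of each surviving line."""
    return [count for count, _ in retransmits_before(lines)]

# Constructed sample, abbreviated from the nss-cert-crl-03-strict excerpt.
COMMON = [
    '1v1 "nss-cert-crl" #1: sent Main Mode I3',
    '003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION',
    '003 "nss-cert-crl" #1: received and ignored notification payload: INVALID_ID_INFORMATION',
    '003 "nss-cert-crl" #1: authenticated using RSA with SHA-1',
]
RETRY = '010 "nss-cert-crl" #1: STATE_MAIN_I3: retransmission; will wait {} seconds for response'
# Run A: the peer sends the duplicate notification unprompted.
RUN_A = list(COMMON)
# Run B: each later message arrives only after a retransmit.
RUN_B = [COMMON[0], COMMON[1], RETRY.format("0.5"), COMMON[2], RETRY.format("1"), COMMON[3]]

if __name__ == "__main__":
    print("sanitized logs identical:", sanitize(RUN_A) == sanitize(RUN_B))
    print("run A:", summary(RUN_A))
    print("run B:", summary(RUN_B))
```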