/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 # we can't test the packetflow as we are going to redirect
west #
 ../../guestbin/ip.sh route del 192.0.2.0/24
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet-ipv4-psk-ikev2
"westnet-eastnet-ipv4-psk-ikev2": added IKEv2 connection
west #
 echo "initdone"
initdone
west #
 ipsec whack --impair revival
west #
 ipsec auto --up westnet-eastnet-ipv4-psk-ikev2
"westnet-eastnet-ipv4-psk-ikev2" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"westnet-eastnet-ipv4-psk-ikev2" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"westnet-eastnet-ipv4-psk-ikev2" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"westnet-eastnet-ipv4-psk-ikev2" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #2 {ESP <0xESPESP}
"westnet-eastnet-ipv4-psk-ikev2" #1: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"westnet-eastnet-ipv4-psk-ikev2" #1: IKE_AUTH response redirects to new gateway 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #2: scheduling redirect 1 to 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #2: IMPAIR: redirect: skip scheduling redirect event
"westnet-eastnet-ipv4-psk-ikev2" #1: deleting IKE SA (established IKE SA)
west #
 ipsec whack --impair trigger_revival:1
"westnet-eastnet-ipv4-psk-ikev2": IMPAIR: dispatch REVIVAL; redirect attempt 1 from 192.1.2.23 to 192.1.3.33; delete Child SA
"westnet-eastnet-ipv4-psk-ikev2" #3: initiating IKEv2 connection to 192.1.3.33 using UDP
"westnet-eastnet-ipv4-psk-ikev2" #3: sent IKE_SA_INIT request to 192.1.3.33:UDP/500
"westnet-eastnet-ipv4-psk-ikev2" #3: processed IKE_SA_INIT response from 192.1.3.33:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"westnet-eastnet-ipv4-psk-ikev2" #3: sent IKE_AUTH request to 192.1.3.33:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #4 {ESP <0xESPESP}
"westnet-eastnet-ipv4-psk-ikev2" #3: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"westnet-eastnet-ipv4-psk-ikev2" #3: IKE_AUTH response redirects to new gateway 192.1.2.23
"westnet-eastnet-ipv4-psk-ikev2" #4: scheduling redirect 2 to 192.1.2.23
"westnet-eastnet-ipv4-psk-ikev2" #4: IMPAIR: redirect: skip scheduling redirect event
"westnet-eastnet-ipv4-psk-ikev2" #3: deleting IKE SA (established IKE SA)
west #
 ipsec whack --impair trigger_revival:1
"westnet-eastnet-ipv4-psk-ikev2": IMPAIR: dispatch REVIVAL; redirect attempt 2 from 192.1.3.33 to 192.1.2.23; delete Child SA
"westnet-eastnet-ipv4-psk-ikev2" #5: initiating IKEv2 connection to 192.1.2.23 using UDP
"westnet-eastnet-ipv4-psk-ikev2" #5: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"westnet-eastnet-ipv4-psk-ikev2" #5: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"westnet-eastnet-ipv4-psk-ikev2" #5: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #6 {ESP <0xESPESP}
"westnet-eastnet-ipv4-psk-ikev2" #5: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"westnet-eastnet-ipv4-psk-ikev2" #5: IKE_AUTH response redirects to new gateway 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #6: scheduling redirect 3 to 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #6: IMPAIR: redirect: skip scheduling redirect event
"westnet-eastnet-ipv4-psk-ikev2" #5: deleting IKE SA (established IKE SA)
west #
 ipsec whack --impair trigger_revival:1
"westnet-eastnet-ipv4-psk-ikev2": IMPAIR: dispatch REVIVAL; redirect attempt 3 from 192.1.2.23 to 192.1.3.33; delete Child SA
"westnet-eastnet-ipv4-psk-ikev2" #7: initiating IKEv2 connection to 192.1.3.33 using UDP
"westnet-eastnet-ipv4-psk-ikev2" #7: sent IKE_SA_INIT request to 192.1.3.33:UDP/500
"westnet-eastnet-ipv4-psk-ikev2" #7: processed IKE_SA_INIT response from 192.1.3.33:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"westnet-eastnet-ipv4-psk-ikev2" #7: sent IKE_AUTH request to 192.1.3.33:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #8 {ESP <0xESPESP}
"westnet-eastnet-ipv4-psk-ikev2" #7: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"westnet-eastnet-ipv4-psk-ikev2" #7: IKE_AUTH response redirects to new gateway 192.1.2.23
"westnet-eastnet-ipv4-psk-ikev2" #8: scheduling redirect 4 to 192.1.2.23
"westnet-eastnet-ipv4-psk-ikev2" #8: IMPAIR: redirect: skip scheduling redirect event
"westnet-eastnet-ipv4-psk-ikev2" #7: deleting IKE SA (established IKE SA)
west #
 ipsec whack --impair trigger_revival:1
"westnet-eastnet-ipv4-psk-ikev2": IMPAIR: dispatch REVIVAL; redirect attempt 4 from 192.1.3.33 to 192.1.2.23; delete Child SA
"westnet-eastnet-ipv4-psk-ikev2" #9: initiating IKEv2 connection to 192.1.2.23 using UDP
"westnet-eastnet-ipv4-psk-ikev2" #9: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"westnet-eastnet-ipv4-psk-ikev2" #9: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"westnet-eastnet-ipv4-psk-ikev2" #9: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #10 {ESP <0xESPESP}
"westnet-eastnet-ipv4-psk-ikev2" #9: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"westnet-eastnet-ipv4-psk-ikev2" #9: IKE_AUTH response redirects to new gateway 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #10: scheduling redirect 5 to 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #10: IMPAIR: redirect: skip scheduling redirect event
"westnet-eastnet-ipv4-psk-ikev2" #9: deleting IKE SA (established IKE SA)
west #
 ipsec whack --impair trigger_revival:1
"westnet-eastnet-ipv4-psk-ikev2": IMPAIR: dispatch REVIVAL; redirect attempt 5 from 192.1.2.23 to 192.1.3.33; delete Child SA
"westnet-eastnet-ipv4-psk-ikev2" #11: initiating IKEv2 connection to 192.1.3.33 using UDP
"westnet-eastnet-ipv4-psk-ikev2" #11: sent IKE_SA_INIT request to 192.1.3.33:UDP/500
"westnet-eastnet-ipv4-psk-ikev2" #11: processed IKE_SA_INIT response from 192.1.3.33:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"westnet-eastnet-ipv4-psk-ikev2" #11: sent IKE_AUTH request to 192.1.3.33:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #12 {ESP <0xESPESP}
"westnet-eastnet-ipv4-psk-ikev2" #11: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"westnet-eastnet-ipv4-psk-ikev2" #11: IKE_AUTH redirect exceeds limit; assuming redirect loop
"westnet-eastnet-ipv4-psk-ikev2" #12: connection is supposed to remain up; revival attempt 1 scheduled in 300 seconds
"westnet-eastnet-ipv4-psk-ikev2" #12: IMPAIR: revival: skip scheduling revival event
"westnet-eastnet-ipv4-psk-ikev2" #11: deleting IKE SA (established IKE SA)
west #
 ipsec whack --impair trigger_revival:1
"westnet-eastnet-ipv4-psk-ikev2": IMPAIR: dispatch REVIVAL; attempt 1 next in 300s; delete Child SA
"westnet-eastnet-ipv4-psk-ikev2": reviving connection which delete Child SA but must remain up per local policy (serial $1)
"westnet-eastnet-ipv4-psk-ikev2" #13: initiating IKEv2 connection to 192.1.2.23 using UDP
"westnet-eastnet-ipv4-psk-ikev2" #13: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"westnet-eastnet-ipv4-psk-ikev2" #13: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"westnet-eastnet-ipv4-psk-ikev2" #13: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #14 {ESP <0xESPESP}
"westnet-eastnet-ipv4-psk-ikev2" #13: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"westnet-eastnet-ipv4-psk-ikev2" #13: IKE_AUTH response redirects to new gateway 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #14: scheduling redirect 1 to 192.1.3.33
"westnet-eastnet-ipv4-psk-ikev2" #14: IMPAIR: redirect: skip scheduling redirect event
"westnet-eastnet-ipv4-psk-ikev2" #13: deleting IKE SA (established IKE SA)
west #
 echo done
done
west #
 sleep 2
west #
 ipsec _kernel state
west #
 ipsec _kernel policy
west #
 # confirm east is in unrouted state again
west #
 hostname | grep east > /dev/null && ipsec status | grep "[.][.][.]"
west #
