/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 ipsec auto --add east
"east": added IKEv2 connection
east #
 echo "initdone"
initdone
east #
 ipsec _kernel state
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 0, bitmap-length 0
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.1.2.23 dst 192.1.2.45
	proto comp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	comp deflate 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.1.2.45 dst 192.1.2.23
	proto comp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	comp deflate 
src 192.1.2.23 dst 192.1.2.45
	proto 4 spi 0xSPISPI reqid 0 mode tunnel
	replay-window 0 flag af-unspec
src 192.1.2.45 dst 192.1.2.23
	proto 4 spi 0xSPISPI reqid 0 mode tunnel
	replay-window 0 flag af-unspec
	lastused YYYY-MM-DD HH:MM:SS
east #
 ipsec _kernel policy
src 192.0.1.0/24 dst 192.0.2.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto comp reqid REQID mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.0.1.0/24 dst 192.0.2.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto comp reqid REQID mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.0.2.0/24 dst 192.0.1.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid REQID mode tunnel
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
east #
 # should match only on west, exactly twice
east #
 grep "initiating rekey to replace Child SA" OUTPUT/$(hostname).pluto.log
east #
 # should be absent
east #
 grep "initiating Child SA using IKE SA" OUTPUT/$(hostname).pluto.log || echo "success"
success
east #
 # should hit twice on west only
east #
 grep "received .* EXPIRE " OUTPUT/$(hostname).pluto.log | sed 's/for SPI 0x.*$/for SPI .../'
east #
