PRE-TEST

moon# systemctl start strongswan

carol# systemctl start strongswan

moon# expect-connection rw

carol# expect-connection home

carol# swanctl --initiate --child alice 2> /dev/null
[IKE] initiating IKE_SA home[1] to 192.168.0.1
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (272 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (325 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] received 1 cert requests for an unknown ca
[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] authentication of 'carol@strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] sending end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
[IKE] establishing CHILD_SA alice{1}
[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] splitting IKE message (1920 bytes) into 2 fragments
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (1236 bytes)
[NET] sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500] (756 bytes)
[NET] received packet: from 192.168.0.1[4500] to 192.168.0.100[4500] (80 bytes)
[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
[IKE] received AUTHENTICATION_FAILED notify error


TEST

moon# cat /var/log/daemon.log | grep 'constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD' [YES]
Mar 10 19:37:10 moon charon-systemd: 04[CFG] constraint check failed: RULE_CRL_VALIDATION is FAILED, but requires at least GOOD

carol# cat /var/log/daemon.log | grep 'received AUTHENTICATION_FAILED notify error' [YES]
Mar 10 19:37:11 carol charon-systemd: 08[IKE] received AUTHENTICATION_FAILED notify error

moon# swanctl --list-sas --raw 2> /dev/null | grep 'rw.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED' [NO]

carol# swanctl --list-sas --raw 2> /dev/null | grep 'home.*state=ESTABLISHED.*child-sas.*alice.*state=INSTALLED' [NO]


POST-TEST

carol# systemctl stop strongswan

moon# systemctl stop strongswan

moon# rm /etc/swanctl/x509ca/*