testing: Added test cases for RFC 7427 functionality and interop

Test cases with impairments are added to test interoperability with clients that do not support RFC 7427
sahanaprasad07 · Aug 28, 2017 · fb50a26 · fb50a26
1 parent 81c7cf0
commit fb50a26
Show file tree

Hide file tree

Showing 48 changed files with 961 additions and 40 deletions.
diff --git a/testing/pluto/TESTLIST b/testing/pluto/TESTLIST
@@ -811,6 +811,7 @@ kvmplutotest	interop-ikev1-strongswan-08-strongswan-cast	good
 kvmplutotest    interop-ikev2-strongswan-02-psk-responder	good
 kvmplutotest    interop-ikev2-strongswan-03-psk-initiator	good
 kvmplutotest    interop-ikev2-strongswan-04-x509-responder	good
+kvmplutotest    interop-ikev2-strongswan-04-responder-impair	good
 kvmplutotest	interop-ikev2-strongswan-05-psk-aes		good
 kvmplutotest	interop-ikev2-strongswan-05-psk-md5		good
 kvmplutotest	interop-ikev2-strongswan-06-aes192		good
@@ -842,6 +843,8 @@ kvmplutotest	interop-ikev2-strongswan-35-rekey-pfs		good
 kvmplutotest	interop-ikev2-strongswan-35-rekey-reauth	good
 kvmplutotest	interop-ikev2-strongswan-35-responder-rekey-pfs good
 kvmplutotest	interop-ikev2-strongswan-36-esp-gmac-responder	good
+kvmplutotest	interop-ikev2-strongswan-37-initiator-digsig	good
+kvmplutotest	interop-ikev2-strongswan-38-digsig-impair	good
 
 #################################################################
 # DNSSEC tests

diff --git a/testing/pluto/certoe-10-symetric-cert-whack/east.console.txt b/testing/pluto/certoe-10-symetric-cert-whack/east.console.txt
@@ -31,13 +31,14 @@ east #
  grep "negotiated connection" /tmp/pluto.log
 "clear-or-private#192.1.3.0/24"[1] ...192.1.3.209 #2: negotiated connection [192.1.2.23-192.1.2.23:0-65535 0] -> [192.1.3.209-192.1.3.209:0-65535 0]
 east #
- # you should see only RSA
+ # you should see only Digital Signatures which supports only RSA now
 east #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| clear-or-private#192.1.3.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand  can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.3.209 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 east #
 east #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/certoe-10-symetric-cert-whack/final.sh b/testing/pluto/certoe-10-symetric-cert-whack/final.sh
@@ -1,7 +1,7 @@
 # A tunnel should have established with non-zero byte counters
 ipsec whack --trafficstatus 
 grep "negotiated connection" /tmp/pluto.log
-# you should see only RSA
+# you should see only Digital Signatures which supports only RSA now
 grep IKEv2_AUTH_ OUTPUT/*pluto.log 
 : ==== cut ====
 ipsec auto --status

diff --git a/testing/pluto/certoe-10-symetric-cert-whack/nic.console.txt b/testing/pluto/certoe-10-symetric-cert-whack/nic.console.txt
@@ -10,13 +10,14 @@ nic #
  grep "negotiated connection" /tmp/pluto.log
 grep: /tmp/pluto.log: No such file or directory
 nic #
- # you should see only RSA
+ # you should see only Digital Signatures which supports only RSA now
 nic #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| clear-or-private#192.1.3.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand  can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.3.209 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 nic #
 nic #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/certoe-10-symetric-cert-whack/road.console.txt b/testing/pluto/certoe-10-symetric-cert-whack/road.console.txt
@@ -146,13 +146,14 @@ road #
  grep "negotiated connection" /tmp/pluto.log
 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
 road #
- # you should see only RSA
+ # you should see only Digital Signatures which supports only RSA now
 road #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| clear-or-private#192.1.3.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand  can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.3.209 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 road #
 road #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/certoe-11-symetric-cert-nat/east.console.txt b/testing/pluto/certoe-11-symetric-cert-nat/east.console.txt
@@ -31,13 +31,14 @@ east #
  grep "negotiated connection" /tmp/pluto.log
 "clear-or-private#192.1.2.254/32"[1] ...192.1.2.254===10.0.10.1/32 #2: negotiated connection [192.1.2.23-192.1.2.23:0-65535 0] -> [10.0.10.1-10.0.10.1:0-65535 0]
 east #
- # you should see only RSA
+ # you should see only Digital Signatures that currently only supports RSA
 east #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| clear-or-private#192.1.2.254/32 #1 not fetching ipseckey that end rsasigkey != %dnsondemand  can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.2.254 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 east #
 east #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/certoe-11-symetric-cert-nat/final.sh b/testing/pluto/certoe-11-symetric-cert-nat/final.sh
@@ -1,7 +1,7 @@
 # A tunnel should have established with non-zero byte counters
 ipsec whack --trafficstatus 
 grep "negotiated connection" /tmp/pluto.log
-# you should see only RSA
+# you should see only Digital Signatures that currently only supports RSA
 grep IKEv2_AUTH_ OUTPUT/*pluto.log 
 : ==== cut ====
 ipsec auto --status

diff --git a/testing/pluto/certoe-11-symetric-cert-nat/nic.console.txt b/testing/pluto/certoe-11-symetric-cert-nat/nic.console.txt
@@ -20,13 +20,14 @@ nic #
  grep "negotiated connection" /tmp/pluto.log
 grep: /tmp/pluto.log: No such file or directory
 nic #
- # you should see only RSA
+ # you should see only Digital Signatures that currently only supports RSA
 nic #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| clear-or-private#192.1.2.254/32 #1 not fetching ipseckey that end rsasigkey != %dnsondemand  can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.2.254 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 nic #
 nic #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/certoe-11-symetric-cert-nat/road.console.txt b/testing/pluto/certoe-11-symetric-cert-nat/road.console.txt
@@ -129,13 +129,14 @@ road #
  grep "negotiated connection" /tmp/pluto.log
 "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23 #2: negotiated connection [10.0.10.1-10.0.10.1:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
 road #
- # you should see only RSA
+ # you should see only Digital Signatures that currently only supports RSA
 road #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| clear-or-private#192.1.2.254/32 #1 not fetching ipseckey that end rsasigkey != %dnsondemand  can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.2.254 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/road.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 road #
 road #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/east.console.txt b/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/east.console.txt
@@ -30,10 +30,11 @@ east #
 initdone
 east #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| westnet-eastnet-ikev2 #1 not fetching ipseckey that end rsasigkey != %dnsondemand initiator IKEv2 Auth Method is not IKEv2_AUTH_RSA,  IKEv2_AUTH_DIGSIG remote=192.1.2.45 thatid=@west
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 east #
 east #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/west.console.txt b/testing/pluto/ikev2-asymmetric-15-rsaraw-rsaraw/west.console.txt
@@ -77,10 +77,11 @@ west #
 done
 west #
  grep IKEv2_AUTH_ OUTPUT/*pluto.log
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
-OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_RSA (0x1)
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/east.pluto.log:| westnet-eastnet-ikev2 #1 not fetching ipseckey that end rsasigkey != %dnsondemand initiator IKEv2 Auth Method is not IKEv2_AUTH_RSA,  IKEv2_AUTH_DIGSIG remote=192.1.2.45 thatid=@west
+OUTPUT/east.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
+OUTPUT/west.pluto.log:|    auth method: IKEv2_AUTH_DIGSIG (0xe)
 west #
 west #
  ../bin/check-for-core.sh

diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/description.txt b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/description.txt
@@ -0,0 +1,11 @@
+RFC 7427 :
+Basic pluto with IKEv2 using X.509 on the initiator (west), and Strongswan on
+the responder (east) with impair.
+
+Impairment is introduced in such a way that , the Signature hash notification is
+not sent. Therefore Authentication method is no longer Digital Signature , but RSA (legacy)
+
+This case is to be sure that libreswan without Digital Signatures(RFC 7427) ie an older version
+can still interop with Strongwan (with Digital Signature implemented)
+
+
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.conf b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.conf
@@ -0,0 +1,27 @@
+# /etc/ipsec.conf - Strongswan IPsec configuration file
+
+config setup
+	# setup items now go into strongswan.conf for version 5+
+
+conn westnet-eastnet-ikev2
+	authby=rsasig
+	#auto=start
+	left=192.1.2.45
+	leftsubnet=192.0.1.0/24
+	leftrsasigkey=%cert
+	leftcert=/etc/strongswan/ipsec.d/certs/west.crt
+	leftsendcert=never
+	leftid="C=CA, ST=Ontario, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=testing.libreswan.org"
+	right=192.1.2.23
+	rightsubnet=192.0.2.0/24
+	rightrsasigkey=%cert
+	rightcert=/etc/strongswan/ipsec.d/certs/east.crt
+	rightsendcert=never
+	rightid="C=CA/ST=Ontario/O=Libreswan/OU=Test Department/CN=east.testing.libreswan.org/E=testing.libreswan.org"
+	# strongswan options
+	keyexchange=ikev2
+	auto=add
+	fragmentation=yes
+
+#strongswan cannot include this, due to incompatible options
+#include	/testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.console.txt b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.console.txt
@@ -0,0 +1,22 @@
+setenforce 0
+east #
+ /testing/guestbin/swan-prep --userland strongswan --x509
+east #
+ ../../pluto/bin/strongswan-start.sh
+east #
+ echo "initdone"
+initdone
+east #
+ if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+east #
+ if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+Security Associations (1 up, 0 connecting):
+westnet-eastnet-ikev2[2]: ESTABLISHED XXX second ago, 192.1.2.23[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]...192.1.2.45[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org]
+westnet-eastnet-ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
+westnet-eastnet-ikev2{1}:   192.0.2.0/24 === 192.0.1.0/24
+east #
+east #
+ ../bin/check-for-core.sh
+east #
+ if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.secrets b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/east.secrets
@@ -0,0 +1 @@
+: RSA /etc/strongswan/ipsec.d/private/east.key "foobar"
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eastinit.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eastinit.sh
@@ -0,0 +1,4 @@
+setenforce 0
+/testing/guestbin/swan-prep --userland strongswan --x509
+../../pluto/bin/strongswan-start.sh
+echo "initdone"
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eaststrongswan.conf b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/eaststrongswan.conf
@@ -0,0 +1,39 @@
+# strongswan.conf - strongSwan configuration file
+
+charon {
+
+    # number of worker threads in charon
+    threads = 16
+
+    # send strongswan vendor ID?
+    # send_vendor_id = yes
+
+    plugins {
+
+    }
+
+    filelog {
+       /tmp/charon.log {
+	  time_format = %b %e %T
+	  append = no
+	  default = 4
+       }
+       stderr {
+	  ike = 4
+	  knl = 4
+	  ike_name = yes
+       }
+    }
+
+
+}
+
+pluto {
+
+}
+
+libstrongswan {
+
+    #  set to no, the DH exponent size is optimized
+    #  dh_exponent_ansi_x9_42 = no
+}
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/final.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/final.sh
@@ -0,0 +1,9 @@
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi
+if [ -f /var/run/charon.pid ]; then strongswan status ; fi
+: ==== cut ====
+if [ -f /var/run/pluto/pluto.pid ]; then ipsec auto --status ; fi
+if [ -f /var/run/charon.pid ]; then strongswan statusall ; fi
+: ==== tuc ====
+../bin/check-for-core.sh
+if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
+: ==== end ====
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/testparams.sh b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/testparams.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+. ../../default-testparams.sh
+EAST_CONSOLE_FIXUPS="$REF_CONSOLE_FIXUPS strongswan.sed"
diff --git a/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.conf b/testing/pluto/interop-ikev2-strongswan-04-responder-impair/west.conf
@@ -0,0 +1,25 @@
+# /etc/ipsec.conf - Libreswan IPsec configuration file
+
+version 2.0
+
+config setup
+	# put the logs in /tmp for the UMLs, so that we can operate
+	# without syslogd, which seems to break on UMLs
+	logfile=/tmp/pluto.log
+	logtime=no
+	logappend=no
+	plutodebug=all
+	plutorestartoncrash=false
+	dumpdir=/tmp
+	protostack=netkey
+
+conn westnet-eastnet-ikev2
+	also=slow-retransmits
+	also=westnet-eastnet-x509
+	ikev2=insist
+	authby=rsasig
+	leftsendcert=always
+	rightsendcert=never
+
+
+include	/testing/baseconfigs/all/etc/ipsec.d/ipsec.conf.common