/testing/guestbin/swan-prep
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ipsec start
/usr/bin/nsenter --mount=/run/mountns/west-ikev2-expire-02-packets --net=/run/netns/west-ikev2-expire-02-packets --uts=/run/utsns/west-ikev2-expire-02-packets /bin/bash
Redirecting to: namespaces direct start via ipsec pluto
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ../../guestbin/wait-until-pluto-started
==== cut ====
000   PID  Process
addconn exited
==== tuc ====
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ipsec auto --add west
002 "west": added IKEv2 connection
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# # confirm max packets for IPsec SA is set
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ipsec status |grep ipsec_max_packets
000 "west":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 16EiB; ipsec_max_packets: 20; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# echo "initdone"
initdone
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ipsec auto --up west
181 "west" #1: initiating IKEv2 connection
181 "west" #1: sent IKE_SA_INIT request
182 "west" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}
003 "west" #1: initiator established IKE SA; authenticated using authby=secret and peer ID_FQDN '@east'
002 "west" #2: route-client output: Error: Peer netns reference is invalid.
004 "west" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] === [192.0.2.0-192.0.2.255:0-65535 0] {ESP/ESN=>0x75cd8d5e <0xbba19740 xfrm=AES_GCM_16_256-NONE DPD=passive}
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# # pings will not trigger rekey
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ping -n -q -c 16 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.

--- 192.0.2.254 ping statistics ---
16 packets transmitted, 16 received, 0% packet loss, time 15342ms
rtt min/avg/max/mdev = 0.149/0.155/0.160/0.002 ms
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# # expect #2 IPsec original Child SA
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ipsec trafficstatus
006 #2: "west", type=ESP, add_time=1656567668, inBytes=1344, outBytes=1344, maxBytes=16EiB, id='@east'
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# # next pings will go over and initiate a rekey
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ping -n -q -c 8 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.

--- 192.0.2.254 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 7196ms
rtt min/avg/max/mdev = 0.126/0.153/0.165/0.010 ms
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# sleep 5
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# # expect only #3 IPsec first rekeyed Child SA
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ipsec trafficstatus
006 #3: "west", type=ESP, add_time=0, inBytes=504, outBytes=504, maxBytes=16EiB, id='@east'
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ping -n -q -c 10 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.

--- 192.0.2.254 ping statistics ---
10 packets transmitted, 10 received, 0% packet loss, time 9234ms
rtt min/avg/max/mdev = 0.082/0.157/0.200/0.029 ms
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# sleep 5
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# # expect only #4 IPsec second rekeyed Child SA
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ipsec trafficstatus
006 #3: "west", type=ESP, add_time=1656567684, inBytes=1344, outBytes=1344, maxBytes=16EiB, id='@east'
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# echo done
done
]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# ../../guestbin/ipsec-look.sh
==== cut ====
DUMP IN: OUTPUT/west.ipsec-look.3241449.log
==== tuc ====
west Thu Jun 30 05:41:51 UTC 2022
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xeca4e4e8 reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0x6cd282b89d9389ba6eaa78faf371040472a688e3714d6a6f7f72945ae55ffdc86c7e51b1 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x10, oseq-hi 0x0, oseq 0x0
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 0000ffff 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xff4fa3a4 reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xa8a0cdfef81200f171aef6d4f48e90faca412a116be228e4ff214769d1512a660066b2c5 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x10
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0x75cd8d5e reqid 16389 mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xd0f5843a371c4953068c882fa31eecd1aff1c6363ca7afc5f4d35b2eb69ccc74bc176d28 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0x0, oseq-hi 0x0, oseq 0x12
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 00000000 
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority 1757393 ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid 16389 mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority 1757393 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid 16389 mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority 1757393 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid 16389 mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

]0;root@swantest:/home/build/libreswan/testing/pluto/ikev2-expire-02-packets[root@west ikev2-expire-02-packets]# >>>>>>>>>>cut>>>>>>>>>> done <<<<<<<<<<tuc<<<<<<<<<<