/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # make sure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm with a ping
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4 
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time XXXX
west #
 ipsec start
Redirecting to: systemctl start ipsec.service
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet-esp-3des-alg
002 added connection description "westnet-eastnet-esp-3des-alg"
west #
 ipsec auto --status | grep westnet-eastnet-esp-3des-alg
000 "westnet-eastnet-esp-3des-alg": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; unrouted; eroute owner: #0
000 "westnet-eastnet-esp-3des-alg":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-eastnet-esp-3des-alg":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "westnet-eastnet-esp-3des-alg":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-eastnet-esp-3des-alg":   labeled_ipsec:no;
000 "westnet-eastnet-esp-3des-alg":   policy_label:unset;
000 "westnet-eastnet-esp-3des-alg":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-eastnet-esp-3des-alg":   retransmit-interval: 9999ms; retransmit-timeout: 99s;
000 "westnet-eastnet-esp-3des-alg":   sha2-truncbug:no; initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-eastnet-esp-3des-alg":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-eastnet-esp-3des-alg":   conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-eastnet-esp-3des-alg":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-eastnet-esp-3des-alg":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-eastnet-esp-3des-alg":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "westnet-eastnet-esp-3des-alg":   ESP algorithms: 3DES_CBC-HMAC_SHA1_96
west #
 echo "initdone"
initdone
west #
 ipsec auto --up  westnet-eastnet-esp-3des-alg
002 "westnet-eastnet-esp-3des-alg" #1: initiating Main Mode
104 "westnet-eastnet-esp-3des-alg" #1: STATE_MAIN_I1: initiate
106 "westnet-eastnet-esp-3des-alg" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-esp-3des-alg" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "westnet-eastnet-esp-3des-alg" #1: Peer ID is ID_FQDN: '@east'
004 "westnet-eastnet-esp-3des-alg" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}
002 "westnet-eastnet-esp-3des-alg" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
117 "westnet-eastnet-esp-3des-alg" #2: STATE_QUICK_I1: initiate
004 "westnet-eastnet-esp-3des-alg" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=3DES_CBC_0-HMAC_SHA1_96 IPCOMP=>0xESPESP <0xESPESP NATOA=none NATD=none DPD=passive}
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 ipsec whack --trafficstatus
006 #2: "westnet-eastnet-esp-3des-alg", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
west #
 echo done
done
west #
 ipsec look
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPIXX reqid REQID mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(des3_ede) 0xENCKEY
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.1.2.23 dst 192.1.2.45
	proto comp spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	comp deflate 
src 192.1.2.23 dst 192.1.2.45
	proto 4 spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 0 flag af-unspec
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPIXX reqid REQID mode transport
	replay-window 32 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(des3_ede) 0xENCKEY
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.1.2.45 dst 192.1.2.23
	proto comp spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	comp deflate 
src 192.1.2.45 dst 192.1.2.23
	proto 4 spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 0 flag af-unspec
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24 
	dir out priority 2344 ptype main 
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto comp reqid REQID mode tunnel
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.0.2.0/24 dst 192.0.1.0/24 
	dir fwd priority 2344 ptype main 
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid REQID mode tunnel
		level use 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.0.2.0/24 dst 192.0.1.0/24 
	dir in priority 2344 ptype main 
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid REQID mode tunnel
		level use 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1 
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 
192.0.2.0/24 via 192.1.2.23 dev eth1 
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 
192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

