/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
west #
 # confirm with a ping
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4 
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time XXXX
west #
 # adding some routes to sow confusion on purpose
west #
 ip route add 192.168.1.1 via 192.0.1.254 dev eth0
west #
 ip route add 192.168.1.2 via 192.1.2.45 dev eth1
west #
 ip route add 192.168.1.16/28 via 192.1.2.45 dev eth1
west #
 ip route add 25.1.0.0/16 via 192.0.1.254
west #
 ip route add 25.2.0.0/16 via 192.1.2.45
west #
 ipsec start
[ 00.00] registered KLIPS /proc/sys/net
[ 00.00] ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=253 name=cbc(twofish) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=252 name=cbc(serpent) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=6 name=cbc(cast5) keyminbits=128 keymaxbits=128, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede) keyminbits=192 keymaxbits=192, found(0)
[ 00.00] KLIPS: lookup for ciphername=cipher_null: not found
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=2 name=hmac(md5) ctx_size=88 keyminbits=128 keymaxbits=128, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=3 name=hmac(sha1) ctx_size=88 keyminbits=160 keymaxbits=160, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=5 name=hmac(sha256) ctx_size=88 keyminbits=256 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=6 name=hmac(sha384) ctx_size=88 keyminbits=384 keymaxbits=384, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=7 name=hmac(sha512) ctx_size=88 keyminbits=512 keymaxbits=512, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=252 name=hmac(sha256) ctx_size=88 keyminbits=256 keymaxbits=256, found(0)
[ 00.00] 
Redirecting to: systemctl start ipsec.service
[ 00.00] 
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add westnet-all
002 added connection description "westnet-all"
west #
 ip route list
default via 192.1.2.254 dev eth1 
25.1.0.0/16 via 192.0.1.254 dev eth0 
25.2.0.0/16 via 192.1.2.45 dev eth1 
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 
192.0.2.0/24 via 192.1.2.23 dev eth1 
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 
192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 
192.168.1.1 via 192.0.1.254 dev eth0 
192.168.1.2 via 192.1.2.45 dev eth1 
192.168.1.16/28 via 192.1.2.45 dev eth1 
west #
 for i in `seq 1 12`; do ipsec auto --add orient$i; done
002 added connection description "orient1"
002 added connection description "orient2"
002 added connection description "orient3"
002 added connection description "orient4"
002 added connection description "orient5"
002 added connection description "orient6"
002 added connection description "orient7"
002 added connection description "orient8"
002 added connection description "orient9"
002 added connection description "orient10"
002 added connection description "orient11"
002 added connection description "orient12"
west #
 ipsec auto --status |grep orient |grep "eroute owner"
000 "orient1": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient10": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient11": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient12": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient2": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient3": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient4": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient5": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient6": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient7": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient8": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient9": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
west #
 echo "initdone"
initdone
west #
 ipsec auto --up  westnet-all
002 "westnet-all" #1: initiating Main Mode
104 "westnet-all" #1: STATE_MAIN_I1: initiate
106 "westnet-all" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-all" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "westnet-all" #1: Peer ID is ID_FQDN: '@east'
004 "westnet-all" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha2_256 group=MODP2048}
002 "westnet-all" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
117 "westnet-all" #2: STATE_QUICK_I1: initiate
004 "westnet-all" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 ip route list
0.0.0.0/1 dev ipsec0  scope link 
default via 192.1.2.254 dev eth1 
25.1.0.0/16 via 192.0.1.254 dev eth0 
25.2.0.0/16 via 192.1.2.45 dev eth1 
128.0.0.0/1 dev ipsec0  scope link 
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 
192.0.2.0/24 via 192.1.2.23 dev eth1 
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 
192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 
192.168.1.1 via 192.0.1.254 dev eth0 
192.168.1.2 via 192.1.2.45 dev eth1 
192.168.1.16/28 via 192.1.2.45 dev eth1 
west #
 # testing re-orienting
west #
 ipsec auto --replace westnet-all
002 "westnet-all": deleting non-instance connection
002 "westnet-all" #2: deleting state (STATE_QUICK_I2)
005 "westnet-all" #2: ESP traffic information: in=0B out=0B
002 "westnet-all" #1: deleting state (STATE_MAIN_I4)
002 added connection description "westnet-all"
west #
 ipsec auto --status |grep westnet
000 "westnet-all": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===0.0.0.0/0; unrouted; eroute owner: #0
000 "westnet-all":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-all":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "westnet-all":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-all":   labeled_ipsec:no;
000 "westnet-all":   policy_label:unset;
000 "westnet-all":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-all":   retransmit-interval: 9999ms; retransmit-timeout: 99s;
000 "westnet-all":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-all":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-all":   conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-all":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-all":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
west #
 echo done
done
west #
 ../../pluto/bin/ipsec-look.sh
west NOW
ipsec0->eth1 mtu=16260(9999)->1500
ROUTING TABLES
default via 192.1.2.254 dev eth1 
25.1.0.0/16 via 192.0.1.254 dev eth0 
25.2.0.0/16 via 192.1.2.45 dev eth1 
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 
192.0.2.0/24 via 192.1.2.23 dev eth1 
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 
192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 
192.168.1.1 via 192.0.1.254 dev eth0 
192.168.1.2 via 192.1.2.45 dev eth1 
192.168.1.16/28 via 192.1.2.45 dev eth1 
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
west #
 ipsec whack --shutdown
002 shutting down
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

