/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
west #
 iptables -A INPUT -i eth1 -s 10.0.2.0/24 -j LOGDROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm with a ping
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=2 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=3 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=4 
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time XXXX
west #
 ip addr add 10.0.1.254 dev eth0
west #
 ipsec start
Redirecting to: systemctl start ipsec.service
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet-vti-01
002 added connection description "westnet-eastnet-vti-01"
west #
 ipsec auto --add westnet-eastnet-vti-02
002 added connection description "westnet-eastnet-vti-02"
west #
 # remove the regular route for 192.0.2.0/24
west #
 ip route del 192.0.2.0/24
west #
 echo "initdone"
initdone
west #
 ipsec auto --up  westnet-eastnet-vti-01
002 "westnet-eastnet-vti-01" #1: initiating Main Mode
104 "westnet-eastnet-vti-01" #1: STATE_MAIN_I1: initiate
106 "westnet-eastnet-vti-01" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-vti-01" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "westnet-eastnet-vti-01" #1: Peer ID is ID_FQDN: '@east'
003 "westnet-eastnet-vti-01" #1: Authenticated using RSA
004 "westnet-eastnet-vti-01" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha2_256 group=MODP2048}
002 "westnet-eastnet-vti-01" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
117 "westnet-eastnet-vti-01" #2: STATE_QUICK_I1: initiate
004 "westnet-eastnet-vti-01" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
west #
 ipsec auto --up  westnet-eastnet-vti-02
002 "westnet-eastnet-vti-02" #3: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
117 "westnet-eastnet-vti-02" #3: STATE_QUICK_I1: initiate
004 "westnet-eastnet-vti-02" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
west #
 ip tunnel add west-east mode vti remote 192.1.2.23 local 192.1.2.45 ikey 20 okey 21
west #
 ip link set west-east up
west #
 sysctl -w net.ipv4.conf.west-east.disable_policy=1
net.ipv4.conf.west-east.disable_policy = 1
west #
 sysctl -w net.ipv4.conf.west-east.rp_filter=0
net.ipv4.conf.west-east.rp_filter = 0
west #
 sysctl -w net.ipv4.conf.west-east.forwarding=1
net.ipv4.conf.west-east.forwarding = 1
west #
 ip route add 192.0.2.0/24 dev west-east
west #
 ip route add 10.0.2.0/24 dev west-east
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 ping -n -c 4 -I 10.0.1.254 10.0.2.254
PING 10.0.2.254 (10.0.2.254) from 10.0.1.254 : 56(84) bytes of data.
64 bytes from 10.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 10.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 10.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 10.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 10.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 ipsec whack --trafficstatus
006 #2: "westnet-eastnet-vti-01", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
006 #3: "westnet-eastnet-vti-02", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
west #
 echo done
done
west #
 grep -v -P "\t0$" /proc/net/xfrm_stat
west #
 ../../pluto/bin/ipsec-look.sh
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
XFRM policy:
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 10.0.1.0/24 dst 10.0.2.0/24
	dir out priority 1042407 ptype main
	mark 21/0xffffffff
src 10.0.2.0/24 dst 10.0.1.0/24
	dir fwd priority 1042407 ptype main
	mark 20/0xffffffff
src 10.0.2.0/24 dst 10.0.1.0/24
	dir in priority 1042407 ptype main
	mark 20/0xffffffff
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority 1042407 ptype main
	mark 21/0xffffffff
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority 1042407 ptype main
	mark 20/0xffffffff
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority 1042407 ptype main
	mark 20/0xffffffff
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1 
10.0.2.0/24 dev west-east  scope link 
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 
192.0.2.0/24 dev west-east  scope link 
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 
192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

