[root@west ]# # confirm that the network is alive
[root@west ]# ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_req=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_req=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_req=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_req=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
[root@west ]# # make sure that clear text does not get through
[root@west ]# iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
[root@west ]# # confirm with a ping to east-in
[root@west ]# ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=1 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=2 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=3 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=4 
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time XXXX
[root@west ]# ipsec _stackmanager start
[ 00.00] NET: Registered protocol family 15
[root@west ]# /usr/local/libexec/ipsec/pluto --config /etc/ipsec.conf
[root@west ]# /testing/pluto/bin/wait-until-pluto-started
[ 00.00] alg: No test for cipher_null (cipher_null-generic)
[ 00.00] alg: No test for ecb(cipher_null) (ecb-cipher_null)
[ 00.00] alg: No test for digest_null (digest_null-generic)
[ 00.00] alg: No test for compress_null (compress_null-generic)
[root@west ]# ipsec auto --add westnet-eastnet-compress
[root@west ]# ipsec auto --status
000 using kernel interface: netkey
000 interface eth2/eth2 2001:db8:9:4::45
000 interface eth1/eth1 2001:db8:1:2::45
000 interface eth0/eth0 2001:db8:0:1::254
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.0.1.254
000 interface eth1/eth1 192.1.2.45
000 interface eth2/eth2 192.9.4.45
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000  
000 virtual_private (%priv):
000 - allowed 0 subnets: 
000 - disallowed 0 subnets: 
000 WARNING: Either virtual_private= is not specified, or there is a syntax 
000          error in that line. 'left/rightsubnet=vhost:%priv' will not work!
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 
000          private address space in internal use, it should be excluded!
000  
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=12, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=16, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0
000  
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=5, name=OAKLEY_SHA2_384, hashsize=48
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000  
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
000  
000 "westnet-eastnet-compress": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; unrouted; eroute owner: #0
000 "westnet-eastnet-compress":     oriented; my_ip=unset; their_ip=unset;
000 "westnet-eastnet-compress":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]; ;
000 "westnet-eastnet-compress":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset;
000 "westnet-eastnet-compress":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-eastnet-compress":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEv2ALLOW+SAREFTRACK+IKE_FRAG; 
000 "westnet-eastnet-compress":   prio: 24,24; interface: eth1; metric: 0, mtu: unset;
000 "westnet-eastnet-compress":   dpd: action:clear; delay:0; timeout:0;  
000 "westnet-eastnet-compress":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000  
000  
[root@west ]# echo "initdone"
initdone
[root@west ]# ipsec auto --up  westnet-eastnet-compress
104 "westnet-eastnet-compress" #1: STATE_MAIN_I1: initiate
003 "westnet-eastnet-compress" #1: received Vendor ID payload [Libreswan 
003 "westnet-eastnet-compress" #1: received Vendor ID payload [Dead Peer Detection]
106 "westnet-eastnet-compress" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "westnet-eastnet-compress" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "westnet-eastnet-compress" #1: received Vendor ID payload [CAN-IKEv2]
004 "westnet-eastnet-compress" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp2048}
117 "westnet-eastnet-compress" #2: STATE_QUICK_I1: initiate
[ 00.00] alg: No test for authenc(hmac(sha1),cbc(aes)) (authenc(hmac(sha1-generic),cbc(aes-asm)))
004 "westnet-eastnet-compress" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
[root@west ]# ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.

THIS IS A BUG!

[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=1 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=2 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=3 
[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=4 
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time XXXX
[root@west ]# ip xfrm state
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0x6ca3e920 reqid 16385 mode transport

TRANSPORT MODE IS A BUG

	replay-window 32 
	auth-trunc hmac(sha1) 0xa17a3e0c4ffe46d53a34e5f43ffa5e578763c288 96
	enc cbc(aes) 0xdc05f32b4a5da94d81500c26408dca52
	sel src 192.0.2.0/24 dst 192.0.1.0/24 
src 192.1.2.23 dst 192.1.2.45
	proto comp spi 0x000007eb reqid 16386 mode tunnel
	replay-window 0 flag af-unspec
	comp deflate 0x
src 192.1.2.23 dst 192.1.2.45
	proto 4 spi 0xc0010217 reqid 0 mode tunnel
	replay-window 0 flag af-unspec
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xfa7e0ace reqid 16385 mode transport

TRANSPORT MODE IS A BUG

	replay-window 32 
	auth-trunc hmac(sha1) 0x5752270fe95ab0d7110d9711323274f90359160c 96
	enc cbc(aes) 0x350d47d930509f76f05f3d4447795454
	sel src 192.0.1.0/24 dst 192.0.2.0/24 
src 192.1.2.45 dst 192.1.2.23
	proto comp spi 0x00005235 reqid 16386 mode tunnel
	replay-window 0 flag af-unspec
	comp deflate 0x
src 192.1.2.45 dst 192.1.2.23
	proto 4 spi 0xc001022d reqid 0 mode tunnel
	replay-window 0 flag af-unspec
[root@west ]# ip xfrm policy
src 192.0.1.0/24 dst 192.0.2.0/24 
	dir out priority 2344 ptype main 
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto comp reqid 16386 mode tunnel
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16385 mode transport
src 192.0.2.0/24 dst 192.0.1.0/24 
	dir fwd priority 2344 ptype main 
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid 16386 mode tunnel
		level use 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16385 mode transport
src 192.0.2.0/24 dst 192.0.1.0/24 
	dir in priority 2344 ptype main 
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid 16386 mode tunnel
		level use 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16385 mode transport
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
[root@west ]# echo done
done
[root@west ]# if [ -f /tmp/core ]; then echo CORE FOUND; mv /tmp/core ./; fi

