/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 PATH/bin/pk12util -i /testing/x509/strongswan/strongWest.p12 -d sql:/etc/ipsec.d -w /testing/x509/nss-pw
pk12util: PKCS12 IMPORT SUCCESSFUL
west #
 # import for east should not be needed
west #
 PATH/bin/pk12util -i /testing/x509/strongswan/strongEast.p12 -d sql:/etc/ipsec.d -w /testing/x509/nss-pw
pk12util: PKCS12 IMPORT SUCCESSFUL
west #
 # Tuomo: why doesn't ipsec checknss --settrust work here?
west #
 certutil -M -d sql:/etc/ipsec.d -n "strongSwan CA - strongSwan" -t CT,,
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet-ikev2
002 "westnet-eastnet-ikev2": added IKEv2 connection
west #
 echo "initdone"
initdone
west #
 ipsec auto --up westnet-eastnet-ikev2
1v2 "westnet-eastnet-ikev2" #1: initiating IKEv2 connection
1v2 "westnet-eastnet-ikev2" #1: sent IKE_SA_INIT request
002 "westnet-eastnet-ikev2" #1: Received unauthenticated INVALID_KE_PAYLOAD response to DH MODP2048; resending with suggested DH DH19
1v2 "westnet-eastnet-ikev2" #1: sent IKE_SA_INIT request
1v2 "westnet-eastnet-ikev2" #1: sent IKE_AUTH request {cipher=AES_CBC_256 integ=HMAC_SHA2_256_128 prf=HMAC_SHA2_256 group=DH19}
003 "westnet-eastnet-ikev2" #1: established IKE SA; authenticated using ECDSA with SHA2_384 and peer certificate 'C=CH, O=strongSwan, CN=strongEast' issued by CA 'C=CH, O=strongSwan, CN=strongSwan CA'
004 "westnet-eastnet-ikev2" #2: established Child SA; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA2_512_256 NATOA=none NATD=none DPD=passive}
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec whack --trafficstatus
006 #2: "westnet-eastnet-ikev2", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='C=CH, O=strongSwan, CN=strongEast'
west #
 echo done
done
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-look.sh ; fi
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha512) 0xHASHKEY 256
	enc cbc(aes) 0xENCKEY
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha512) 0xHASHKEY 256
	enc cbc(aes) 0xENCKEY
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority 2084814 ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority 2084814 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority 2084814 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
strongEast                                                   u,u,u
strongSwan CA - strongSwan                                   CT,, 
strongWest                                                   u,u,u
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
west #
 
