/testing/guestbin/swan-prep
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add west-east
002 added IKEv2 connection "west-east"
west #
 ipsec auto --add pass-222
002 added passthrough connection "pass-222"
west #
 echo "initdone"
initdone
west #
 # on-demand packet triggers IKE to unavailable peer and is blocked
west #
 ipsec auto --route west-east
west #
 # poke a hole to port 222, those packets will be allowed cleartext
west #
 ipsec auto --route pass-222
west #
 ip xfrm pol
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 222 
	dir fwd priority 1687486 ptype main 
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 222 
	dir in priority 1687486 ptype main 
src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 222 
	dir out priority 1687486 ptype main 
src 192.1.2.45/32 dst 192.1.2.23/32 
	dir out priority 2080702 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
west #
 # send packet over the clear exception - should return connection refused
west #
 echo 'test' | nc -v -w 5 192.1.2.23 222
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connection refused.
west #
 # send packet over the 'tunnel' that's negotiating - shoudl get blocked
west #
 echo 'test' | nc -v -w 5 192.1.2.23 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: TIMEOUT.
west #
 echo done
done
west #
 : ==== tuc ====
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
west #
 
