/testing/guestbin/swan-prep
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add west-east
002 "west-east": added IKEv2 connection
west #
 ipsec auto --add pass-222
002 "pass-222": added passthrough connection
west #
 echo "initdone"
initdone
west #
 ipsec auto --up west-east
1v2 "west-east" #1: initiating IKEv2 connection
1v2 "west-east" #1: sent IKE_SA_INIT request
1v2 "west-east" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "west-east" #1: authenticated using authby=secret and peer ID_FQDN '@east'
002 "west-east" #2: negotiated connection [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "west-east" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 # poke a hole to port 222, those packets will be allowed cleartext
west #
 ipsec auto --route pass-222
west #
 ip xfrm pol
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 222 
	dir fwd priority 1687486 ptype main 
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 222 
	dir in priority 1687486 ptype main 
src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 222 
	dir out priority 1687486 ptype main 
src 192.1.2.45/32 dst 192.1.2.23/32 
	dir out priority 2080702 ptype main 
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid 16389 mode tunnel
src 192.1.2.23/32 dst 192.1.2.45/32 
	dir fwd priority 2080702 ptype main 
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid 16389 mode tunnel
src 192.1.2.23/32 dst 192.1.2.45/32 
	dir in priority 2080702 ptype main 
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid 16389 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
west #
 # send packet over the clear exception - should return connection refused
west #
 echo 'test' | nc -v -w 5 192.1.2.23 222
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connection refused.
west #
 # counters should be zero
west #
 ipsec trafficstatus
006 #2: "west-east", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east'
west #
 # send packet over the 'tunnel' should get encrypted
west #
 echo 'test' | nc -v -w 5 192.1.2.23 80
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connection refused.
west #
 ipsec trafficstatus
006 #2: "west-east", type=ESP, add_time=1234567890, inBytes=40, outBytes=60, id='@east'
west #
 # counters should be zero
west #
 echo done
done
west #
 
