/testing/guestbin/swan-prep
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 ipsec auto --add xauth-road-eastnet-psk
002 "xauth-road-eastnet-psk": added IKEv1 connection
road #
 echo "initdone"
initdone
road #
 # fail
road #
 ipsec whack --xauthname 'use2' --xauthpass '' --name xauth-road-eastnet-psk --initiate
003 "xauth-road-eastnet-psk": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
003 "xauth-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure
003 "xauth-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
002 "xauth-road-eastnet-psk" #1: initiating IKEv1 Aggressive Mode connection
003 "xauth-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure
003 "xauth-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
1v1 "xauth-road-eastnet-psk" #1: sent Aggressive Mode request
002 "xauth-road-eastnet-psk" #1: Peer ID is ID_FQDN: '@east'
002 "xauth-road-eastnet-psk" #1: Peer ID is ID_FQDN: '@east'
004 "xauth-road-eastnet-psk" #1: IKE SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
041 "xauth-road-eastnet-psk" #1: xauth-road-eastnet-psk prompt for Username:
040 "xauth-road-eastnet-psk" #1: xauth-road-eastnet-psk prompt for Password:
002 "xauth-road-eastnet-psk" #1: XAUTH: Answering XAUTH challenge with user='use2'
004 "xauth-road-eastnet-psk" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
002 "xauth-road-eastnet-psk" #1: Received Cisco XAUTH status: FAIL
002 "xauth-road-eastnet-psk" #1: xauth: xauth_client_ackstatus() returned STF_OK
002 "xauth-road-eastnet-psk" #1: XAUTH: aborting entire IKE Exchange
036 "xauth-road-eastnet-psk" #1: encountered fatal error in state STATE_XAUTH_I1
road #
 # pass
road #
 ipsec whack --xauthname 'nopw' --xauthpass '' --name xauth-road-eastnet-psk --initiate
003 "xauth-road-eastnet-psk": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
003 "xauth-road-eastnet-psk" #2: multiple DH groups in aggressive mode can cause interop failure
003 "xauth-road-eastnet-psk" #2: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
002 "xauth-road-eastnet-psk" #2: initiating IKEv1 Aggressive Mode connection
003 "xauth-road-eastnet-psk" #2: multiple DH groups in aggressive mode can cause interop failure
003 "xauth-road-eastnet-psk" #2: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
1v1 "xauth-road-eastnet-psk" #2: sent Aggressive Mode request
002 "xauth-road-eastnet-psk" #2: Peer ID is ID_FQDN: '@east'
002 "xauth-road-eastnet-psk" #2: Peer ID is ID_FQDN: '@east'
004 "xauth-road-eastnet-psk" #2: IKE SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
041 "xauth-road-eastnet-psk" #2: xauth-road-eastnet-psk prompt for Username:
040 "xauth-road-eastnet-psk" #2: xauth-road-eastnet-psk prompt for Password:
002 "xauth-road-eastnet-psk" #2: XAUTH: Answering XAUTH challenge with user='nopw'
004 "xauth-road-eastnet-psk" #2: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
002 "xauth-road-eastnet-psk" #2: XAUTH: Successfully Authenticated
002 "xauth-road-eastnet-psk" #2: XAUTH completed; ModeCFG skipped as per configuration
004 "xauth-road-eastnet-psk" #2: IKE SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
002 "xauth-road-eastnet-psk" #3: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
1v1 "xauth-road-eastnet-psk" #3: sent Quick Mode request
004 "xauth-road-eastnet-psk" #3: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive username=nopw}
road #
 sleep 5
road #
 ping -n -q -c 4 192.0.2.254
PING 192.0.2.254 (192.0.2.254) 56(84) bytes of data.
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
 ipsec whack --trafficstatus
006 #3: "xauth-road-eastnet-psk", username=nopw, type=ESP, add_time=1234567890, inBytes=336, outBytes=336
road #
 # note there should NOT be any incomplete IKE SA attempting to do ModeCFG or EVENT_RETRANSMIT
road #
 ipsec status |grep STATE
000 #2: "xauth-road-eastnet-psk":500 STATE_AGGR_I2 (sent AI2, ISAKMP SA established); REKEY in XXs; REPLACE in XXs; newest; lastdpd=-1s(seq in:0 out:0); idle;
000 #3: "xauth-road-eastnet-psk":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); REKEY in XXs; REPLACE in XXs; newest; eroute owner; ISAKMP SA #2; idle;
road #
 echo done
done
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
XFRM policy:
src 192.0.2.0/24 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 
