/testing/guestbin/swan-prep
west #
 # System Role deployment on nic will push configurations to our machine
west #
 # into /etc/ipsec.d/
west #
 rm -rf OUTPUT/west/ipsec.d
west #
 mkdir -p OUTPUT/west/ipsec.d
west #
 chmod 777 OUTPUT/west
west #
 mount -o bind,rw OUTPUT/west/ipsec.d /etc/ipsec.d
west #
 # initnss normally happens in the initsystem - but not for namespace testing
west #
 # ../../guestbin/if-namespace.sh ipsec initnss
west #
 ipsec initnss
Initializing NSS database
west #
 PATH/bin/pk12util -i /testing/x509/pkcs12/mainca/west.p12 -d sql:/etc/ipsec.d -w /testing/x509/nss-pw
pk12util: PKCS12 IMPORT SUCCESSFUL
west #
 # test config for syntax errors
west #
 ipsec addconn --checkconfig --config /etc/ipsec.conf
west #
 # start for test
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 # test secrets reading for early warning of syntax errors
west #
 ipsec secrets
002 loading secrets from "/etc/ipsec.secrets"
002 no secrets filename matched "/etc/ipsec.d/*.secrets"
west #
 ../../guestbin/if-namespace.sh PATH/sbin/sshd -o PidFile=/var/run/pluto/sshd.pid
west #
 # ready for System Role to drop file(s) into /etc/ipsec.d/
west #
 echo "initdone"
initdone
west #
 # New files should have dropped in, and we are ready to restart
west #
 ipsec restart
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec status | grep 192.1.2
000 interface eth1 UDP 192.1.2.45:4500
000 interface eth1 UDP 192.1.2.45:500
000 "192.1.2.45-to-192.1.2.23": 192.1.2.45...192.1.2.23[%fromcert]; prospective erouted; eroute owner: #0
000 "192.1.2.45-to-192.1.2.23":     oriented; my_ip=unset; their_ip=unset; mycert=west; my_updown=ipsec _updown;
000 "192.1.2.45-to-192.1.2.23":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "192.1.2.45-to-192.1.2.23":   our auth:rsasig, their auth:rsasig, our autheap:none, their autheap:none;
000 "192.1.2.45-to-192.1.2.23":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "192.1.2.45-to-192.1.2.23":   sec_label:unset;
000 "192.1.2.45-to-192.1.2.23":   CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'%any'
000 "192.1.2.45-to-192.1.2.23":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "192.1.2.45-to-192.1.2.23":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
000 "192.1.2.45-to-192.1.2.23":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "192.1.2.45-to-192.1.2.23":   policy: IKEv2+RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+ESN_YES+RSASIG_v1_5;
000 "192.1.2.45-to-192.1.2.23":   v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512;
000 "192.1.2.45-to-192.1.2.23":   conn_prio: 32,32; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "192.1.2.45-to-192.1.2.23":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "192.1.2.45-to-192.1.2.23":   our idtype: ID_IPV4_ADDR; our id=192.1.2.45; their idtype: %fromcert; their id=%fromcert
000 "192.1.2.45-to-192.1.2.23":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "192.1.2.45-to-192.1.2.23":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1;
west #
 # connection is ondemand, but we will --up so we can see X.509 auth
west #
 # name is generated by System Role
west #
 ipsec whack --impair suppress-retransmits
west #
 ipsec auto --up 192.1.2.45-to-192.1.2.23
1v2 "192.1.2.45-to-192.1.2.23" #1: initiating IKEv2 connection
1v2 "192.1.2.45-to-192.1.2.23" #1: sent IKE_SA_INIT request
1v2 "192.1.2.45-to-192.1.2.23" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "192.1.2.45-to-192.1.2.23" #1: established IKE SA; authenticated using RSA with SHA2_512 and peer certificate 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' issued by CA 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'
004 "192.1.2.45-to-192.1.2.23" #2: established Child SA using #1; IPsec tunnel [192.1.2.45-192.1.2.45:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
west #
 ping -n -q -c 4 -I 192.1.2.45 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.2.45 : 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # show non-zero IPsec traffic counters
west #
 ipsec whack --trafficstatus
006 #2: "192.1.2.45-to-192.1.2.23", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
west #
 echo done
done
west #
 ipsec stop
Redirecting to: [initsystem]
west #
 #rm -f /etc/ipsec.d/*.*
west #
 #umount /etc/ipsec.d
west #
 test -f /var/run/pluto/sshd.pid && kill -9 `cat /var/run/pluto/sshd.pid` >/dev/null
west #
 
