/testing/guestbin/swan-prep
road #
 ifconfig eth0 192.1.3.194 netmask 255.255.255.0
road #
 route add -net default gw 192.1.3.254
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 ipsec auto --add modecfg-road-eastnet-psk
002 "modecfg-road-eastnet-psk": added IKEv1 connection
road #
 echo "initdone"
initdone
road #
 ipsec auto --replace modecfg-road-eastnet-psk
002 "modecfg-road-eastnet-psk": terminating SAs using this connection
002 "modecfg-road-eastnet-psk": added IKEv1 connection
road #
 ipsec whack --status | grep modecfg-road-eastnet-psk
000 "modecfg-road-eastnet-psk": 192.1.3.194[@roadrandom,+MC+XC+S=C]---192.1.3.254...192.1.2.23[@east,MS+XS+S=C]===192.0.2.0/24; unrouted; eroute owner: #0
000 "modecfg-road-eastnet-psk":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "modecfg-road-eastnet-psk":   xauth us:client, xauth them:server,  my_username=[any]; their_username=[any]
000 "modecfg-road-eastnet-psk":   our auth:secret, their auth:secret, our autheap:none, their autheap:none;
000 "modecfg-road-eastnet-psk":   modecfg info: us:client, them:server, modecfg policy:push, dns:unset, domains:unset, cat:unset;
000 "modecfg-road-eastnet-psk":   sec_label:unset;
000 "modecfg-road-eastnet-psk":   ike_life: 28800s; ipsec_life: 28800s; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "modecfg-road-eastnet-psk":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
000 "modecfg-road-eastnet-psk":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "modecfg-road-eastnet-psk":   policy: IKEv1+PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
000 "modecfg-road-eastnet-psk":   conn_prio: 32,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "modecfg-road-eastnet-psk":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "modecfg-road-eastnet-psk":   our idtype: ID_FQDN; our id=@roadrandom; their idtype: ID_FQDN; their id=@east
000 "modecfg-road-eastnet-psk":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "modecfg-road-eastnet-psk":   newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $2;
000 "modecfg-road-eastnet-psk":   IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536
road #
 ipsec whack --xauthname 'use3' --xauthpass 'use1pass' --name modecfg-road-eastnet-psk --initiate
003 "modecfg-road-eastnet-psk" #1: IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
003 "modecfg-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure
003 "modecfg-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
002 "modecfg-road-eastnet-psk" #1: initiating IKEv1 Aggressive Mode connection
003 "modecfg-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure
003 "modecfg-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
1v1 "modecfg-road-eastnet-psk" #1: sent Aggressive Mode request
002 "modecfg-road-eastnet-psk" #1: Peer ID is ID_FQDN: '@east'
004 "modecfg-road-eastnet-psk" #1: IKE SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
041 "modecfg-road-eastnet-psk" #1: modecfg-road-eastnet-psk prompt for Username:
040 "modecfg-road-eastnet-psk" #1: modecfg-road-eastnet-psk prompt for Password:
002 "modecfg-road-eastnet-psk" #1: XAUTH: Answering XAUTH challenge with user='use3'
004 "modecfg-road-eastnet-psk" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
002 "modecfg-road-eastnet-psk" #1: XAUTH: Successfully Authenticated
004 "modecfg-road-eastnet-psk" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
002 "modecfg-road-eastnet-psk" #1: Received IP address 10.9.2.209/32
002 "modecfg-road-eastnet-psk" #1: setting ip source address to 10.9.2.209/32
004 "modecfg-road-eastnet-psk" #1: IKE SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536}
002 "modecfg-road-eastnet-psk" #2: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
1v1 "modecfg-road-eastnet-psk" #2: sent Quick Mode request
004 "modecfg-road-eastnet-psk" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive username=use3}
road #
 ../../guestbin/ping-once.sh --up 192.0.2.254
up
road #
 echo done.
done.
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.194
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.3.194 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
XFRM policy:
src 10.9.2.209/32 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.194 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 10.9.2.209/32
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.194
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 10.9.2.209/32
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.194
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.0.2.0/24 via 192.1.3.254 dev eth0 src 10.9.2.209
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.194
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 
