/testing/guestbin/swan-prep
east #
 ipsec start
Redirecting to: systemctl start ipsec.service
east #
 /testing/pluto/bin/wait-until-pluto-started
east #
 ipsec auto --add northnet-eastnet
002 added connection description "northnet-eastnet/0x1"
002 added connection description "northnet-eastnet/0x2"
east #
 ipsec auto --status | grep northnet-eastnet
000 "northnet-eastnet/0x1": 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24; unrouted; eroute owner: #0
000 "northnet-eastnet/0x1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "northnet-eastnet/0x1":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "northnet-eastnet/0x1":   our auth:secret, their auth:secret
000 "northnet-eastnet/0x1":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "northnet-eastnet/0x1":   labeled_ipsec:no;
000 "northnet-eastnet/0x1":   policy_label:unset;
000 "northnet-eastnet/0x1":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "northnet-eastnet/0x1":   retransmit-interval: 9999ms; retransmit-timeout: 99s;
000 "northnet-eastnet/0x1":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "northnet-eastnet/0x1":   policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "northnet-eastnet/0x1":   conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "northnet-eastnet/0x1":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "northnet-eastnet/0x1":   our idtype: ID_FQDN; our id=@east; their idtype: ID_FQDN; their id=@north
000 "northnet-eastnet/0x1":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "northnet-eastnet/0x1":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "northnet-eastnet/0x1":   aliases: northnet-eastnet
000 "northnet-eastnet/0x2": 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24; unrouted; eroute owner: #0
000 "northnet-eastnet/0x2":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "northnet-eastnet/0x2":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "northnet-eastnet/0x2":   our auth:secret, their auth:secret
000 "northnet-eastnet/0x2":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "northnet-eastnet/0x2":   labeled_ipsec:no;
000 "northnet-eastnet/0x2":   policy_label:unset;
000 "northnet-eastnet/0x2":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "northnet-eastnet/0x2":   retransmit-interval: 9999ms; retransmit-timeout: 99s;
000 "northnet-eastnet/0x2":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "northnet-eastnet/0x2":   policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "northnet-eastnet/0x2":   conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "northnet-eastnet/0x2":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "northnet-eastnet/0x2":   our idtype: ID_FQDN; our id=@east; their idtype: ID_FQDN; their id=@north
000 "northnet-eastnet/0x2":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "northnet-eastnet/0x2":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "northnet-eastnet/0x2":   aliases: northnet-eastnet
east #
 ipsec whack --impair suppress-retransmits
east #
 echo "initdone"
initdone
east #
 ipsec whack --trafficstatus
006 #2: "northnet-eastnet/0x2", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@north'
006 #3: "northnet-eastnet/0x2", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@north'
east #
 # policies and state should be multiple
east #
 ip xfrm state
src 192.1.3.33 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
src 192.1.2.23 dst 192.1.3.33
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
src 192.1.3.33 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
src 192.1.2.23 dst 192.1.3.33
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
east #
 ip xfrm policy
src 192.0.2.0/24 dst 192.0.3.0/24 
	dir out priority 1042407 ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.33
src 192.0.3.0/24 dst 192.0.2.0/24 
	dir fwd priority 1042407 ptype main 
	tmpl src 192.1.3.33 dst 192.1.2.23
src 192.0.3.0/24 dst 192.0.2.0/24 
	dir in priority 1042407 ptype main 
	tmpl src 192.1.3.33 dst 192.1.2.23
east #
east #
 ../bin/check-for-core.sh
east #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

