/testing/guestbin/swan-prep
west #
 ip tunnel add eth3 mode gre local 192.1.2.45 remote 192.1.2.23
west #
 ip addr add 192.1.3.2/24 dev eth3
west #
 ip link set dev eth3 up
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add test1
002 "test1": added IKEv2 connection
west #
 ipsec auto --add test2
002 "test2": added IKEv2 connection
west #
 ipsec auto --add test3
002 "test3": added IKEv2 connection
west #
 ipsec auto --status | grep interface
000 using kernel interface: xfrm
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 192.0.1.254:4500
000 interface eth0 UDP 192.0.1.254:500
000 interface eth1 UDP 192.1.2.45:4500
000 interface eth1 UDP 192.1.2.45:500
000 interface eth3 UDP 192.1.3.2:4500
000 interface eth3 UDP 192.1.3.2:500
000 "test1":   conn_prio: 32,32; interface: eth3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test2":   conn_prio: 32,32; interface: ; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test3":   conn_prio: 32,32; interface: eth3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
west #
 ipsec auto --status | grep orient
000 "test1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test2":     unoriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test3":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
west #
 ipsec auto --up test1
1v2 "test1" #1: initiating IKEv2 connection
1v2 "test1" #1: sent IKE_SA_INIT request
002 "test1" #1: WARNING: connection test1 PSK length of 9 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
1v2 "test1" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "test1" #1: WARNING: connection test1 PSK length of 9 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
003 "test1" #1: authenticated using authby=secret
002 "test1" #2: negotiated connection [192.1.3.2-192.1.3.2:0-65535 0] -> [192.1.3.1-192.1.3.1:0-65535 0]
004 "test1" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ../../pluto/bin/ping-once.sh --up -I 192.1.3.2 192.1.3.1
up
west #
 ipsec whack --trafficstatus
006 #2: "test1", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='192.1.3.1'
west #
 ip addr add 192.1.3.3/24 dev eth3
west #
 ipsec auto --ready
002 listening for IKE messages
002 adding UDP interface eth3 192.1.3.3:500
002 adding UDP interface eth3 192.1.3.3:4500
003 two interfaces match "test3" (eth3 192.1.3.3, eth3 192.1.3.2)
002 "test3": terminating SAs using this connection
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
west #
 ipsec auto --status |grep orient
000 "test1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test2":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test3":     unoriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
west #
 ipsec auto --up test2
1v2 "test2" #3: initiating IKEv2 connection
1v2 "test2" #3: sent IKE_SA_INIT request
002 "test2" #3: WARNING: connection test2 PSK length of 9 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
1v2 "test2" #3: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "test2" #3: WARNING: connection test2 PSK length of 9 bytes is too short for HMAC_SHA2_512 PRF in FIPS mode (32 bytes required)
003 "test2" #3: authenticated using authby=secret
002 "test2" #4: negotiated connection [192.1.3.3-192.1.3.3:0-65535 0] -> [192.1.3.1-192.1.3.1:0-65535 0]
004 "test2" #4: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
west #
 ../../pluto/bin/ping-once.sh --up -I 192.1.3.3 192.1.3.1
up
west #
 ipsec whack --trafficstatus
006 #2: "test1", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='192.1.3.1'
006 #4: "test2", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='192.1.3.1'
west #
 ip addr del 192.1.3.3/24 dev eth3
west #
 ipsec auto --ready
002 listening for IKE messages
002 shutting down interface eth3 192.1.3.3:4500
002 shutting down interface eth3 192.1.3.3:500
002 "test2" #4: deleting state (STATE_V2_ESTABLISHED_CHILD_SA) and sending notification
005 "test2" #4: ESP traffic information: in=84B out=84B
003 ERROR: "test2" #3: send on eth3 from 192.1.3.3:500 to 192.1.3.1:500 using UDP failed in delete notification. Errno 101: Network is unreachable
002 "test2" #3: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
003 ERROR: "test2" #3: send on eth3 from 192.1.3.3:500 to 192.1.3.1:500 using UDP failed in delete notification. Errno 101: Network is unreachable
002 "test2" #3: deleting IKE SA but connection is supposed to remain up; schedule EVENT_REVIVE_CONNS
002 "test2": terminating SAs using this connection
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
west #
 ipsec auto --status |grep orient
000 "test1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test2":     unoriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test3":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
west #
 ipsec auto --status | grep interface
000 using kernel interface: xfrm
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 192.0.1.254:4500
000 interface eth0 UDP 192.0.1.254:500
000 interface eth1 UDP 192.1.2.45:4500
000 interface eth1 UDP 192.1.2.45:500
000 interface eth3 UDP 192.1.3.2:4500
000 interface eth3 UDP 192.1.3.2:500
000 "test1":   conn_prio: 32,32; interface: eth3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test2":   conn_prio: 32,32; interface: ; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test3":   conn_prio: 32,32; interface: eth3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
west #
 ipsec auto --status | grep orient
000 "test1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test2":     unoriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test3":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
west #
 ipsec auto --ready
002 listening for IKE messages
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
west #
 ipsec auto --status | grep interface
000 using kernel interface: xfrm
000 interface lo UDP 127.0.0.1:4500
000 interface lo UDP 127.0.0.1:500
000 interface eth0 UDP 192.0.1.254:4500
000 interface eth0 UDP 192.0.1.254:500
000 interface eth1 UDP 192.1.2.45:4500
000 interface eth1 UDP 192.1.2.45:500
000 interface eth3 UDP 192.1.3.2:4500
000 interface eth3 UDP 192.1.3.2:500
000 "test1":   conn_prio: 32,32; interface: eth3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test2":   conn_prio: 32,32; interface: ; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "test3":   conn_prio: 32,32; interface: eth3; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
west #
 ipsec auto --status | grep orient
000 "test1":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test2":     unoriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "test3":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
west #
 ipsec whack --shutdown
west #
 ip link set dev eth3 down
west #
 ip tunnel del eth3
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
west #
 
