/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 echo "initdone"
initdone
west #
 ../../guestbin/libreswan-up-down.sh ah=md5 -I 192.0.1.254 192.0.2.254
002 "ah=md5": added IKEv2 connection
1v2 "ah=md5" #1: initiating IKEv2 connection
1v2 "ah=md5" #1: sent IKE_SA_INIT request to 192.1.2.23:500
1v2 "ah=md5" #1: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
003 "ah=md5" #1: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
004 "ah=md5" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_MD5_96 DPD=passive}
up
002 "ah=md5": terminating SAs using this connection
002 "ah=md5" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
005 "ah=md5" #2: AH traffic information: in=84B out=84B
002 "ah=md5": terminating SAs using this connection
west #
 ../../guestbin/libreswan-up-down.sh ah=sha1 -I 192.0.1.254 192.0.2.254
002 "ah=sha1": added IKEv2 connection
1v2 "ah=sha1" #3: initiating IKEv2 connection
1v2 "ah=sha1" #3: sent IKE_SA_INIT request to 192.1.2.23:500
1v2 "ah=sha1" #3: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
003 "ah=sha1" #3: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
004 "ah=sha1" #4: initiator established Child SA using #3; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
up
002 "ah=sha1": terminating SAs using this connection
002 "ah=sha1" #3: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
005 "ah=sha1" #4: AH traffic information: in=84B out=84B
002 "ah=sha1": terminating SAs using this connection
west #
 # Test rekey
west #
 ipsec auto --add ah=sha1
002 "ah=sha1": added IKEv2 connection
west #
 ipsec auto --up ah=sha1
1v2 "ah=sha1" #5: initiating IKEv2 connection
1v2 "ah=sha1" #5: sent IKE_SA_INIT request to 192.1.2.23:500
1v2 "ah=sha1" #5: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
003 "ah=sha1" #5: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
004 "ah=sha1" #6: initiator established Child SA using #5; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
west #
 ping -n -q -c 2 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
--- 192.0.2.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 sleep 1
west #
 ipsec auto --up ah=sha1
002 "ah=sha1" #7: initiating Child SA using IKE SA #5
1v2 "ah=sha1" #7: sent CREATE_CHILD_SA request for new IPsec SA
004 "ah=sha1" #7: initiator established Child SA using #5; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
west #
 sleep 1
west #
 ping -n -q -c 2 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
--- 192.0.2.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # since bofh AH tunnels are still there, check if they all got traffic, meaning new ones was used
west #
 # use weird spacing to avoid sanitizer
west #
 ip xfrm     s | grep anti-replay
	anti-replay esn context:
	anti-replay esn context:
	anti-replay esn context:
	anti-replay esn context:
west #
 echo done
done
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-look.sh ; fi
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.45 dst 192.1.2.23
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.23 dst 192.1.2.45
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.45 dst 192.1.2.23
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto ah reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan statusall ; fi
west #
 
