/testing/guestbin/swan-prep
road #
 ../../guestbin/wait-until-alive 192.0.2.254
destination 192.0.2.254 is alive
road #
 iptables -A INPUT -i eth0 -s 192.0.2.254 -p icmp -j DROP
road #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
road #
 ../../guestbin/ping-once.sh --down 192.0.2.254
down
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 ip route get to 192.1.2.23
192.1.2.23 via 192.1.3.254 dev eth0 src 192.1.3.209 uid 0
  cache
road #
 # this test needs --verbose to see source address selection
road #
 ipsec auto --add --verbose road
opening file: /etc/ipsec.conf
debugging mode enabled
end of file /etc/ipsec.conf
Loading conn road
starter: left is KH_DEFAULTROUTE
loading named conns: road
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst  via 192.1.3.254 dev eth0 src  table 254
set nexthop: 192.1.3.254
dst 192.1.3.0 via  dev eth0 src 192.1.3.209 table 254
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 192.1.3.0 via  dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.209 via  dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.255 via  dev eth0 src 192.1.3.209 table 255 (ignored)
seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.1.3.254 via  dev eth0 src 192.1.3.209 table 254
set addr: 192.1.3.209
seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "road" modecfgdns=<unset>
conn: "road" modecfgdomains=<unset>
conn: "road" modecfgbanner=<unset>
conn: "road" mark=<unset>
conn: "road" mark-in=<unset>
conn: "road" mark-out=<unset>
conn: "road" vti_iface=<unset>
conn: "road" redirect-to=<unset>
conn: "road" accept-redirect-to=<unset>
conn: "road" esp=<unset>
conn: "road" ike=<unset>
002 "road": added IKEv2 connection
road #
 echo "initdone"
initdone
road #
 ipsec auto --up road
1v2 "road"[1] 192.1.2.23 #1: initiating IKEv2 connection
1v2 "road"[1] 192.1.2.23 #1: sent IKE_SA_INIT request
1v2 "road"[1] 192.1.2.23 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "road"[1] 192.1.2.23 #1: established IKE SA; authenticated using authby=secret and peer ID_FQDN '@east'
002 "road"[1] 192.1.2.23 #2: received INTERNAL_IP4_ADDRESS 192.0.3.1
004 "road"[1] 192.1.2.23 #2: established Child SA; IPsec tunnel [192.0.3.1-192.0.3.1:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
road #
 ping6 -n -q -w 4 -c 2 192.0.2.254
ping6: 192.0.2.254: Address family for hostname not supported
road #
 ipsec trafficstatus
006 #2: "road"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east', lease=192.0.3.1/32
road #
 ../../guestbin/ip-addr-show.sh
eth0 inet 192.1.3.209/24
lo inet 192.0.3.1/32
road #
 ip -6 route
road #
 ip route get to 192.1.2.23
192.1.2.23 via 192.1.3.254 dev eth0 src 192.0.3.1 uid 0
  cache
road #
 #
road #
 # addconn needs a non-existing --ctlsocket
road #
 # otherwise this add brings the connection down.
road #
 #
road #
 # see the source address selection when the tunnel is established
road #
 ipsec auto --add --verbose --ctlsocket /run/pluto/foo road
opening file: /etc/ipsec.conf
debugging mode enabled
end of file /etc/ipsec.conf
Loading conn road
starter: left is KH_DEFAULTROUTE
loading named conns: road
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst 0.0.0.0 via 192.1.3.254 dev eth0 src 192.0.3.1 table 254
dst  via 192.1.3.254 dev eth0 src  table 254
set nexthop: 192.1.3.254
dst 128.0.0.0 via 192.1.3.254 dev eth0 src 192.0.3.1 table 254
dst 192.1.3.0 via  dev eth0 src 192.1.3.209 table 254
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255 (ignored)
dst 192.0.3.1 via  dev lo src 192.0.3.1 table 255 (ignored)
dst 192.1.3.0 via  dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.209 via  dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.255 via  dev eth0 src 192.1.3.209 table 255 (ignored)
seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.1.3.254 via  dev eth0 src 192.1.3.209 table 254
set addr: 192.1.3.209
seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "road" modecfgdns=<unset>
conn: "road" modecfgdomains=<unset>
conn: "road" modecfgbanner=<unset>
conn: "road" mark=<unset>
conn: "road" mark-in=<unset>
conn: "road" mark-out=<unset>
conn: "road" vti_iface=<unset>
conn: "road" redirect-to=<unset>
conn: "road" accept-redirect-to=<unset>
conn: "road" esp=<unset>
conn: "road" ike=<unset>
connect(pluto_ctl) failed: No such file or directory
road #
 echo done
done
road #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-look.sh ; fi
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
XFRM policy:
src 0.0.0.0/0 dst 192.0.3.1/32
	dir fwd priority 2080767 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 0.0.0.0/0 dst 192.0.3.1/32
	dir in priority 2080767 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.3.1/32 dst 0.0.0.0/0
	dir out priority 2080767 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
0.0.0.0/1 via 192.1.3.254 dev eth0 src 192.0.3.1
default via 192.1.3.254 dev eth0
128.0.0.0/1 via 192.1.3.254 dev eth0 src 192.0.3.1
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
road #
 
