/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
 certutil -D -n road -d sql:/etc/ipsec.d
road #
 certutil -D -n east -d sql:/etc/ipsec.d
road #
 cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private-or-clear
road #
 ipsec start
Redirecting to: systemctl start ipsec.service
road #
 /testing/pluto/bin/wait-until-pluto-started
road #
 ipsec whack --debug-all --impair retransmits
road #
 # ensure for tests acquires expire before our failureshunt=2m
road #
 echo 30 > /proc/sys/net/core/xfrm_acq_expires
road #
 # give OE policies time to load
road #
 sleep 5
road #
 ip -s xfrm monitor > /tmp/xfrm-monitor.out &
[x] PID
road #
 echo "initdone"
initdone
road #
 # one packet, which gets eaten by XFRM, so east does not initiate
road #
 ping -n -c 1 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time XXXX
road #
 # wait on OE IKE negotiation
road #
 sleep 1
road #
 ping -n -c 2 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
64 bytes from 192.1.2.23: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.1.2.23: icmp_seq=2 ttl=64 time=0.XXX ms
--- 192.1.2.23 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
 # should show established tunnel and no bare shunts
road #
 ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org', lease=10.0.10.1/32
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 ipsec look
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPIXX reqid REQID mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
XFRM policy:
src 10.0.10.1/32 dst 192.1.2.23/32 
	dir out priority 2080 ptype main 
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 10.0.10.1/32 
	dir fwd priority 2080 ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 10.0.10.1/32 
	dir in priority 2080 ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.253/32 dst 192.1.3.209/32 
	dir fwd priority 1568 ptype main 
src 192.1.2.253/32 dst 192.1.3.209/32 
	dir in priority 1568 ptype main 
src 192.1.3.209/32 dst 192.1.2.0/24 
	dir out priority 2088 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.3.209/32 dst 192.1.2.23/32 
	dir out priority 2080 ptype main 
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.253/32 
	dir out priority 1568 ptype main 
src 192.1.3.209/32 dst 192.1.3.253/32 
	dir out priority 1568 ptype main 
src 192.1.3.209/32 dst 192.1.3.254/32 
	dir out priority 1568 ptype main 
src 192.1.3.253/32 dst 192.1.3.209/32 
	dir fwd priority 1568 ptype main 
src 192.1.3.253/32 dst 192.1.3.209/32 
	dir in priority 1568 ptype main 
src 192.1.3.254/32 dst 192.1.3.209/32 
	dir fwd priority 1568 ptype main 
src 192.1.3.254/32 dst 192.1.3.209/32 
	dir in priority 1568 ptype main 
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0 
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209 
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,, 
east-ec                                                      P,,  
hashsha2                                                     P,,  
nic                                                          P,,  
north                                                        P,,  
west                                                         P,,  
west-ec                                                      P,,  
road #
 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  192.1.2.23           10.0.10.1            policy match dir in pol ipsec to:192.1.3.209
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  0.0.0.0/0            192.1.2.23           policy match dir out pol ipsec to:10.0.10.1
road #
 ipsec stop
Redirecting to: systemctl stop ipsec.service
road #
 conntrack -L -n | sed -e "s/id=[0-9]*/id=XXXX/g" -e "s/icmp     1 [0-9]*/icmp     1 XX/" | sort
[ 00.00] Netfilter messages via NETLINK v0.30.
[ 00.00] ctnetlink v0.93: registering with nfnetlink.
conntrack v1.4.3 (conntrack-tools): 1 flow entries have been shown.
icmp     1 XX src=192.1.3.209 dst=192.1.2.23 type=8 code=0 id=XXXX src=192.1.2.23 dst=10.0.10.1 type=0 code=0 id=XXXX mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
road #
 conntrack -F
conntrack v1.4.3 (conntrack-tools): connection tracking table has been emptied.
road #
 iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
road #
 iptables -t nat -F
road #
 ipsec start
Redirecting to: systemctl start ipsec.service
road #
 # packet trigger OE
road #
 ping -n -c 1 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
64 bytes from 192.1.2.23: icmp_seq=1 ttl=63 time=0.XXX ms
--- 192.1.2.23 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
 sleep 1
road #
 ping -n -c 2 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
64 bytes from 192.1.2.23: icmp_seq=2 ttl=64 time=0.XXX ms
--- 192.1.2.23 ping statistics ---
2 packets transmitted, 1 received, 50% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
 ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org', lease=10.0.10.1/32
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 ipsec look
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPIXX reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPIXX reqid REQID mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
XFRM policy:
src 10.0.10.1/32 dst 192.1.2.23/32 
	dir out priority 2080 ptype main 
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 10.0.10.1/32 
	dir fwd priority 2080 ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 10.0.10.1/32 
	dir in priority 2080 ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.253/32 dst 192.1.3.209/32 
	dir fwd priority 1568 ptype main 
src 192.1.2.253/32 dst 192.1.3.209/32 
	dir in priority 1568 ptype main 
src 192.1.3.209/32 dst 192.1.2.0/24 
	dir out priority 2088 ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.3.209/32 dst 192.1.2.23/32 
	dir out priority 2080 ptype main 
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.253/32 
	dir out priority 1568 ptype main 
src 192.1.3.209/32 dst 192.1.3.253/32 
	dir out priority 1568 ptype main 
src 192.1.3.209/32 dst 192.1.3.254/32 
	dir out priority 1568 ptype main 
src 192.1.3.253/32 dst 192.1.3.209/32 
	dir fwd priority 1568 ptype main 
src 192.1.3.253/32 dst 192.1.3.209/32 
	dir in priority 1568 ptype main 
src 192.1.3.254/32 dst 192.1.3.209/32 
	dir fwd priority 1568 ptype main 
src 192.1.3.254/32 dst 192.1.3.209/32 
	dir in priority 1568 ptype main 
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0 
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209 
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,, 
east-ec                                                      P,,  
hashsha2                                                     P,,  
nic                                                          P,,  
north                                                        P,,  
west                                                         P,,  
west-ec                                                      P,,  
road #
 iptables -t nat -L -n
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
DNAT       all  --  192.1.2.23           10.0.10.1            policy match dir in pol ipsec to:192.1.3.209
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  0.0.0.0/0            192.1.2.23           policy match dir out pol ipsec to:10.0.10.1
road #
 conntrack -L -n | sed -e "s/id=[0-9]*/id=XXXX/g" -e "s/icmp     1 [0-9]*/icmp     1 XX/" | sort
conntrack v1.4.3 (conntrack-tools): 2 flow entries have been shown.
icmp     1 XX src=192.1.3.209 dst=192.1.2.23 type=8 code=0 id=XXXX src=192.1.2.23 dst=10.0.10.1 type=0 code=0 id=XXXX mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
icmp     1 XX src=192.1.3.209 dst=192.1.2.23 type=8 code=0 id=XXXX src=192.1.2.23 dst=192.1.3.209 type=0 code=0 id=XXXX mark=0 secctx=system_u:object_r:unlabeled_t:s0 use=1
road #
 killall ip > /dev/null 2> /dev/null
[1]+  Terminated              ip -s xfrm monitor > /tmp/xfrm-monitor.out
road #
 cp /tmp/xfrm-monitor.out OUTPUT/road.xfrm-monitor.txt
road #
 # ping should succeed through tunnel
road #
 echo done
done
road #
 # A tunnel should have established with non-zero byte counters
road #
 ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] 10.0.10.1/32=== ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org', lease=10.0.10.1/32
road #
 # you should see both RSA and NULL
road #
 grep IKEv2_AUTH_ /tmp/pluto.log
|    auth method: IKEv2_AUTH_NULL (0xd)
|    auth method: IKEv2_AUTH_RSA (0x1)
road #
road #
 ../bin/check-for-core.sh
road #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

