/testing/guestbin/swan-prep
road #
 echo "192.0.2.252/30" >> /etc/ipsec.d/policies/clear
road #
 echo "192.1.3.252/30" >> /etc/ipsec.d/policies/clear
road #
 ifdown eth0
road #
 sed -i '/IPV6/d' /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 sed -i '/IPADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 sed -i '/GATEWAY/d' /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 echo "IPADDR=192.1.3.209" >> /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 echo "GATEWAY=192.1.3.254" >> /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 ifup eth0
road #
 ipsec start
Redirecting to: systemctl start ipsec.service
road #
 /testing/pluto/bin/wait-until-pluto-started
road #
 ipsec auto --add road-eastnet
002 added connection description "road-eastnet"
road #
 echo "initdone"
initdone
road #
 ipsec auto --up road-eastnet
002 "road-eastnet"[1] 192.1.2.23 #1: initiating v2 parent SA
1v2 "road-eastnet"[1] 192.1.2.23 #1: initiate
1v2 "road-eastnet"[1] 192.1.2.23 #1: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "road-eastnet"[1] 192.1.2.23 #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "road-eastnet"[1] 192.1.2.23 #2: Authenticated using authby=secret
002 "road-eastnet"[1] 192.1.2.23 #2: received INTERNAL_IP4_ADDRESS 192.0.3.10
002 "road-eastnet"[1] 192.1.2.23 #2: negotiated connection [192.0.3.10-192.0.3.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0]
004 "road-eastnet"[1] 192.1.2.23 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xESPESP <0xESPESP xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=192.1.2.23:4500 DPD=passive}
road #
 ping -W 1 -q -n -c 2 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
 ipsec whack --trafficstatus
006 #2: "road-eastnet"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23', lease=192.0.3.10/32
road #
 # note this end should be 192.1.3.209
road #
 ip xfrm state
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	enc cbc(aes) 0xENCKEY
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	enc cbc(aes) 0xENCKEY
road #
 sleep 5
road #
 # remove this end ip next one will take over
road #
 ip addr show scope global dev eth0 | grep -v valid_lft
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default
    link/ether 12:00:00:ab:cd:02 brd ff:ff:ff:ff:ff:ff
    inet 192.1.3.209/24 brd 192.1.3.255 scope global eth0
road #
 # delete the routes down to simulate WiFi link down.
road #
 ip route del default
road #
 ip route del 192.1.33.0/24
RTNETLINK answers: No such process
road #
 ifdown eth0
road #
 sed -i '/IPADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 sed -i '/GATEWAY/d' /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 echo "IPADDR=192.1.33.222" >> /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 echo "GATEWAY=192.1.33.254" >> /etc/sysconfig/network-scripts/ifcfg-eth0
road #
 sleep 2
road #
 # the client is still on the dev lo.
road #
 # would the traffic leak in plain
road #
 ip addr show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
road #
 # let libreswan detect change and initiate MOBIKE update
road #
 ifup eth0
road #
 sleep 10
road #
 # ip addr show scope global dev eth0 | grep -v -E '(valid_lft|ether|noqueue)'
road #
 ip addr show scope global dev eth0 | grep -v valid_lft
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default
    link/ether 12:00:00:ab:cd:02 brd ff:ff:ff:ff:ff:ff
    inet 192.1.33.222/24 brd 192.1.33.255 scope global eth0
road #
 # MOBIKE ping should work
road #
 ping -W 8 -q -n -c 8 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
8 packets transmitted, 0 received, 100% packet loss, time XXXX
road #
 # "ip xfrm" output this end should be 192.1.33.222
road #
 echo done
done
road #
 ip xfrm state
src 192.1.2.23 dst 192.1.33.222
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	enc cbc(aes) 0xENCKEY
src 192.1.33.222 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	enc cbc(aes) 0xENCKEY
road #
 ipsec whack --trafficstatus
006 #2: "road-eastnet"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=672, id='192.1.2.23', lease=192.0.3.10/32
road #
road #
 ../bin/check-for-core.sh
road #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

