/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
 ipsec certutil -D -n east
road #
 cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.23/32"  >> /etc/ipsec.d/policies/private-or-clear
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 10,' -- ipsec auto --status
Total IPsec connections: loaded 10, active 0
road #
 echo "initdone"
initdone
road #
 # trigger OE; wait on OE to install %pass due to east not running ipsec
road #
 # should show no tunnels and a bare shunt
road #
 ../../guestbin/ping-once.sh --forget -I 192.1.3.209 192.1.2.23
fired and forgotten
road #
 ../../guestbin/wait-for.sh --match oe-failing -- ipsec shuntstatus
192.1.3.209/32 -0-> 192.1.2.23/32 => %pass    oe-failing
road #
 ipsec trafficstatus
road #
 # verify xfrm policy got added for %pass
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0
XFRM policy:
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,,
east-ec                                                      P,,
hashsha1                                                     P,,
nic                                                          P,,
north                                                        P,,
road                                                         u,u,u
west                                                         P,,
west-ec                                                      P,,
road #
 echo "waiting on east to start ipsec and OE initiate to us"
waiting on east to start ipsec and OE initiate to us
road #
 # OE has been triggered.
road #
 # there should be no %pass shunts on either side and an active tunnel
road #
 ipsec trafficstatus
#3: "private-or-clear#192.1.2.23/32"[2] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=252, outBytes=252, maxBytes=2^63B, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
road #
 ipsec shuntstatus
Bare Shunt list:
000
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0
XFRM policy:
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,,
east-ec                                                      P,,
hashsha1                                                     P,,
nic                                                          P,,
north                                                        P,,
road                                                         u,u,u
west                                                         P,,
west-ec                                                      P,,
road #
 # letting 60s shunt expire
road #
 ../../guestbin/wait-for.sh --no-match ' spi 0x00000000 ' -- ../../guestbin/ipsec-kernel-state.sh
road #
 # we should have 1 or 2 tunnels, no shunts
road #
 ipsec trafficstatus
#3: "private-or-clear#192.1.2.23/32"[2] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=252, outBytes=252, maxBytes=2^63B, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
road #
 ipsec shuntstatus
Bare Shunt list:
000
road #
 # we should see one of each in/fwd/out (confirming %pass shunt delete didn't take out dir out tunnel policy
road #
 ip xfrm policy
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0 ptype main
road #
 # nic blocks cleartext, so confirm tunnel is working
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ipsec trafficstatus
#3: "private-or-clear#192.1.2.23/32"[2] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=588, outBytes=588, maxBytes=2^63B, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'

