/testing/guestbin/swan-prep --userland strongswan
north #
 # delete the address .34 before re-run. otherwise strongswan may choose .34
north #
 ../../guestbin/ip.sh address show dev eth1 | grep 192.1.3.34 && ../../guestbin/ip.sh address del 192.1.3.34/24 dev eth1
north #
 # add .33 in case re-run
north #
 ../../guestbin/ip.sh address show dev eth1 | grep 192.1.3.33 || ../../guestbin/ip.sh address add 192.1.3.33/24 dev eth1
    inet 192.1.3.33/24 scope global eth1
north #
 # add default gw, it could have been deleted due address changes
north #
 ../../guestbin/ip.sh route | grep default || ip route add default via 192.1.3.254
default via 192.1.3.254 dev eth1
north #
 ../../guestbin/ip.sh address add 192.1.3.34/24 dev eth1
north #
 ../../guestbin/strongswan-start.sh
north #
 echo "initdone"
initdone
north #
 strongswan up westnet-eastnet-ikev2
initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.1.3.33[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.3.33[500] (XXX bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
authentication of 'north' (myself) with pre-shared key
establishing CHILD_SA westnet-eastnet-ikev2{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.1.3.33[4500] to 192.1.2.23[4500] (XXX bytes)
received packet: from 192.1.2.23[4500] to 192.1.3.33[4500] (XXX bytes)
parsed IKE_AUTH response 1 [ N(MOBIKE_SUP) IDr AUTH SA TSi TSr ]
authentication of 'east' with pre-shared key successful
peer supports MOBIKE
IKE_SA westnet-eastnet-ikev2[1] established between 192.1.3.33[north]...192.1.2.23[east]
scheduling reauthentication in XXXs
maximum IKE_SA lifetime XXXs
selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
CHILD_SA westnet-eastnet-ikev2{1} established with SPIs SPISPI_i SPISPI_o and TS 192.0.3.0/24 === 192.0.2.0/24
connection 'westnet-eastnet-ikev2' established successfully
north #
 ../../guestbin/ping-once.sh --up -I 192.0.3.254 192.0.2.254
up
north #
 strongswan status
Shunted Connections:
Bypass LAN 192.0.3.0/24:  192.0.3.0/24 === 192.0.3.0/24 PASS
Bypass LAN 192.1.3.0/24:  192.1.3.0/24 === 192.1.3.0/24 PASS
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.3.33[north]...192.1.2.23[east]
westnet-eastnet-ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
westnet-eastnet-ikev2{1}:   192.0.3.0/24 === 192.0.2.0/24
north #
 # note this end is 192.1.3.33
north #
 ../../guestbin/ipsec-kernel-state.sh
src 192.1.3.33 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.3.33
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
north #
 ip xfrm policy
src 192.0.3.0/24 dst 192.0.2.0/24 
	dir out priority PRIORITY ptype main 
	tmpl src 192.1.3.33 dst 192.1.2.23
		proto esp spi 0xSPISPI reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.3.0/24 
	dir fwd priority PRIORITY ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.33
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.3.0/24 
	dir in priority PRIORITY ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.33
		proto esp reqid REQID mode tunnel
src 192.1.3.0/24 dst 192.1.3.0/24 
	dir fwd priority PRIORITY ptype main 
src 192.1.3.0/24 dst 192.1.3.0/24 
	dir in priority PRIORITY ptype main 
src 192.1.3.0/24 dst 192.1.3.0/24 
	dir out priority PRIORITY ptype main 
src 192.0.3.0/24 dst 192.0.3.0/24 
	dir fwd priority PRIORITY ptype main 
src 192.0.3.0/24 dst 192.0.3.0/24 
	dir in priority PRIORITY ptype main 
src 192.0.3.0/24 dst 192.0.3.0/24 
	dir out priority PRIORITY ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
src ::/0 dst ::/0 
	socket in priority 0 ptype main 
src ::/0 dst ::/0 
	socket out priority 0 ptype main 
north #
 sleep 5
north #
 # remove this end ip next one will take over
north #
 ../../guestbin/ip.sh address del 192.1.3.33/24 dev eth1
north #
 # let strongswan do a MOBIKE update
north #
 sleep 10
north #
 # both ends updated MOBIKE ping should work
north #
 # note this end should be 192.1.3.34
north #
 strongswan status
Shunted Connections:
Bypass LAN 192.0.3.0/24:  192.0.3.0/24 === 192.0.3.0/24 PASS
Bypass LAN 192.1.3.0/24:  192.1.3.0/24 === 192.1.3.0/24 PASS
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.3.34[north]...192.1.2.23[east]
westnet-eastnet-ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
westnet-eastnet-ikev2{1}:   192.0.3.0/24 === 192.0.2.0/24
north #
 ../../guestbin/ping-once.sh --up -I 192.0.3.254 192.0.2.254
up
north #
 echo done
done
north #
 ../../guestbin/ipsec-kernel-state.sh
src 192.1.3.34 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.3.34
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
north #
 ../../guestbin/ipsec-kernel-policy.sh
src 192.0.3.0/24 dst 192.0.3.0/24
	dir fwd priority PRIORITY ptype main
src 192.0.3.0/24 dst 192.0.3.0/24
	dir in priority PRIORITY ptype main
src 192.0.3.0/24 dst 192.0.3.0/24
	dir out priority PRIORITY ptype main
src 192.1.3.0/24 dst 192.1.3.0/24
	dir fwd priority PRIORITY ptype main
src 192.1.3.0/24 dst 192.1.3.0/24
	dir in priority PRIORITY ptype main
src 192.1.3.0/24 dst 192.1.3.0/24
	dir out priority PRIORITY ptype main
src 192.0.2.0/24 dst 192.0.3.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.34
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.3.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.34
		proto esp reqid REQID mode tunnel
src 192.0.3.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.34 dst 192.1.2.23
		proto esp spi 0xSPISPI reqid REQID mode tunnel
north #
 if [ -f /var/run/pluto/pluto.pid ]; then ipsec whack --trafficstatus ; fi
north #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
Shunted Connections:
Bypass LAN 192.0.3.0/24:  192.0.3.0/24 === 192.0.3.0/24 PASS
Bypass LAN 192.1.3.0/24:  192.1.3.0/24 === 192.1.3.0/24 PASS
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.3.34[north]...192.1.2.23[east]
westnet-eastnet-ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
westnet-eastnet-ikev2{1}:   192.0.3.0/24 === 192.0.2.0/24
north #
 
