/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 echo "initdone"
initdone
west #
 ../../guestbin/libreswan-up-down.sh ah=md5 -I 192.0.1.254 192.0.2.254
002 "ah=md5": added IKEv2 connection
1v2 "ah=md5" #1: initiating IKEv2 connection
1v2 "ah=md5" #1: sent IKE_SA_INIT request
1v2 "ah=md5" #1: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
003 "ah=md5" #1: established IKE SA; authenticated using authby=secret and peer ID_FQDN '@east'
004 "ah=md5" #2: established Child SA using #1; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_MD5_96 DPD=passive}
up
002 "ah=md5": terminating SAs using this connection
002 "ah=md5" #1: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
005 "ah=md5" #2: AH traffic information: in=84B out=84B
002 "ah=md5": terminating SAs using this connection
west #
 ../../guestbin/libreswan-up-down.sh ah=sha1 -I 192.0.1.254 192.0.2.254
002 "ah=sha1": added IKEv2 connection
1v2 "ah=sha1" #3: initiating IKEv2 connection
1v2 "ah=sha1" #3: sent IKE_SA_INIT request
1v2 "ah=sha1" #3: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
003 "ah=sha1" #3: established IKE SA; authenticated using authby=secret and peer ID_FQDN '@east'
004 "ah=sha1" #4: established Child SA using #3; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
up
002 "ah=sha1": terminating SAs using this connection
002 "ah=sha1" #3: deleting state (STATE_V2_ESTABLISHED_IKE_SA) and sending notification
005 "ah=sha1" #4: AH traffic information: in=84B out=84B
002 "ah=sha1": terminating SAs using this connection
west #
 # Test rekey
west #
 ipsec auto --add ah=sha1
002 "ah=sha1": added IKEv2 connection
west #
 ipsec auto --up ah=sha1
1v2 "ah=sha1" #5: initiating IKEv2 connection
1v2 "ah=sha1" #5: sent IKE_SA_INIT request
1v2 "ah=sha1" #5: sent IKE_AUTH request {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}
003 "ah=sha1" #5: established IKE SA; authenticated using authby=secret and peer ID_FQDN '@east'
004 "ah=sha1" #6: established Child SA using #5; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
west #
 ping -n -q -c 2 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
--- 192.0.2.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 sleep 1
west #
 ipsec auto --up ah=sha1
002 "ah=sha1" #7: initiating Child SA using IKE SA #5
1v2 "ah=sha1" #7: sent CREATE_CHILD_SA request for new IPsec SA
004 "ah=sha1" #7: established Child SA using #5; IPsec tunnel [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
west #
 sleep 1
west #
 ping -n -q -c 2 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
--- 192.0.2.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # since bofh AH tunnels are still there, check if they all got traffic, meaning new ones was used
west #
 # use weird spacing to avoid sanitizer
west #
 ip xfrm     s | grep anti-replay
	anti-replay esn context:
	anti-replay esn context:
	anti-replay esn context:
	anti-replay esn context:
west #
 echo done
done
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-look.sh ; fi
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.45 dst 192.1.2.23
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.23 dst 192.1.2.45
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.45 dst 192.1.2.23
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto ah reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan statusall ; fi
west #
 
