/testing/guestbin/swan-prep west # # confirm that the network is alive west # ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 destination -I 192.0.1.254 192.0.2.254 is alive west # # ensure that clear text does not get through west # iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP west # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT west # # confirm clear text does not get through west # ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254 down west # ipsec start Redirecting to: [initsystem] west # /testing/pluto/bin/wait-until-pluto-started west # ipsec auto --add westnet-eastnet-aggr 002 added connection description "westnet-eastnet-aggr" west # ipsec auto --status | grep westnet-eastnet-aggr 000 "westnet-eastnet-aggr": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; unrouted; eroute owner: #0 000 "westnet-eastnet-aggr": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "westnet-eastnet-aggr": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "westnet-eastnet-aggr": our auth:secret, their auth:secret 000 "westnet-eastnet-aggr": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "westnet-eastnet-aggr": labeled_ipsec:no; 000 "westnet-eastnet-aggr": policy_label:unset; 000 "westnet-eastnet-aggr": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "westnet-eastnet-aggr": retransmit-interval: 9999ms; retransmit-timeout: 99s; 000 "westnet-eastnet-aggr": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "westnet-eastnet-aggr": policy: PSK+ENCRYPT+TUNNEL+PFS+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "westnet-eastnet-aggr": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "westnet-eastnet-aggr": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "westnet-eastnet-aggr": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east 000 "westnet-eastnet-aggr": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "westnet-eastnet-aggr": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "westnet-eastnet-aggr": IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP1536 west # echo "initdone" initdone west # ipsec auto --up westnet-eastnet-aggr 003 "westnet-eastnet-aggr": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's 002 "westnet-eastnet-aggr" #1: initiating Aggressive Mode 1v1 "westnet-eastnet-aggr" #1: STATE_AGGR_I1: initiate 002 "westnet-eastnet-aggr" #1: Peer ID is ID_FQDN: '@east' 002 "westnet-eastnet-aggr" #1: Peer ID is ID_FQDN: '@east' 004 "westnet-eastnet-aggr" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} 002 "westnet-eastnet-aggr" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 1v1 "westnet-eastnet-aggr" #2: STATE_QUICK_I1: initiate 004 "westnet-eastnet-aggr" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive} west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms west # ipsec whack --trafficstatus 006 #2: "westnet-eastnet-aggr", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east' west # echo done done west # ../../pluto/bin/ipsec-look.sh west NOW XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY XFRM policy: src 192.0.1.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid REQID mode tunnel src 192.0.2.0/24 dst 192.0.1.0/24 dir fwd priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid REQID mode tunnel src 192.0.2.0/24 dst 192.0.1.0/24 dir in priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid REQID mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI west # west # ../bin/check-for-core.sh west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi