/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # adding some routes to sow confusion on purpose
west #
 ip route add 192.168.1.1 via 192.0.1.254 dev eth0
west #
 ip route add 192.168.1.2 via 192.1.2.45 dev eth1
west #
 ip route add 192.168.1.16/28 via 192.1.2.45 dev eth1
west #
 ip route add 25.1.0.0/16 via 192.0.1.254
west #
 ip route add 25.2.0.0/16 via 192.1.2.45
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add westnet-all
002 added connection description "westnet-all"
west #
 ip route list
default via 192.1.2.254 dev eth1
25.1.0.0/16 via 192.0.1.254 dev eth0
25.2.0.0/16 via 192.1.2.45 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
192.168.1.1 via 192.0.1.254 dev eth0
192.168.1.2 via 192.1.2.45 dev eth1
192.168.1.16/28 via 192.1.2.45 dev eth1
west #
 for i in `seq 1 12`; do ipsec auto --add orient$i; done
002 added connection description "orient1"
002 added connection description "orient2"
002 added connection description "orient3"
002 added connection description "orient4"
002 added connection description "orient5"
002 added connection description "orient6"
002 added connection description "orient7"
002 added connection description "orient8"
002 added connection description "orient9"
002 added connection description "orient10"
002 added connection description "orient11"
002 added connection description "orient12"
west #
 ipsec auto --status |grep orient |grep "eroute owner"
000 "orient1": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient10": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient11": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient12": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient2": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient3": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient4": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0
000 "orient5": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient6": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient7": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient8": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
000 "orient9": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0
west #
 ipsec whack --impair suppress-retransmits
west #
 echo "initdone"
initdone
west #
 ipsec auto --up  westnet-all
002 "westnet-all" #1: initiating Main Mode
1v1 "westnet-all" #1: STATE_MAIN_I1: initiate
1v1 "westnet-all" #1: STATE_MAIN_I2: sent MI2, expecting MR2
1v1 "westnet-all" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "westnet-all" #1: Peer ID is ID_FQDN: '@east'
003 "westnet-all" #1: Authenticated using RSA
004 "westnet-all" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "westnet-all" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO
1v1 "westnet-all" #2: STATE_QUICK_I1: initiate
004 "westnet-all" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 ipsec trafficstatus
006 #2: "westnet-all", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
west #
 ip route list
default via 192.1.2.254 dev eth1
25.1.0.0/16 via 192.0.1.254 dev eth0
25.2.0.0/16 via 192.1.2.45 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
192.168.1.1 via 192.0.1.254 dev eth0
192.168.1.2 via 192.1.2.45 dev eth1
192.168.1.16/28 via 192.1.2.45 dev eth1
west #
 # testing re-orienting
west #
 ipsec auto --replace westnet-all
002 "westnet-all": terminating SAs using this connection
002 "westnet-all" #2: deleting state (STATE_QUICK_I2) and sending notification
005 "westnet-all" #2: ESP traffic information: in=336B out=336B
002 "westnet-all" #1: deleting state (STATE_MAIN_I4) and sending notification
002 added connection description "westnet-all"
west #
 ipsec auto --status |grep westnet
000 "westnet-all": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===0.0.0.0/0; unrouted; eroute owner: #0
000 "westnet-all":     oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-all":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
000 "westnet-all":   our auth:rsasig, their auth:rsasig
000 "westnet-all":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-all":   labeled_ipsec:no;
000 "westnet-all":   policy_label:unset;
000 "westnet-all":   ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-all":   retransmit-interval: 9999ms; retransmit-timeout: 99s;
000 "westnet-all":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-all":   policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-all":   conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-all":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-all":   our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east
000 "westnet-all":   dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-all":   newest ISAKMP SA: #0; newest IPsec SA: #0;
west #
 echo done
done
west #
 ../../pluto/bin/ipsec-look.sh
west NOW
XFRM state:
XFRM policy:
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
25.1.0.0/16 via 192.0.1.254 dev eth0
25.2.0.0/16 via 192.1.2.45 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
192.168.1.1 via 192.0.1.254 dev eth0
192.168.1.2 via 192.1.2.45 dev eth1
192.168.1.16/28 via 192.1.2.45 dev eth1
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 ../../pluto/bin/xfrmcheck.sh
west #
west #
 ipsec whack --shutdown
002 shutting down
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi