/testing/guestbin/swan-prep --x509 Preparing X.509 files north # certutil -D -n road -d sql:/etc/ipsec.d north # certutil -D -n north -d sql:/etc/ipsec.d north # certutil -D -n east -d sql:/etc/ipsec.d north # cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf north # cp policies/* /etc/ipsec.d/policies/ north # echo "192.1.2.0/24" >> /etc/ipsec.d/policies/private-or-clear north # restorecon -R /etc/ipsec.d north # ipsec start Redirecting to: [initsystem] north # /testing/pluto/bin/wait-until-pluto-started north # ipsec whack --impair suppress-retransmits north # # ensure for tests acquires expire before our failureshunt=2m north # echo 30 > /proc/sys/net/core/xfrm_acq_expires north # # give OE policies time to load north # sleep 5 north # # one packet, which gets eaten by XFRM, so east does not initiate north # ping -n -c 1 -I 192.1.3.33 192.1.2.23 PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data. --- 192.1.2.23 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time XXXX north # # wait on OE IKE negotiation north # sleep 1 north # ping -n -c 2 -I 192.1.3.33 192.1.2.23 PING 192.1.2.23 (192.1.2.23) from 192.1.3.33 : 56(84) bytes of data. --- 192.1.2.23 ping statistics --- 2 packets transmitted, 0 received, 100% packet loss, time XXXX north # # ping should succeed through tunnel north # # should show established tunnel and no bare shunts north # ipsec whack --trafficstatus north # ipsec whack --shuntstatus 000 Bare Shunt list: 000 north # ../../pluto/bin/ipsec-look.sh north NOW XFRM state: src 192.1.2.23 dst 192.1.3.33 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 sel src 192.1.2.23/32 dst 192.1.3.33/32 src 192.1.3.33 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode transport replay-window 0 sel src 192.1.3.33/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth1 XFRM policy: src 192.1.2.253/32 dst 192.1.3.33/32 dir fwd priority 1564639 ptype main src 192.1.2.253/32 dst 192.1.3.33/32 dir in priority 1564639 ptype main src 192.1.3.253/32 dst 192.1.3.33/32 dir fwd priority 1564639 ptype main src 192.1.3.253/32 dst 192.1.3.33/32 dir in priority 1564639 ptype main src 192.1.3.254/32 dst 192.1.3.33/32 dir fwd priority 1564639 ptype main src 192.1.3.254/32 dst 192.1.3.33/32 dir in priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.2.253/32 dir out priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.3.253/32 dir out priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.3.254/32 dir out priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.2.0/24 dir out priority 1564647 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid REQID mode transport src 192.1.3.33/32 dst 192.1.2.23/32 dir out priority 1564647 ptype main XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.3.254 dev eth1 192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254 192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Libreswan test CA for mainca - Libreswan CT,, east-ec P,, hashsha1 P,, nic P,, west P,, west-ec P,, north # iptables -t nat -L -n Chain PREROUTING (policy ACCEPT) target prot opt source destination Chain INPUT (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination Chain POSTROUTING (policy ACCEPT) target prot opt source destination north # echo done done north # echo "initdone" initdone north # # A tunnel should have established with non-zero byte counters north # ping -n -c 4 192.1.2.23 PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data. --- 192.1.2.23 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time XXXX north # # jacob two two for east? north # ipsec whack --trafficstatus north # ipsec whack --trafficstatus north # ../../pluto/bin/ipsec-look.sh | sed "s/\(.\)port [0-9][0-9][0-9][0-9] /\1port XXXX /g" north NOW XFRM state: src 192.1.3.33 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode transport replay-window 0 sel src 192.1.3.33/32 dst 192.1.2.23/32 proto udp sport SPORT dport XXXX dev eth1 src 192.1.2.23 dst 192.1.3.33 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 sel src 192.1.2.23/32 dst 192.1.3.33/32 XFRM policy: src 192.1.2.253/32 dst 192.1.3.33/32 dir fwd priority 1564639 ptype main src 192.1.2.253/32 dst 192.1.3.33/32 dir in priority 1564639 ptype main src 192.1.3.253/32 dst 192.1.3.33/32 dir fwd priority 1564639 ptype main src 192.1.3.253/32 dst 192.1.3.33/32 dir in priority 1564639 ptype main src 192.1.3.254/32 dst 192.1.3.33/32 dir fwd priority 1564639 ptype main src 192.1.3.254/32 dst 192.1.3.33/32 dir in priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.2.253/32 dir out priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.3.253/32 dir out priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.3.254/32 dir out priority 1564639 ptype main src 192.1.3.33/32 dst 192.1.2.0/24 dir out priority 1564647 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid REQID mode transport src 192.1.3.33/32 dst 192.1.2.23/32 dir out priority 1564647 ptype main XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.3.254 dev eth1 192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254 192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Libreswan test CA for mainca - Libreswan CT,, east-ec P,, hashsha1 P,, nic P,, west P,, west-ec P,, north # # you should see both RSA and NULL north # grep IKEv2_AUTH_ /tmp/pluto.log | auth method: IKEv2_AUTH_NULL (0xd) | auth method: IKEv2_AUTH_RSA (0x1) | auth method: IKEv2_AUTH_NULL (0xd) | auth method: IKEv2_AUTH_RSA (0x1) north # north # ../bin/check-for-core.sh north # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi