/testing/guestbin/swan-prep kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # confirm that the network is alive kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 destination -I 192.0.1.254 192.0.2.254 is alive kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ensure that clear text does not get through kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # confirm clear text does not get through kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254 ==== cut ==== ping -q -n -c 1 -i 2 -w 1 -I 192.0.1.254 192.0.2.254 ==== tuc ==== ==== cut ==== PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. --- 192.0.2.254 ping statistics --- 1 packets transmitted, 0 received, 100% packet loss, time 0ms ==== tuc ==== down kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec start Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. 
Redirecting to: /etc/init.d/ipsec start Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Error: Peer netns reference is invalid. Starting pluto IKE daemon for IPsec: kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# /testing/pluto/bin/wait-until-pluto-started kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --add westnet-eastnet-compress 002 added connection description "westnet-eastnet-compress" kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --status | grep westnet-eastnet-compress 000 "westnet-eastnet-compress": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; unrouted; eroute owner: #0 000 "westnet-eastnet-compress": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "westnet-eastnet-compress": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "westnet-eastnet-compress": our auth:rsasig, their auth:rsasig 000 "westnet-eastnet-compress": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "westnet-eastnet-compress": labeled_ipsec:no; 000 "westnet-eastnet-compress": policy_label:unset; 000 "westnet-eastnet-compress": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "westnet-eastnet-compress": retransmit-interval: 500ms; retransmit-timeout: 60s; 000 "westnet-eastnet-compress": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 
"westnet-eastnet-compress": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "westnet-eastnet-compress": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "westnet-eastnet-compress": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "westnet-eastnet-compress": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east 000 "westnet-eastnet-compress": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "westnet-eastnet-compress": newest ISAKMP SA: #0; newest IPsec SA: #0; kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# echo "initdone" initdone kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --up westnet-eastnet-compress 002 "westnet-eastnet-compress" #1: initiating Main Mode 102 "westnet-eastnet-compress" #1: STATE_MAIN_I1: initiate 104 "westnet-eastnet-compress" #1: STATE_MAIN_I2: sent MI2, expecting MR2 106 "westnet-eastnet-compress" #1: STATE_MAIN_I3: sent MI3, expecting MR3 002 "westnet-eastnet-compress" #1: Peer ID is ID_FQDN: '@east' 003 "westnet-eastnet-compress" #1: Authenticated using RSA 004 "westnet-eastnet-compress" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} 002 "westnet-eastnet-compress" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:ac8457b8 proposal=defaults pfsgroup=MODP2048} 115 "westnet-eastnet-compress" #2: STATE_QUICK_I1: initiate 004 "westnet-eastnet-compress" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xd2c87e41 <0x98847a9d xfrm=AES_CBC_128-HMAC_SHA1_96 IPCOMP=>0x0000df40 <0x00007d56 NATOA=none NATD=none DPD=passive} 
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # this ping won't be compressed kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.089 ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.082 ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.100 ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.109 ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 67ms rtt min/avg/max/mdev = 0.082/0.095/0.109/0.010 ms kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # test compression via large pings that can be compressed on IPCOMP SA kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ping -n -c 4 -s 8184 -p ff -I 192.0.1.254 192.0.2.254 PATTERN: 0xff PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 8184(8212) bytes of data. 
8192 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.480 ms 8192 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.457 ms 8192 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.434 ms 8192 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.283 ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time 77ms rtt min/avg/max/mdev = 0.283/0.413/0.480/0.079 ms kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec whack --trafficstatus 006 #2: "westnet-eastnet-compress", type=ESP, add_time=0, inBytes=658, outBytes=662, id='@east' kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/ipsec-look.sh ==== cut ==== start raw xfrm state: src 192.0.1.0/24 dst 192.0.2.0/24 \ dir out priority 1042407 ptype main \ tmpl src 192.1.2.45 dst 192.1.2.23\ proto comp reqid 16390 mode tunnel\ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\ src 192.0.2.0/24 dst 192.0.1.0/24 \ dir fwd priority 1042407 ptype main \ tmpl src 192.1.2.23 dst 192.1.2.45\ proto comp reqid 16390 mode tunnel\ level use \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\ src 192.0.2.0/24 dst 192.0.1.0/24 \ dir in priority 1042407 ptype main \ tmpl src 192.1.2.23 dst 192.1.2.45\ proto comp reqid 16390 mode tunnel\ level use \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket 
out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ end raw xfrm state: ==== tuc ==== west Mon Aug 26 13:27:55 UTC 2019 XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0x98847a9d reqid 16389 mode transport replay-window 32 auth-trunc hmac(sha1) 0x4a61a308af5edc3dbadfc2bd4df25962159c441f 96 enc cbc(aes) 0x044522d72e12b060a5337334d41bb5de anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff sel src 0.0.0.0/0 dst 0.0.0.0/0 src 192.1.2.23 dst 192.1.2.45 proto comp spi 0x00007d56 reqid 16390 mode tunnel replay-window 0 flag af-unspec comp deflate anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 src 192.1.2.23 dst 192.1.2.45 proto 4 spi 0xc0010217 reqid 0 mode tunnel replay-window 0 flag af-unspec anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xd2c87e41 reqid 16389 mode transport replay-window 32 auth-trunc hmac(sha1) 0xc156f1e1750cdb584562acd43b1f299f8d2cd931 96 enc cbc(aes) 0xf42568a3d90ee7a45a4435c3729c433b anti-replay context: seq 0x0, oseq 0x8, bitmap 0x00000000 sel src 0.0.0.0/0 dst 0.0.0.0/0 src 192.1.2.45 dst 192.1.2.23 proto comp spi 0x0000df40 reqid 16390 mode tunnel replay-window 0 flag af-unspec comp deflate anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 src 192.1.2.45 dst 192.1.2.23 proto 4 spi 0xc001022d reqid 0 mode tunnel replay-window 0 flag af-unspec anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000 XFRM policy: src 192.0.1.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto comp reqid 16390 mode tunnel tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 16389 mode transport src 192.0.2.0/24 dst 192.0.1.0/24 dir fwd priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto comp reqid 16390 mode tunnel level use tmpl src 0.0.0.0 dst 0.0.0.0 
proto esp reqid 16389 mode transport src 192.0.2.0/24 dst 192.0.1.0/24 dir in priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto comp reqid 16390 mode tunnel level use tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 16389 mode transport XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --down westnet-eastnet-compress 002 "westnet-eastnet-compress": terminating SAs using this connection 002 "westnet-eastnet-compress" #2: deleting state (STATE_QUICK_I2) aged 6.753s and sending notification 005 "westnet-eastnet-compress" #2: ESP traffic information: in=658B out=662B 005 "westnet-eastnet-compress" #2: IPCOMP traffic information: in=0B out=0B 002 "westnet-eastnet-compress" #1: deleting state (STATE_MAIN_I4) aged 6.775s and sending notification kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# echo done done kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/ipsec-look.sh ==== cut ==== start raw xfrm state: src 192.0.1.0/24 dst 192.0.2.0/24 \ dir out priority 1042407 ptype main \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 0 mode transport\ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 
\ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \ src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \ end raw xfrm state: ==== tuc ==== west Mon Aug 26 13:27:56 UTC 2019 XFRM state: XFRM policy: src 192.0.1.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid 0 mode transport XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ==== cut ==== kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --status | grep westnet-eastnet-compress 000 "westnet-eastnet-compress": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; prospective erouted; eroute owner: #0 000 "westnet-eastnet-compress": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "westnet-eastnet-compress": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "westnet-eastnet-compress": our auth:rsasig, their auth:rsasig 000 "westnet-eastnet-compress": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "westnet-eastnet-compress": labeled_ipsec:no; 000 "westnet-eastnet-compress": policy_label:unset; 000 "westnet-eastnet-compress": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; 
keyingtries: 0; 000 "westnet-eastnet-compress": retransmit-interval: 500ms; retransmit-timeout: 60s; 000 "westnet-eastnet-compress": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "westnet-eastnet-compress": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "westnet-eastnet-compress": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "westnet-eastnet-compress": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "westnet-eastnet-compress": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east 000 "westnet-eastnet-compress": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "westnet-eastnet-compress": newest ISAKMP SA: #0; newest IPsec SA: #0; kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ==== tuc ==== kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../bin/check-for-core.sh kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi type=AVC msg=audit(1566826076.697:229408): avc: denied { write } for pid=25179 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=1016641018 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1 kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ==== end ==== kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]#