/testing/guestbin/swan-prep east # ipsec start Redirecting to: [initsystem] east # /testing/pluto/bin/wait-until-pluto-started east # ipsec auto --add northnet-eastnet 002 added connection description "northnet-eastnet/0x1" 002 added connection description "northnet-eastnet/0x2" east # ipsec auto --status | grep northnet-eastnet 000 "northnet-eastnet/0x1": 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24; unrouted; eroute owner: #0 000 "northnet-eastnet/0x1": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "northnet-eastnet/0x1": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "northnet-eastnet/0x1": our auth:secret, their auth:secret 000 "northnet-eastnet/0x1": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "northnet-eastnet/0x1": labeled_ipsec:no; 000 "northnet-eastnet/0x1": policy_label:unset; 000 "northnet-eastnet/0x1": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "northnet-eastnet/0x1": retransmit-interval: 9999ms; retransmit-timeout: 99s; 000 "northnet-eastnet/0x1": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "northnet-eastnet/0x1": policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "northnet-eastnet/0x1": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "northnet-eastnet/0x1": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "northnet-eastnet/0x1": our idtype: ID_FQDN; our id=@east; their idtype: ID_FQDN; their id=@north 000 "northnet-eastnet/0x1": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "northnet-eastnet/0x1": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "northnet-eastnet/0x1": aliases: northnet-eastnet 000 "northnet-eastnet/0x2": 192.0.2.0/24===192.1.2.23<192.1.2.23>[@east]...192.1.3.33<192.1.3.33>[@north]===192.0.3.0/24; unrouted; eroute owner: #0 000 "northnet-eastnet/0x2": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "northnet-eastnet/0x2": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "northnet-eastnet/0x2": our auth:secret, their auth:secret 000 "northnet-eastnet/0x2": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "northnet-eastnet/0x2": labeled_ipsec:no; 000 "northnet-eastnet/0x2": policy_label:unset; 000 "northnet-eastnet/0x2": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "northnet-eastnet/0x2": retransmit-interval: 9999ms; retransmit-timeout: 99s; 000 "northnet-eastnet/0x2": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "northnet-eastnet/0x2": policy: PSK+ENCRYPT+TUNNEL+PFS+OVERLAPIP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "northnet-eastnet/0x2": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "northnet-eastnet/0x2": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "northnet-eastnet/0x2": our idtype: ID_FQDN; our id=@east; their idtype: ID_FQDN; their id=@north 000 "northnet-eastnet/0x2": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "northnet-eastnet/0x2": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "northnet-eastnet/0x2": aliases: northnet-eastnet east # ipsec whack --impair suppress-retransmits east # echo "initdone" initdone east # ipsec whack --trafficstatus 006 #2: "northnet-eastnet/0x2", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@north' 006 #3: "northnet-eastnet/0x2", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@north' east # # policies and state should be multiple east # ip xfrm state src 192.1.3.33 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.2.23 dst 192.1.3.33 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.3.33 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.2.23 dst 192.1.3.33 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 east # ip xfrm policy src 192.0.2.0/24 dst 192.0.3.0/24 dir out priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.3.33 src 192.0.3.0/24 dst 192.0.2.0/24 dir fwd priority 1042407 ptype main tmpl src 192.1.3.33 dst 192.1.2.23 src 192.0.3.0/24 dst 192.0.2.0/24 dir in priority 1042407 ptype main tmpl src 192.1.3.33 dst 192.1.2.23 east # east # ../bin/check-for-core.sh east # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi