--- west.console.txt 1970-01-01 00:00:00.000000000 +0000 +++ OUTPUT/west.console.txt 2019-08-26 13:21:39.835318171 +0000 @@ -0,0 +1,76 @@ +/testing/guestbin/swan-prep --x509 --x509name east +Preparing X.509 files +west # + # confirm that the network is alive +west # + ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 +destination -I 192.0.1.254 192.0.2.254 is alive +west # + # ensure that clear text does not get through +west # + iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP +west # + iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT +west # + # confirm clear text does not get through +west # + ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254 +down +west # + ipsec start +Redirecting to: [initsystem] +west # + /testing/pluto/bin/wait-until-pluto-started +west # + ipsec auto --add westnet-eastnet-ikev2 +002 added connection description "westnet-eastnet-ikev2" +west # + ipsec auto --status | grep westnet-eastnet-ikev2 +000 "westnet-eastnet-ikev2": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org]===192.0.2.0/24; unrouted; eroute owner: #0 +000 "westnet-eastnet-ikev2": oriented; my_ip=unset; their_ip=unset; hiscert=east; my_updown=ipsec _updown; +000 "westnet-eastnet-ikev2": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] +000 "westnet-eastnet-ikev2": our auth:rsasig, their auth:rsasig +000 "westnet-eastnet-ikev2": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; +000 "westnet-eastnet-ikev2": labeled_ipsec:no; +000 "westnet-eastnet-ikev2": policy_label:unset; +000 "westnet-eastnet-ikev2": CAs: '%any'...'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' +000 "westnet-eastnet-ikev2": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; +000 "westnet-eastnet-ikev2": retransmit-interval: 9999ms; retransmit-timeout: 99s; +000 "westnet-eastnet-ikev2": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; +000 "westnet-eastnet-ikev2": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; +000 "westnet-eastnet-ikev2": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; +000 "westnet-eastnet-ikev2": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; +000 "westnet-eastnet-ikev2": our idtype: ID_FQDN; our id=@west; their idtype: ID_DER_ASN1_DN; their id=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org +000 "westnet-eastnet-ikev2": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both +000 "westnet-eastnet-ikev2": newest ISAKMP SA: #0; newest IPsec SA: #0; +west # + echo "initdone" +initdone +west # + ipsec auto --up westnet-eastnet-ikev2 +002 "westnet-eastnet-ikev2" #1: initiating v2 parent SA +1v2 "westnet-eastnet-ikev2" #1: initiate +1v2 "westnet-eastnet-ikev2" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 +1v2 "westnet-eastnet-ikev2" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} +002 "westnet-eastnet-ikev2" #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED +000 "westnet-eastnet-ikev2" #2: scheduling retry attempt 1 of an unlimited number, but releasing whack +west # + ping -n -c 4 -I 192.0.1.254 192.0.2.254 +PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. +--- 192.0.2.254 ping statistics --- +4 packets transmitted, 0 received, 100% packet loss, time XXXX +west # + ipsec whack --trafficstatus +west # + echo done +done +west # + grep IKEv2_AUTH_ OUTPUT/*pluto.log +OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +OUTPUT/west.pluto.log:| auth method: IKEv2_AUTH_RSA (0x1) +west # +west # + ../bin/check-for-core.sh +west # + if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi +