/testing/guestbin/swan-prep north # # second address on north: 192.1.8.22, gateway 192.1.8.254 north # # delete the address 192.1.8.22 before a re-run; otherwise pluto may choose it as the source address. north # ip addr show dev eth1 | grep 192.1.8.22 && ip addr del 192.1.8.22/24 dev eth1 north # ip route show scope global | grep "192.1.8.254" && ip route del default via 192.1.8.254 north # # add 192.1.3.33 for a re-run north # ip addr show dev eth1 | grep 192.1.3.33 || ip addr add 192.1.3.33/24 dev eth1 inet 192.1.3.33/24 scope global eth1 north # # add the default gateway; it could have been deleted due to the address changes north # ip route | grep default || ip route add default via 192.1.3.254 default via 192.1.3.254 dev eth1 north # # routes and addresses are now set up for the test north # ipsec start Redirecting to: [initsystem] north # /testing/pluto/bin/wait-until-pluto-started north # ipsec auto --add northnet-eastnet 002 added connection description "northnet-eastnet" north # ipsec whack --impair suppress-retransmits north # echo "initdone" initdone north # ipsec auto --up northnet-eastnet 002 "northnet-eastnet" #1: initiating v2 parent SA 1v2 "northnet-eastnet" #1: initiate 1v2 "northnet-eastnet" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 1v2 "northnet-eastnet" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} 003 "northnet-eastnet" #2: Authenticated using authby=secret 002 "northnet-eastnet" #2: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] 004 "northnet-eastnet" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=none DPD=passive} north # ping -W 1 -q -n -c 2 -I 192.0.3.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.3.254 : 56(84) bytes of data. 
--- 192.0.2.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms north # ipsec whack --trafficstatus 006 #2: "northnet-eastnet", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23' north # # note: this end should still be 192.1.3.33 north # ip xfrm state src 192.1.2.23 dst 192.1.3.33 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY src 192.1.3.33 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY north # ip xfrm policy src 192.0.3.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main tmpl src 192.1.3.33 dst 192.1.2.23 src 192.0.2.0/24 dst 192.0.3.0/24 dir fwd priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.3.33 src 192.0.2.0/24 dst 192.0.3.0/24 dir in priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.3.33 north # sleep 5 north # # remove this end's IP address and its default route; the next address will take over north # ip addr del 192.1.3.33/24 dev eth1 north # ip route show scope global | grep 192.1.3.254 && ip route del default via 192.1.3.254 north # # add the new address and a new default route north # ip addr add 192.1.8.22/24 dev eth1 north # ip route show scope global | grep 192.1.8.254 || ip route add default via 192.1.8.254 north # # let libreswan detect the address change and perform a MOBIKE update north # sleep 8 north # # after the MOBIKE update the ping should still work north # # note: this end should now be 192.1.8.22 north # ping -W 1 -q -n -c 2 -I 192.0.3.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.3.254 : 56(84) bytes of data. 
--- 192.0.2.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms north # echo done done north # ipsec whack --trafficstatus 006 #2: "northnet-eastnet", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23' north # ../../pluto/bin/ipsec-look.sh north NOW XFRM state: src 192.1.2.23 dst 192.1.8.22 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY src 192.1.8.22 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY XFRM policy: src 192.0.2.0/24 dst 192.0.3.0/24 dir fwd priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.8.22 src 192.0.2.0/24 dst 192.0.3.0/24 dir in priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.8.22 src 192.0.3.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main tmpl src 192.1.8.22 dst 192.1.2.23 XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.8.254 dev eth1 192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254 192.1.8.0/24 dev eth1 proto kernel scope link src 192.1.8.22 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI north # north # ../bin/check-for-core.sh north # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi