/testing/guestbin/swan-prep north # # second address on north 192.1.8.22. nic gw 192.1.8.254 north # # delete the address 192.1.8.22 before re-run; otherwise pluto may choose it as the initial source address. north # ip addr show dev eth1 | grep 192.1.8.22 && ip addr del 192.1.8.22/24 dev eth1 north # ip route show scope global | grep "192.1.8.254" && ip route del default via 192.1.8.254 north # # add .33 for re-run north # ip addr show dev eth1 | grep 192.1.3.33 || ip addr add 192.1.3.33/24 dev eth1 inet 192.1.3.33/24 brd 192.1.3.255 scope global eth1 north # ip addr add 192.1.8.22/24 dev eth1 north # # add default gw; it could have been deleted due to the address changes above north # ip route | grep default || ip route add default via 192.1.3.254 default via 192.1.3.254 dev eth1 north # # routes and addresses are now set up for the test north # ipsec start Redirecting to: [initsystem] north # /testing/pluto/bin/wait-until-pluto-started north # ipsec auto --add northnet-eastnet 002 added connection description "northnet-eastnet" north # echo "initdone" initdone north # ipsec auto --up northnet-eastnet 002 "northnet-eastnet" #1: initiating v2 parent SA 1v2 "northnet-eastnet" #1: initiate 1v2 "northnet-eastnet" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 1v2 "northnet-eastnet" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} 003 "northnet-eastnet" #2: Authenticated using authby=secret 002 "northnet-eastnet" #2: negotiated connection [192.0.3.0-192.0.3.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] 004 "northnet-eastnet" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_128-NONE NATOA=none NATD=none DPD=passive} north # ping -W 1 -q -n -c 2 -I 192.0.3.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.3.254 : 56(84) bytes of data. 
--- 192.0.2.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms north # ipsec whack --trafficstatus 006 #2: "northnet-eastnet", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23' north # # note this end should be 192.1.3.33 north # ip xfrm state src 192.1.2.23 dst 192.1.3.33 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.3.33 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 north # ip xfrm policy src 192.0.3.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main tmpl src 192.1.3.33 dst 192.1.2.23 src 192.0.2.0/24 dst 192.0.3.0/24 dir fwd priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.3.33 src 192.0.2.0/24 dst 192.0.3.0/24 dir in priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.3.33 north # sleep 5 north # # remove this end's current IP (192.1.3.33) and default route; the remaining address 192.1.8.22 via 192.1.8.254 will take over north # ip route show scope global | grep 192.1.3.254 && ip route del default via 192.1.3.254 default via 192.1.3.254 dev eth1 192.0.1.0/24 via 192.1.3.254 dev eth1 192.0.2.0/24 via 192.1.3.254 dev eth1 192.1.2.0/24 via 192.1.3.254 dev eth1 north # ip route show scope global | grep 192.1.8.254 || ip route add default via 192.1.8.254 north # ip addr del 192.1.3.33/24 dev eth1 north # # let libreswan detect the address change and do a MOBIKE update north # sleep 10 north # # after the MOBIKE update, ping through the tunnel should work north # # note this end should now be 192.1.8.22 north # ping -W 1 -q -n -c 4 -I 192.0.3.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.3.254 : 56(84) bytes of data. 
--- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms north # echo done done north # ipsec whack --trafficstatus 006 #2: "northnet-eastnet", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='192.1.2.23' north # ip xfrm state src 192.1.2.23 dst 192.1.8.22 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.8.22 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 north # ip xfrm policy src 192.0.3.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main tmpl src 192.1.8.22 dst 192.1.2.23 src 192.0.2.0/24 dst 192.0.3.0/24 dir fwd priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.8.22 src 192.0.2.0/24 dst 192.0.3.0/24 dir in priority 1042407 ptype main tmpl src 192.1.2.23 dst 192.1.8.22 north # north # ../bin/check-for-core.sh north # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi