/testing/guestbin/swan-prep west # # confirm that the network is alive west # ../../pluto/bin/wait-until-alive 192.1.2.23 destination 192.1.2.23 is alive west # # ensure that clear text does not get through west # iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP west # iptables -A INPUT -i eth1 -s 10.0.2.0/24 -j DROP west # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT west # # remove this address from eth0. It will come back on vti west # ip addr show dev eth0 | grep 192.0.1.254 && ip addr del 192.0.1.254/24 dev eth0 inet 192.0.1.254/24 scope global eth0 west # ipsec start Redirecting to: [initsystem] west # /testing/pluto/bin/wait-until-pluto-started west # ipsec auto --add westnet-eastnet-vti-01 002 added connection description "westnet-eastnet-vti-01" west # ipsec auto --add westnet-eastnet-vti-02 002 added connection description "westnet-eastnet-vti-02" west # # remove the regular route for 192.0.2.0/24 west # ip route del 192.0.2.0/24 west # echo "initdone" initdone west # ipsec auto --up westnet-eastnet-vti-01 002 "westnet-eastnet-vti-01" #1: initiating v2 parent SA 1v2 "westnet-eastnet-vti-01" #1: initiate 1v2 "westnet-eastnet-vti-01" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 1v2 "westnet-eastnet-vti-01" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} 002 "westnet-eastnet-vti-01" #2: IKEv2 mode peer ID is ID_FQDN: '@east' 003 "westnet-eastnet-vti-01" #2: Authenticated using RSA 002 "westnet-eastnet-vti-01" #2: up-client output: net.ipv4.conf.ipsec0.disable_policy = 1 002 "westnet-eastnet-vti-01" #2: up-client output: net.ipv4.conf.ipsec0.rp_filter = 0 002 "westnet-eastnet-vti-01" #2: up-client output: net.ipv4.conf.ipsec0.forwarding = 1 002 "westnet-eastnet-vti-01" #2: up-client output: done ip route 002 "westnet-eastnet-vti-01" #2: prepare-client output: vti interface "ipsec0" already exists with conflicting setting 002 "westnet-eastnet-vti-01" #2: prepare-client output: existing: ipsec0: ip/ip remote any local 192.1.2.45 ttl inherit ikey 20 okey 21 002 "westnet-eastnet-vti-01" #2: prepare-client output: wanted : ipsec0: ip/ip remote any local 192.1.2.45 ttl inherit key 21 002 "westnet-eastnet-vti-01" #2: route-client output: done ip route 002 "westnet-eastnet-vti-01" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] 004 "westnet-eastnet-vti-01" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} west # ipsec auto --up westnet-eastnet-vti-02 1v2 "westnet-eastnet-vti-02" #3: STATE_V2_CREATE_I: sent IPsec Child req wait response 002 "westnet-eastnet-vti-02" #3: up-client output: vti interface "ipsec0" already exists with conflicting setting 002 "westnet-eastnet-vti-02" #3: up-client output: existing: ipsec0: ip/ip remote any local 192.1.2.45 ttl inherit ikey 20 okey 21 002 "westnet-eastnet-vti-02" #3: up-client output: wanted : ipsec0: ip/ip remote any local 192.1.2.45 ttl inherit key 21 002 "westnet-eastnet-vti-02" #3: up-client output: done ip route 002 "westnet-eastnet-vti-02" #3: prepare-client output: vti interface "ipsec0" already exists with conflicting setting 002 "westnet-eastnet-vti-02" #3: prepare-client output: existing: ipsec0: ip/ip remote any local 192.1.2.45 ttl inherit ikey 20 okey 21 002 "westnet-eastnet-vti-02" #3: prepare-client output: wanted : ipsec0: ip/ip remote any local 192.1.2.45 ttl inherit key 21 002 "westnet-eastnet-vti-02" #3: route-client output: RTNETLINK answers: File exists 002 "westnet-eastnet-vti-02" #3: route-client output: done ip route 002 "westnet-eastnet-vti-02" #3: negotiated connection [10.0.1.0-10.0.1.255:0-65535 0] -> [10.0.2.0-10.0.2.255:0-65535 0] 004 "westnet-eastnet-vti-02" #3: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE-MODP2048 NATOA=none NATD=none DPD=passive} west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms west # ping -n -c 4 -I 10.0.1.254 10.0.2.254 bind: Cannot assign requested address west # ipsec whack --trafficstatus 006 #2: "westnet-eastnet-vti-01", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east' 006 #3: "westnet-eastnet-vti-02", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east' west # echo done done west # grep -v -P "\t0$" /proc/net/xfrm_stat west # ip addr show 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 2: ip_vti0@NONE: mtu XXXX qdisc noop state DOWN group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 3: ipsec0@NONE: mtu 1480 qdisc noqueue state UNKNOWN group default qlen 1000 link/ipip 192.1.2.45 brd 0.0.0.0 inet 192.0.1.254/24 scope global ipsec0 valid_lft forever preferred_lft forever 18242: eth0@if18243: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether b2:da:e3:1d:bd:ae brd ff:ff:ff:ff:ff:ff link-netnsid 0 18247: eth1@if18248: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fe:39:06:d4:68:36 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.1.2.45/24 scope global eth1 valid_lft forever preferred_lft forever west # ip link show 1: lo: mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 2: ip_vti0@NONE: mtu XXXX qdisc noop state DOWN mode DEFAULT group default qlen 1000 link/ipip 0.0.0.0 brd 0.0.0.0 3: ipsec0@NONE: mtu 1480 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 link/ipip 192.1.2.45 brd 0.0.0.0 18242: eth0@if18243: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether b2:da:e3:1d:bd:ae brd ff:ff:ff:ff:ff:ff link-netnsid 0 18247: eth1@if18248: mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000 link/ether fe:39:06:d4:68:36 brd ff:ff:ff:ff:ff:ff link-netnsid 0 west # ip route show default via 192.1.2.254 dev eth1 10.0.2.0/24 dev ipsec0 scope link 192.0.1.0/24 dev ipsec0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 dev ipsec0 scope link 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 192.1.2.254 dev eth1 scope link west # ip xfrm state src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 west # ip xfrm policy src 10.0.1.0/24 dst 10.0.2.0/24 dir out priority 1042407 ptype main mark 0x15/0xffffffff tmpl src 192.1.2.45 dst 192.1.2.23 src 10.0.2.0/24 dst 10.0.1.0/24 dir fwd priority 1042407 ptype main mark 0x14/0xffffffff tmpl src 192.1.2.23 dst 192.1.2.45 src 10.0.2.0/24 dst 10.0.1.0/24 dir in priority 1042407 ptype main mark 0x14/0xffffffff tmpl src 192.1.2.23 dst 192.1.2.45 src 192.0.1.0/24 dst 192.0.2.0/24 dir out priority 1042407 ptype main mark 0x15/0xffffffff tmpl src 192.1.2.45 dst 192.1.2.23 src 192.0.2.0/24 dst 192.0.1.0/24 dir fwd priority 1042407 ptype main mark 0x14/0xffffffff tmpl src 192.1.2.23 dst 192.1.2.45 src 192.0.2.0/24 dst 192.0.1.0/24 dir in priority 1042407 ptype main mark 0x14/0xffffffff tmpl src 192.1.2.23 dst 192.1.2.45 west # west # ../bin/check-for-core.sh west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi