/testing/guestbin/swan-prep road # ifconfig eth0 192.1.3.194 netmask 255.255.255.0 road # route add -net default gw 192.1.3.254 road # ipsec start Redirecting to: [initsystem] road # /testing/pluto/bin/wait-until-pluto-started road # ipsec auto --add modecfg-road-eastnet-psk 002 added connection description "modecfg-road-eastnet-psk" road # echo "initdone" initdone road # ipsec auto --replace modecfg-road-eastnet-psk 002 "modecfg-road-eastnet-psk": terminating SAs using this connection 002 added connection description "modecfg-road-eastnet-psk" road # ipsec whack --status | grep modecfg-road-eastnet-psk 000 "modecfg-road-eastnet-psk": 192.1.3.194[@roadrandom,+MC+XC+S=C]---192.1.3.254...192.1.2.23<192.1.2.23>[@east,MS+XS+S=C]===192.0.2.0/24; unrouted; eroute owner: #0 000 "modecfg-road-eastnet-psk": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown; 000 "modecfg-road-eastnet-psk": xauth us:client, xauth them:server, my_username=[any]; their_username=[any] 000 "modecfg-road-eastnet-psk": our auth:secret, their auth:secret 000 "modecfg-road-eastnet-psk": modecfg info: us:client, them:server, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "modecfg-road-eastnet-psk": labeled_ipsec:no; 000 "modecfg-road-eastnet-psk": policy_label:unset; 000 "modecfg-road-eastnet-psk": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "modecfg-road-eastnet-psk": retransmit-interval: 9999ms; retransmit-timeout: 99s; 000 "modecfg-road-eastnet-psk": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "modecfg-road-eastnet-psk": policy: PSK+ENCRYPT+TUNNEL+PFS+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO; 000 "modecfg-road-eastnet-psk": conn_prio: 32,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "modecfg-road-eastnet-psk": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "modecfg-road-eastnet-psk": our idtype: ID_FQDN; our id=@roadrandom; their idtype: ID_FQDN; their id=@east 000 "modecfg-road-eastnet-psk": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "modecfg-road-eastnet-psk": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "modecfg-road-eastnet-psk": IKE algorithms: 3DES_CBC-HMAC_SHA1-MODP2048, 3DES_CBC-HMAC_SHA1-MODP1536 road # ipsec whack --xauthname 'use3' --xauthpass 'use1pass' --name modecfg-road-eastnet-psk --initiate 003 "modecfg-road-eastnet-psk": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's 003 "modecfg-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure 003 "modecfg-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5 002 "modecfg-road-eastnet-psk" #1: initiating Aggressive Mode 003 "modecfg-road-eastnet-psk" #1: multiple DH groups in aggressive mode can cause interop failure 003 "modecfg-road-eastnet-psk" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5 1v1 "modecfg-road-eastnet-psk" #1: STATE_AGGR_I1: initiate 002 "modecfg-road-eastnet-psk" #1: Peer ID is ID_FQDN: '@east' 002 "modecfg-road-eastnet-psk" #1: Peer ID is ID_FQDN: '@east' 004 "modecfg-road-eastnet-psk" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} 041 "modecfg-road-eastnet-psk" #1: modecfg-road-eastnet-psk prompt for Username: 040 "modecfg-road-eastnet-psk" #1: modecfg-road-eastnet-psk prompt for Password: 002 "modecfg-road-eastnet-psk" #1: XAUTH: Answering XAUTH challenge with user='use3' 004 "modecfg-road-eastnet-psk" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} 002 "modecfg-road-eastnet-psk" #1: XAUTH: Successfully Authenticated 004 "modecfg-road-eastnet-psk" #1: STATE_XAUTH_I1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} 002 "modecfg-road-eastnet-psk" #1: Received IP address 10.9.2.209/32 002 "modecfg-road-eastnet-psk" #1: setting ip source address to 10.9.2.209/32 004 "modecfg-road-eastnet-psk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=3DES_CBC_192 integ=HMAC_SHA1 group=MODP1536} 002 "modecfg-road-eastnet-psk" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+AGGRESSIVE+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO 1v1 "modecfg-road-eastnet-psk" #2: STATE_QUICK_I1: initiate 004 "modecfg-road-eastnet-psk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive username=use3} road # ping -c4 192.0.2.254 PING 192.0.2.254 (192.0.2.254) 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms road # echo done. done. road # ../../pluto/bin/ipsec-look.sh road NOW XFRM state: src 192.1.2.23 dst 192.1.3.194 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY src 192.1.3.194 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY XFRM policy: src 10.9.2.209/32 dst 192.0.2.0/24 dir out priority 1040359 ptype main tmpl src 192.1.3.194 dst 192.1.2.23 proto esp reqid REQID mode tunnel src 192.0.2.0/24 dst 10.9.2.209/32 dir fwd priority 1040359 ptype main tmpl src 192.1.2.23 dst 192.1.3.194 proto esp reqid REQID mode tunnel src 192.0.2.0/24 dst 10.9.2.209/32 dir in priority 1040359 ptype main tmpl src 192.1.2.23 dst 192.1.3.194 proto esp reqid REQID mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.3.254 dev eth0 192.0.2.0/24 via 192.1.3.254 dev eth0 src 10.9.2.209 192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.194 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI road # road # ../bin/check-for-core.sh road # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi