/testing/guestbin/swan-prep
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # confirm that the network is alive
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ensure that clear text does not get through
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # confirm clear text does not get through
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
==== cut ====
ping -q -n -c 1 -i 2 -w 1 -I 192.0.1.254 192.0.2.254
==== tuc ====
==== cut ====
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.

--- 192.0.2.254 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

==== tuc ====
down
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Redirecting to: /etc/init.d/ipsec start
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Error: Peer netns reference is invalid.
Starting pluto IKE daemon for IPsec:
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# /testing/pluto/bin/wait-until-pluto-started
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --add westnet-eastnet-compress
002 added connection description "westnet-eastnet-compress"
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --status | grep westnet-eastnet-compress
000 "westnet-eastnet-compress": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; unrouted; eroute owner: #0
000 "westnet-eastnet-compress": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-eastnet-compress": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "westnet-eastnet-compress": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet-compress": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-eastnet-compress": labeled_ipsec:no;
000 "westnet-eastnet-compress": policy_label:unset;
000 "westnet-eastnet-compress": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-eastnet-compress": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "westnet-eastnet-compress": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-eastnet-compress": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-eastnet-compress": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-eastnet-compress": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-eastnet-compress": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east
000 "westnet-eastnet-compress": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-eastnet-compress": newest ISAKMP SA: #0; newest IPsec SA: #0;
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# echo "initdone"
initdone
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --up westnet-eastnet-compress
002 "westnet-eastnet-compress" #1: initiating Main Mode
102 "westnet-eastnet-compress" #1: STATE_MAIN_I1: initiate
104 "westnet-eastnet-compress" #1: STATE_MAIN_I2: sent MI2, expecting MR2
106 "westnet-eastnet-compress" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "westnet-eastnet-compress" #1: Peer ID is ID_FQDN: '@east'
003 "westnet-eastnet-compress" #1: Authenticated using RSA
004 "westnet-eastnet-compress" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "westnet-eastnet-compress" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:e13b5a3d proposal=defaults pfsgroup=MODP2048}
115 "westnet-eastnet-compress" #2: STATE_QUICK_I1: initiate
004 "westnet-eastnet-compress" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9dceaea6 <0x314a04d7 xfrm=AES_CBC_128-HMAC_SHA1_96 IPCOMP=>0x000067e5 <0x0000edd8 NATOA=none NATD=none DPD=passive}
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # this ping wont be compressed
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.087 ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.092 ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.458 ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.109 ms

--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 58ms
rtt min/avg/max/mdev = 0.087/0.186/0.458/0.157 ms
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # test compression via large pings that can be compressed on IPCOMP SA
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ping -n -c 4 -s 8184 -p ff -I 192.0.1.254 192.0.2.254
PATTERN: 0xff
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 8184(8212) bytes of data.
8192 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.326 ms
8192 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.569 ms
8192 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.397 ms
8192 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.387 ms

--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 82ms
rtt min/avg/max/mdev = 0.326/0.419/0.569/0.093 ms
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec whack --trafficstatus
006 #2: "westnet-eastnet-compress", type=ESP, add_time=0, inBytes=657, outBytes=659, id='@east'
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.0.1.0/24 dst 192.0.2.0/24 \ dir out priority 1042407 ptype main \ tmpl src 192.1.2.45 dst 192.1.2.23\ proto comp reqid 16390 mode tunnel\ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\
src 192.0.2.0/24 dst 192.0.1.0/24 \ dir fwd priority 1042407 ptype main \ tmpl src 192.1.2.23 dst 192.1.2.45\ proto comp reqid 16390 mode tunnel\ level use \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\
src 192.0.2.0/24 dst 192.0.1.0/24 \ dir in priority 1042407 ptype main \ tmpl src 192.1.2.23 dst 192.1.2.45\ proto comp reqid 16390 mode tunnel\ level use \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 16389 mode transport\
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
west Mon Aug 26 18:36:59 UTC 2019
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0x314a04d7 reqid 16389 mode transport
	replay-window 32
	auth-trunc hmac(sha1) 0xf6a8d85c17d6af2b5893ede2776ca5c3e8347d47 96
	enc cbc(aes) 0x4b5cd6963dc3bd964c18ccb21208e47a
	anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.1.2.23 dst 192.1.2.45
	proto comp spi 0x0000edd8 reqid 16390 mode tunnel
	replay-window 0 flag af-unspec
	comp deflate
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.23 dst 192.1.2.45
	proto 4 spi 0xc0010217 reqid 0 mode tunnel
	replay-window 0 flag af-unspec
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0x9dceaea6 reqid 16389 mode transport
	replay-window 32
	auth-trunc hmac(sha1) 0x47db81c0a41d3db59b73659b37b678f185ed9762 96
	enc cbc(aes) 0x337003b1418849514472fe6da7544f48
	anti-replay context: seq 0x0, oseq 0x8, bitmap 0x00000000
	sel src 0.0.0.0/0 dst 0.0.0.0/0
src 192.1.2.45 dst 192.1.2.23
	proto comp spi 0x000067e5 reqid 16390 mode tunnel
	replay-window 0 flag af-unspec
	comp deflate
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 192.1.2.45 dst 192.1.2.23
	proto 4 spi 0xc001022d reqid 0 mode tunnel
	replay-window 0 flag af-unspec
	anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority 1042407 ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto comp reqid 16390 mode tunnel
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16389 mode transport
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority 1042407 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid 16390 mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16389 mode transport
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority 1042407 ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid 16390 mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 16389 mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --down westnet-eastnet-compress
002 "westnet-eastnet-compress": terminating SAs using this connection
002 "westnet-eastnet-compress" #2: deleting state (STATE_QUICK_I2) aged 6.896s and sending notification
005 "westnet-eastnet-compress" #2: ESP traffic information: in=657B out=659B
005 "westnet-eastnet-compress" #2: IPCOMP traffic information: in=0B out=0B
002 "westnet-eastnet-compress" #1: deleting state (STATE_MAIN_I4) aged 6.934s and sending notification
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# echo done
done
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../../pluto/bin/ipsec-look.sh
==== cut ====
start raw xfrm state:
src 192.0.1.0/24 dst 192.0.2.0/24 \ dir out priority 1042407 ptype main \ tmpl src 0.0.0.0 dst 0.0.0.0\ proto esp reqid 0 mode transport\
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket out priority 0 ptype main \
src 0.0.0.0/0 dst 0.0.0.0/0 \ socket in priority 0 ptype main \
end raw xfrm state:
==== tuc ====
west Mon Aug 26 18:37:01 UTC 2019
XFRM state:
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority 1042407 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ==== cut ====
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ipsec auto --status | grep westnet-eastnet-compress
000 "westnet-eastnet-compress": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===192.0.2.0/24; prospective erouted; eroute owner: #0
000 "westnet-eastnet-compress": oriented; my_ip=unset; their_ip=unset; my_updown=ipsec _updown;
000 "westnet-eastnet-compress": xauth us:none, xauth them:none, my_username=[any]; their_username=[any]
000 "westnet-eastnet-compress": our auth:rsasig, their auth:rsasig
000 "westnet-eastnet-compress": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset;
000 "westnet-eastnet-compress": labeled_ipsec:no;
000 "westnet-eastnet-compress": policy_label:unset;
000 "westnet-eastnet-compress": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "westnet-eastnet-compress": retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "westnet-eastnet-compress": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
000 "westnet-eastnet-compress": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+IKEV1_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO;
000 "westnet-eastnet-compress": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
000 "westnet-eastnet-compress": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto;
000 "westnet-eastnet-compress": our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east
000 "westnet-eastnet-compress": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both
000 "westnet-eastnet-compress": newest ISAKMP SA: #0; newest IPsec SA: #0;
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ==== tuc ====
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# ../bin/check-for-core.sh
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
type=AVC msg=audit(1566844133.486:265910): avc: denied { write } for pid=7504 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=295084539 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
type=AVC msg=audit(1566844133.996:266013): avc: denied { write } for pid=8463 comm="ip" path="/tmp/pluto.log" dev="dm-0" ino=63889669 scontext=unconfined_u:system_r:ifconfig_t:s0 tcontext=unconfined_u:object_r:container_file_t:s0:c718,c778 tclass=file permissive=1
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]# # ==== end ====
kroot@swantest:/home/build/libreswan/testing/pluto/compress-pluto-01\[root@west compress-pluto-01]#