--- west.console.txt 2019-08-24 18:12:56.232675370 +0000 +++ OUTPUT/west.console.txt 2019-08-26 18:28:42.223323054 +0000 @@ -17,7 +17,6 @@ # confirm clear text does not get through west # ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254 -[ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=XXXX TOS=0x00 PREC=0x00 TTL=64 ID=XXXXX PROTO=ICMP TYPE=0 CODE=0 ID=XXXX SEQ=1 down west # ipsec start @@ -36,24 +35,16 @@ 1v2 "ikev2-westnet-eastnet-x509-cr" #1: initiate 1v2 "ikev2-westnet-eastnet-x509-cr" #1: STATE_PARENT_I1: sent v2I1, expected v2R1 1v2 "ikev2-westnet-eastnet-x509-cr" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} -002 "ikev2-westnet-eastnet-x509-cr" #2: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA -002 "ikev2-westnet-eastnet-x509-cr" #2: IKEv2 mode peer ID is ID_DER_ASN1_DN: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' -003 "ikev2-westnet-eastnet-x509-cr" #2: Authenticated using RSA -002 "ikev2-westnet-eastnet-x509-cr" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] -004 "ikev2-westnet-eastnet-x509-cr" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} +002 "ikev2-westnet-eastnet-x509-cr" #2: IKE SA authentication request rejected by peer: AUTHENTICATION_FAILED +000 "ikev2-westnet-eastnet-x509-cr" #2: scheduling retry attempt 1 of an unlimited number, but releasing whack west # ping -n -c4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. -64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms -64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms -64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms -64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- -4 packets transmitted, 4 received, 0% packet loss, time XXXX -rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms +4 packets transmitted, 0 received, 100% packet loss, time XXXX west # ipsec whack --trafficstatus -006 #2: "ikev2-westnet-eastnet-x509-cr", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org' +whack: is Pluto running? connect() for "/run/pluto/pluto.ctl" failed (111 Connection refused) west # echo "done" done @@ -63,32 +54,16 @@ XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel - replay-window 32 flag af-unspec - aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 -src 192.1.2.45 dst 192.1.2.23 - proto esp spi 0xSPISPI reqid REQID mode tunnel - replay-window 32 flag af-unspec - aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 + replay-window 0 + sel src 192.1.2.23/32 dst 192.1.2.45/32 XFRM policy: -src 192.0.1.0/24 dst 192.0.2.0/24 - dir out priority 1042407 ptype main - tmpl src 192.1.2.45 dst 192.1.2.23 - proto esp reqid REQID mode tunnel -src 192.0.2.0/24 dst 192.0.1.0/24 - dir fwd priority 1042407 ptype main - tmpl src 192.1.2.23 dst 192.1.2.45 - proto esp reqid REQID mode tunnel -src 192.0.2.0/24 dst 192.0.1.0/24 - dir in priority 1042407 ptype main - tmpl src 192.1.2.23 dst 192.1.2.45 - proto esp reqid REQID mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 -192.0.2.0/24 dev eth1 scope link src 192.0.1.254 +192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes