/testing/guestbin/swan-prep road # echo "192.0.2.252/30" >> /etc/ipsec.d/policies/clear road # echo "192.1.3.252/30" >> /etc/ipsec.d/policies/clear road # ifdown eth0 Error: NetworkManager is not running. road # sed -i '/IPV6/d' /etc/sysconfig/network-scripts/ifcfg-eth0 road # sed -i '/IPADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth0 road # sed -i '/GATEWAY/d' /etc/sysconfig/network-scripts/ifcfg-eth0 road # echo "IPADDR=192.1.3.209" >> /etc/sysconfig/network-scripts/ifcfg-eth0 road # echo "GATEWAY=192.1.3.254" >> /etc/sysconfig/network-scripts/ifcfg-eth0 road # ifup eth0 Error: NetworkManager is not running. road # ipsec start Redirecting to: [initsystem] road # /testing/pluto/bin/wait-until-pluto-started road # ipsec auto --add road-eastnet 002 added connection description "road-eastnet" road # echo "initdone" initdone road # ipsec auto --up road-eastnet 002 "road-eastnet"[1] 192.1.2.23 #1: initiating v2 parent SA 1v2 "road-eastnet"[1] 192.1.2.23 #1: initiate 1v2 "road-eastnet"[1] 192.1.2.23 #1: STATE_PARENT_I1: sent v2I1, expected v2R1 1v2 "road-eastnet"[1] 192.1.2.23 #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} 003 "road-eastnet"[1] 192.1.2.23 #2: Authenticated using authby=secret 002 "road-eastnet"[1] 192.1.2.23 #2: received INTERNAL_IP4_ADDRESS 192.0.3.10 002 "road-eastnet"[1] 192.1.2.23 #2: negotiated connection [192.0.3.10-192.0.3.10:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0] 004 "road-eastnet"[1] 192.1.2.23 #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP/NAT=>0xESPESP <0xESPESP xfrm=AES_CBC_256-HMAC_SHA2_256_128 NATOA=none NATD=192.1.2.23:4500 DPD=passive} road # ping -W 1 -q -n -c 2 192.1.2.23 PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data. --- 192.1.2.23 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms road # ipsec whack --trafficstatus 006 #2: "road-eastnet"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23', lease=192.0.3.10/32 road # # note this end should be 192.1.3.209 road # ip xfrm state src 192.1.2.23 dst 192.1.3.209 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY src 192.1.3.209 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY road # sleep 5 road # # remove this end ip next one will take over road # ip addr show scope global dev eth0 | grep -v valid_lft 11014: eth0@if11015: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fa:e5:33:e3:ae:00 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.1.3.209/24 scope global eth0 road # # delete the routes down to simulate WiFi link down. road # ip route del default road # ip route del 192.1.33.0/24 RTNETLINK answers: No such process road # ifdown eth0 Error: NetworkManager is not running. road # sed -i '/IPADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth0 road # sed -i '/GATEWAY/d' /etc/sysconfig/network-scripts/ifcfg-eth0 road # echo "IPADDR=192.1.33.222" >> /etc/sysconfig/network-scripts/ifcfg-eth0 road # echo "GATEWAY=192.1.33.254" >> /etc/sysconfig/network-scripts/ifcfg-eth0 road # sleep 2 road # # the client is still on the dev lo. road # # would the traffic leak in plain road # ip addr show dev lo 1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet 192.0.3.10/32 scope 50 lo valid_lft forever preferred_lft forever road # # let libreswan detect change and initiate MOBIKE update road # ifup eth0 Error: NetworkManager is not running. road # # restore config files while we wait road # sed -i '/IPADDR/d' /etc/sysconfig/network-scripts/ifcfg-eth0 road # sed -i '/GATEWAY/d' /etc/sysconfig/network-scripts/ifcfg-eth0 road # echo "IPADDR=192.1.3.209" >> /etc/sysconfig/network-scripts/ifcfg-eth0 road # echo "GATEWAY=192.1.3.254" >> /etc/sysconfig/network-scripts/ifcfg-eth0 road # sleep 10 road # # ip addr show scope global dev eth0 | grep -v -E '(valid_lft|ether|noqueue)' road # ip addr show scope global dev eth0 | grep -v valid_lft 11014: eth0@if11015: mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether fa:e5:33:e3:ae:00 brd ff:ff:ff:ff:ff:ff link-netnsid 0 inet 192.1.3.209/24 scope global eth0 road # # MOBIKE ping should work road # ping -W 8 -q -n -c 8 192.1.2.23 PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data. --- 192.1.2.23 ping statistics --- 8 packets transmitted, 8 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms road # # "ip xfrm" output this end should be 192.1.33.222 road # echo done done road # ip xfrm state src 192.1.2.23 dst 192.1.3.209 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY src 192.1.3.209 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel enc cbc(aes) 0xENCKEY road # ipsec whack --trafficstatus 006 #2: "road-eastnet"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=840, outBytes=840, id='192.1.2.23', lease=192.0.3.10/32 road # road # ../bin/check-for-core.sh road # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi