/testing/guestbin/swan-prep --x509 Preparing X.509 files west # # delete the CA, both ends hardcode both certificates west # certutil -D -n "Libreswan test CA for mainca - Libreswan" -d sql:/etc/ipsec.d certutil: could not find certificate named "Libreswan test CA for mainca - Libreswan": SEC_ERROR_... west # certutil -D -n "east-ec" -d sql:/etc/ipsec.d certutil: could not find certificate named "east-ec": SEC_ERROR_... west # # confirm that the network is alive west # ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 destination -I 192.0.1.254 192.0.2.254 is alive west # # ensure that clear text does not get through west # iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP west # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT west # # confirm clear text does not get through west # ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254 down west # ipsec start Redirecting to: [initsystem] west # /testing/pluto/bin/wait-until-pluto-started west # ipsec auto --add westnet-eastnet-ikev2 002 added IKEv2 connection "westnet-eastnet-ikev2" west # ipsec auto --status | grep westnet-eastnet-ikev2 000 "westnet-eastnet-ikev2": 192.0.1.0/24===192.1.2.45<192.1.2.45>...192.1.2.23<192.1.2.23>===192.0.2.0/24; unrouted; eroute owner: #0 000 "westnet-eastnet-ikev2": oriented; my_ip=unset; their_ip=unset; mycert=west; peercert=east; my_updown=ipsec _updown; 000 "westnet-eastnet-ikev2": xauth us:none, xauth them:none, my_username=[any]; their_username=[any] 000 "westnet-eastnet-ikev2": our auth:rsasig, their auth:rsasig 000 "westnet-eastnet-ikev2": modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, banner:unset, cat:unset; 000 "westnet-eastnet-ikev2": policy_label:unset; 000 "westnet-eastnet-ikev2": CAs: 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org'...'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org' 000 "westnet-eastnet-ikev2": ike_life: 3600s; ipsec_life: 28800s; replay_window: 32; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "westnet-eastnet-ikev2": retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500; 000 "westnet-eastnet-ikev2": initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no; 000 "westnet-eastnet-ikev2": policy: RSASIG+ECDSA+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+IKE_FRAG_ALLOW+ESN_NO+RSASIG_v1_5; 000 "westnet-eastnet-ikev2": v2-auth-hash-policy: SHA2_256+SHA2_384+SHA2_512; 000 "westnet-eastnet-ikev2": conn_prio: 24,24; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none; 000 "westnet-eastnet-ikev2": nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:auto; 000 "westnet-eastnet-ikev2": our idtype: ID_IPV4_ADDR; our id=192.1.2.45; their idtype: ID_IPV4_ADDR; their id=192.1.2.23 000 "westnet-eastnet-ikev2": dpd: action:hold; delay:0; timeout:0; nat-t: encaps:auto; nat_keepalive:yes; ikev1_natt:both 000 "westnet-eastnet-ikev2": newest ISAKMP SA: #0; newest IPsec SA: #0; conn serial: $1; west # echo "initdone" initdone west # ipsec auto --up westnet-eastnet-ikev2 1v2 "westnet-eastnet-ikev2" #1: initiating IKEv2 connection 1v2 "westnet-eastnet-ikev2" #1: sent IKE_SA_INIT request 1v2 "westnet-eastnet-ikev2" #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048} 002 "westnet-eastnet-ikev2" #1: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA 003 "westnet-eastnet-ikev2" #1: authenticated using RSA with SHA2_512 002 "westnet-eastnet-ikev2" #2: negotiated connection [192.0.1.0-192.0.1.255:0-65535 0] -> [192.0.2.0-192.0.2.255:0-65535 0] 004 "westnet-eastnet-ikev2" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive} west # ping -n -c 2 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms west # ipsec whack --trafficstatus 006 #2: "westnet-eastnet-ikev2", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23' west # echo done done west # ../../pluto/bin/ipsec-look.sh west NOW XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 32 flag af-unspec aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 32 flag af-unspec aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128 XFRM policy: src 192.0.1.0/24 dst 192.0.2.0/24 dir out priority 2084814 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto esp reqid REQID mode tunnel src 192.0.2.0/24 dst 192.0.1.0/24 dir fwd priority 2084814 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid REQID mode tunnel src 192.0.2.0/24 dst 192.0.1.0/24 dir in priority 2084814 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto esp reqid REQID mode tunnel XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Libreswan test CA for mainca - Libreswan CT,, east P,, east-ec P,, hashsha1 P,, nic P,, north P,, road P,, west u,u,u west # ../bin/check-for-core.sh west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi west #