/testing/guestbin/swan-prep
road # ../../pluto/bin/wait-until-alive 192.0.2.254
destination 192.0.2.254 is alive
road # iptables -A INPUT -i eth0 -s 192.0.2.254 -p icmp -j DROP
road # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
road # ../../pluto/bin/ping-once.sh --down 192.0.2.254
down
road # ipsec start
Redirecting to: [initsystem]
road # /testing/pluto/bin/wait-until-pluto-started
road # ip route get to 192.1.2.23
192.1.2.23 via 192.1.3.254 dev eth0 src 192.1.3.209 uid 0 cache
road # # this test needs --verbose to see source address selection
road # ipsec auto --add --verbose road
opening file: /etc/ipsec.conf
debugging mode enabled
end of file /etc/ipsec.conf
Loading conn road
while loading conn 'road' also including 'rw-eastnet'
starter: left is KH_DEFAULTROUTE
Loading conn east
while loading conn 'east' also including 'rw-eastnet'
connection's leftaddresspool set to: 192.0.3.1-192.0.3.200
Loading conn rw-eastnet
starter: left is KH_NOTSET
loading named conns: road
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst via 192.1.3.254 dev eth0 src table 254
set nexthop: 192.1.3.254
dst 192.1.3.0 via dev eth0 src 192.1.3.209 table 254
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
dst 192.1.3.0 via dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.209 via dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.255 via dev eth0 src 192.1.3.209 table 255 (ignored)
seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.1.3.254 via dev eth0 src 192.1.3.209 table 254
set addr: 192.1.3.209
seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "road" modecfgdns=
conn: "road" modecfgdomains=
conn: "road" modecfgbanner=
conn: "road" mark=
conn: "road" 
mark-in=
conn: "road" mark-out=
conn: "road" vti_iface=
conn: "road" redirect-to=
conn: "road" accept-redirect-to=
conn: "road" esp=
conn: "road" ike=
002 added IKEv2 connection "road"
road # echo "initdone"
initdone
road # ipsec auto --up road
1v2 "road"[1] 192.1.2.23 #1: initiating IKEv2 connection
1v2 "road"[1] 192.1.2.23 #1: sent IKE_SA_INIT request
1v2 "road"[1] 192.1.2.23 #1: sent IKE_AUTH request {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "road"[1] 192.1.2.23 #2: IKEv2 mode peer ID is ID_FQDN: '@east'
003 "road"[1] 192.1.2.23 #1: authenticated using authby=secret
002 "road"[1] 192.1.2.23 #2: received INTERNAL_IP4_ADDRESS 192.0.3.1
002 "road"[1] 192.1.2.23 #2: negotiated connection [192.0.3.1-192.0.3.1:0-65535 0] -> [0.0.0.0-255.255.255.255:0-65535 0]
004 "road"[1] 192.1.2.23 #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
road # ping6 -c 2 -w 4 192.0.2.254
ping6: 192.0.2.254: Address family for hostname not supported
road # ipsec trafficstatus
006 #2: "road"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east', lease=192.0.3.1/32
road # ../../pluto/bin/ip-addr-show.sh
eth0 inet 192.1.3.209/24
lo inet 192.0.3.1/32
road # ip -6 route
road # ip route get to 192.1.2.23
192.1.2.23 via 192.1.3.254 dev eth0 src 192.0.3.1 uid 0 cache
road # #
road # # addconn needs a non-existing --ctlsocket,
road # # otherwise this add brings the connection down.
road # #
road # # see the source address selection when the tunnel is established
road # ipsec auto --add --verbose --ctlsocket /run/pluto/foo road
opening file: /etc/ipsec.conf
debugging mode enabled
end of file /etc/ipsec.conf
Loading conn road
while loading conn 'road' also including 'rw-eastnet'
starter: left is KH_DEFAULTROUTE
Loading conn east
while loading conn 'east' also including 'rw-eastnet'
connection's leftaddresspool set to: 192.0.3.1-192.0.3.200
Loading conn rw-eastnet
starter: left is KH_NOTSET
loading named conns: road
seeking_src = 1, seeking_gateway = 1, has_peer = 1
seeking_src = 0, seeking_gateway = 1, has_dst = 1
dst 0.0.0.0 via 192.1.3.254 dev eth0 src 192.0.3.1 table 254
dst via 192.1.3.254 dev eth0 src table 254
set nexthop: 192.1.3.254
dst 128.0.0.0 via 192.1.3.254 dev eth0 src 192.0.3.1 table 254
dst 192.1.3.0 via dev eth0 src 192.1.3.209 table 254
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.0 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.0.0.1 via dev lo src 127.0.0.1 table 255 (ignored)
dst 127.255.255.255 via dev lo src 127.0.0.1 table 255 (ignored)
dst 192.0.3.1 via dev lo src 192.0.3.1 table 255 (ignored)
dst 192.1.3.0 via dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.209 via dev eth0 src 192.1.3.209 table 255 (ignored)
dst 192.1.3.255 via dev eth0 src 192.1.3.209 table 255 (ignored)
seeking_src = 1, seeking_gateway = 0, has_peer = 1
seeking_src = 1, seeking_gateway = 0, has_dst = 1
dst 192.1.3.254 via dev eth0 src 192.1.3.209 table 254
set addr: 192.1.3.209
seeking_src = 0, seeking_gateway = 0, has_peer = 1
conn: "road" modecfgdns=
conn: "road" modecfgdomains=
conn: "road" modecfgbanner=
conn: "road" mark=
conn: "road" mark-in=
conn: "road" mark-out=
conn: "road" vti_iface=
conn: "road" redirect-to=
conn: "road" accept-redirect-to=
conn: "road" esp=
conn: "road" ike=
connect(pluto_ctl) failed: No such file or directory
road # echo done
done
road # if [ -f /var/run/pluto/pluto.pid ]; then 
../../pluto/bin/ipsec-look.sh ; fi
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
proto esp spi 0xSPISPI reqid REQID mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
src 192.1.3.209 dst 192.1.2.23
proto esp spi 0xSPISPI reqid REQID mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
XFRM policy:
src 0.0.0.0/0 dst 192.0.3.1/32
dir fwd priority 2080767 ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 0.0.0.0/0 dst 192.0.3.1/32
dir in priority 2080767 ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 192.0.3.1/32 dst 0.0.0.0/0
dir out priority 2080767 ptype main
tmpl src 192.1.3.209 dst 192.1.2.23
proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
0.0.0.0/1 via 192.1.3.254 dev eth0 src 192.0.3.1
default via 192.1.3.254 dev eth0
128.0.0.0/1 via 192.1.3.254 dev eth0 src 192.0.3.1
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
road # if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
road # ../bin/check-for-core.sh
road # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
road #