/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
 certutil -D -n east -d sql:/etc/ipsec.d
road #
 cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private-or-clear
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 11,' -- ipsec auto --status
000 Total IPsec connections: loaded 11, active 0
road #
 echo "initdone"
initdone
road #
 # wait on OE to install %pass due to east not running ipsec
road #
 # should show no tunnels and a bare shunt
road #
 ../../guestbin/ping-once.sh --forget -I 192.1.3.209 192.1.2.23
fired and forgotten
road #
 ../../guestbin/wait-for.sh --timeout 60 --match oe-failing -- ipsec shuntstatus
000 192.1.3.209/32 -0-> 192.1.2.23/32 => %pass 0    oe-failing
road #
 ipsec trafficstatus
road #
 # verify xfrm policy got added for %pass
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
XFRM policy:
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,, 
east-ec                                                      P,,  
hashsha1                                                     P,,  
nic                                                          P,,  
north                                                        P,,  
road                                                         u,u,u
west                                                         P,,  
west-ec                                                      P,,  
road #
 echo "waiting on east to start ipsec and OE initiate to us"
waiting on east to start ipsec and OE initiate to us
road #
 # OE has been triggered.
road #
 # there should be no %pass shunts on either side and an active tunnel and no partial IKE states
road #
 ipsec showstates
000 #2: "private-or-clear#192.1.2.0/24"[2] ...192.1.2.23:500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
000 #3: "private-or-clear#192.1.2.0/24"[2] ...192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; REPLACE in XXs; newest; eroute owner; IKE SA #2; idle;
000 #3: "private-or-clear#192.1.2.0/24"[2] ...192.1.2.23 esp.ESPSPIi@192.1.2.23 esp.ESPSPIi@192.1.3.209 tun.0@192.1.2.23 tun.0@192.1.3.209 Traffic: ESPin=252B ESPout=252B ESPmax=2^63B 
road #
 ipsec trafficstatus
006 #3: "private-or-clear#192.1.2.0/24"[2] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=252, outBytes=252, maxBytes=2^63B, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
road #
 ipsec shuntstatus
000 Bare Shunt list:
000  
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
XFRM policy:
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,, 
east-ec                                                      P,,  
hashsha1                                                     P,,  
nic                                                          P,,  
north                                                        P,,  
road                                                         u,u,u
west                                                         P,,  
west-ec                                                      P,,  
road #
 # letting 60s shunt expire
road #
 ../../guestbin/wait-for.sh --timeout 60 --no-match ' spi 0x00000000 ' -- ip xfrm state
road #
 # we should have 1 or 2 tunnels, no shunts
road #
 ipsec trafficstatus
006 #3: "private-or-clear#192.1.2.0/24"[2] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=252, outBytes=252, maxBytes=2^63B, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
road #
 ipsec shuntstatus
000 Bare Shunt list:
000  
road #
 # we should see one of each in/fwd/out (confirming %pass shunt delete didn't take out dir out tunnel policy
road #
 ip xfrm policy
src 192.1.3.209/32 dst 192.1.2.23/32 
	dir out priority PRIORITY ptype main 
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32 
	dir fwd priority PRIORITY ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32 
	dir in priority PRIORITY ptype main 
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24 
	dir out priority PRIORITY ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.2.253/32 dst 192.1.3.209/32 
	dir fwd priority PRIORITY ptype main 
src 192.1.2.253/32 dst 192.1.3.209/32 
	dir in priority PRIORITY ptype main 
src 192.1.3.209/32 dst 192.1.2.253/32 
	dir out priority PRIORITY ptype main 
src 192.1.3.253/32 dst 192.1.3.209/32 
	dir fwd priority PRIORITY ptype main 
src 192.1.3.253/32 dst 192.1.3.209/32 
	dir in priority PRIORITY ptype main 
src 192.1.3.209/32 dst 192.1.3.253/32 
	dir out priority PRIORITY ptype main 
src 192.1.3.254/32 dst 192.1.3.209/32 
	dir fwd priority PRIORITY ptype main 
src 192.1.3.254/32 dst 192.1.3.209/32 
	dir in priority PRIORITY ptype main 
src 192.1.3.209/32 dst 192.1.3.254/32 
	dir out priority PRIORITY ptype main 
src 192.1.2.254/32 dst 192.1.3.209/32 
	dir fwd priority PRIORITY ptype main 
src 192.1.2.254/32 dst 192.1.3.209/32 
	dir in priority PRIORITY ptype main 
src 192.1.3.209/32 dst 192.1.2.254/32 
	dir out priority PRIORITY ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
road #
 # nic blocks cleartext, so confirm tunnel is working
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 ipsec trafficstatus
006 #3: "private-or-clear#192.1.2.0/24"[2] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=588, outBytes=588, maxBytes=2^63B, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'

