/testing/guestbin/swan-prep
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet-nflog
002 "westnet-eastnet-nflog": added IKEv1 connection
west #
 ipsec auto --add west-east-nflog
002 "west-east-nflog": added IKEv1 connection
west #
 echo "initdone"
initdone
west #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
west #
 ipsec auto --up westnet-eastnet-nflog
002 "westnet-eastnet-nflog" #1: initiating IKEv1 Main Mode connection
1v1 "westnet-eastnet-nflog" #1: sent Main Mode request
1v1 "westnet-eastnet-nflog" #1: sent Main Mode I2
1v1 "westnet-eastnet-nflog" #1: sent Main Mode I3
002 "westnet-eastnet-nflog" #1: Peer ID is ID_FQDN: '@east'
003 "westnet-eastnet-nflog" #1: authenticated peer '2nnn-bit RSA with SHA1' signature using preloaded certificate '@east'
004 "westnet-eastnet-nflog" #1: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "westnet-eastnet-nflog" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
1v1 "westnet-eastnet-nflog" #2: sent Quick Mode request
004 "westnet-eastnet-nflog" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive}
west #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  192.0.2.0/24         192.0.1.0/24         policy match dir in pol ipsec nflog-prefix  westnet-eastnet-nflog nflog-group 13
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  192.0.1.0/24         192.0.2.0/24         policy match dir out pol ipsec nflog-prefix  westnet-eastnet-nflog nflog-group 13
west #
 ipsec auto --up west-east-nflog
002 "west-east-nflog" #3: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
1v1 "west-east-nflog" #3: sent Quick Mode request
004 "west-east-nflog" #3: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive}
west #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  192.1.2.23           192.1.2.45           policy match dir in pol ipsec nflog-prefix  west-east-nflog nflog-group 50
NFLOG      all  --  192.0.2.0/24         192.0.1.0/24         policy match dir in pol ipsec nflog-prefix  westnet-eastnet-nflog nflog-group 13
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  192.1.2.45           192.1.2.23           policy match dir out pol ipsec nflog-prefix  west-east-nflog nflog-group 50
NFLOG      all  --  192.0.1.0/24         192.0.2.0/24         policy match dir out pol ipsec nflog-prefix  westnet-eastnet-nflog nflog-group 13
west #
 # suppress job monitoring; specify packet count
west #
 rm -f /tmp/nflog-50.pcap /tmp/tcpdump.log
west #
 set +m
west #
 tcpdump -c 4 -s 0 -w /tmp/nflog-50.pcap -i nflog:50 > /tmp/tcpdump.log 2>&1 &
[B] PID
west #
 ../../guestbin/wait-for.sh --match 'listening on' -- cat /tmp/tcpdump.log
tcpdump: listening on INTERFACE DETAILS
west #
 ../../guestbin/ping-once.sh --up -I 192.1.2.45 192.1.2.23
up
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ../../guestbin/ping-once.sh --up -I 192.1.2.45 192.1.2.23
up
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec auto --down westnet-eastnet-nflog
002 "westnet-eastnet-nflog": terminating SAs using this connection
002 "westnet-eastnet-nflog": IKE SA is shared - only terminating IPsec SA
002 "westnet-eastnet-nflog" #2: deleting state (STATE_QUICK_I2) and sending notification
005 "westnet-eastnet-nflog" #2: ESP traffic information: in=168B out=168B
west #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  192.1.2.23           192.1.2.45           policy match dir in pol ipsec nflog-prefix  west-east-nflog nflog-group 50
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      all  --  192.1.2.45           192.1.2.23           policy match dir out pol ipsec nflog-prefix  west-east-nflog nflog-group 50
west #
 ipsec auto --down west-east-nflog
002 "west-east-nflog": terminating SAs using this connection
002 "west-east-nflog" #3: deleting state (STATE_QUICK_I2) and sending notification
005 "west-east-nflog" #3: ESP traffic information: in=168B out=168B
west #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
west #
 # wait for count to reach tcpdump then dump it
west #
 wait
west #
 cp  /tmp/nflog-50.pcap OUTPUT/nflog-50.pcap
west #
 tcpdump -n -r OUTPUT/nflog-50.pcap 2>/dev/null
IP 192.1.2.45 > 192.1.2.23: ICMP echo request, id XXXX, seq 1, length 64
IP 192.1.2.23 > 192.1.2.45: ICMP echo reply, id XXXX, seq 1, length 64
IP 192.1.2.45 > 192.1.2.23: ICMP echo request, id XXXX, seq 1, length 64
IP 192.1.2.23 > 192.1.2.45: ICMP echo reply, id XXXX, seq 1, length 64
west #
 echo done
done
west #
 ../../guestbin/ipsec-look.sh
west NOW
XFRM state:
XFRM policy:
src 192.1.2.45/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 ipsec stop
Redirecting to: [initsystem]
west #
 # show no nflog left behind
west #
 iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir in pol ipsec
DROP       all  --  192.0.2.0/24         0.0.0.0/0           
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
west #
 
