/testing/guestbin/swan-prep road # cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf road # cp policies/* /etc/ipsec.d/policies/ road # echo "192.1.2.0/24" >> /etc/ipsec.d/policies/private-or-clear road # ipsec start Redirecting to: [initsystem] road # /testing/pluto/bin/wait-until-pluto-started road # #ipsec whack --impair suppress-retransmits road # # ensure for tests acquires expire before our failureshunt=2m road # echo 30 > /proc/sys/net/core/xfrm_acq_expires road # # give OE policies time to load road # sleep 5 road # ipsec whack --listpubkeys 000 000 List of Public Keys: 000 road # # preloading two bad keys road # ipsec whack --keyid "192.1.2.23" --addkey --pubkeyrsa "0sAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" road # ipsec whack --keyid "192.1.2.23" --addkey --pubkeyrsa "0sAQBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB" road # ipsec whack --listpubkeys 000 000 List of Public Keys: 000 000 TIMESTAMP, 2192 RSA Key AQBBBBBBB (no private key), until --- -- --:--:-- ---- ok (expires never) 000 ID_IPV4_ADDR '192.1.2.23' 000 TIMESTAMP, 2192 RSA Key AQAAAAAAA (no private key), until --- -- --:--:-- ---- ok (expires never) 000 ID_IPV4_ADDR '192.1.2.23' road # echo "initdone" initdone road # # two preloaded keys are wrong and not used, dns lookup finds real key road # ipsec whack --oppohere 192.1.3.209 --oppothere 192.1.2.23 002 initiate on demand from 192.1.3.209:0 to 192.1.2.23:0 proto=0 because: whack 1v2 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: initiating IKEv2 connection 003 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: authenticated using RSA with SHA2_512 002 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] road # ping -n -c 2 -I 192.1.3.209 192.1.2.23 PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data. 64 bytes from 192.1.2.23: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.1.2.23: icmp_seq=2 ttl=64 time=0.XXX ms --- 192.1.2.23 ping statistics --- 2 packets transmitted, 2 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms road # ipsec whack --trafficstatus 006 #2: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23' road # # this should show DNS query road # grep "DNS QUESTION" /tmp/pluto.log | DNS QUESTION 23.2.1.192.IN-ADDR.ARPA.\011IN\011IPSECKEY\012 road # # shows existing bad keys replaced with working new key (why is that?) road # ipsec whack --listpubkeys 000 000 List of Public Keys: 000 000 TIMESTAMP, 2192 RSA Key AQO9bJbr3 (no private key), until TIMESTAMP warning (expires in X days) 000 ID_IPV4_ADDR '192.1.2.23' road # echo done done road # # A tunnel should have established with non-zero byte counters road # ipsec whack --trafficstatus 006 #2: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='192.1.2.23' road # grep "negotiated connection" /tmp/pluto.log "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0] road # # you should see one RSA and on NULL only road # grep -e 'auth method: ' -e 'hash algorithm identifier' -e ': authenticated using ' /tmp/pluto.log | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256 into IKEv2 Notify Payload | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_256: 00 02 | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384 into IKEv2 Notify Payload | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_384: 00 03 | emitting 2 raw bytes of hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512 into IKEv2 Notify Payload | hash algorithm identifier IKEv2_HASH_ALGORITHM_SHA2_512: 00 04 | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) | hash algorithm identifier (network ordered) | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) | hash algorithm identifier (network ordered) | parsing 2 raw bytes of IKEv2 Notify Payload into hash algorithm identifier (network ordered) | hash algorithm identifier (network ordered) | auth method: IKEv2_AUTH_NULL (0xd) | auth method: IKEv2_AUTH_DIGSIG (0xe) "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: authenticated using RSA with SHA2_512 road # ../bin/check-for-core.sh road # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi