/testing/guestbin/swan-prep west # # confirm that the network is alive west # ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 destination -I 192.0.1.254 192.0.2.254 is alive west # # ensure that clear text does not get through west # iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP west # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT west # # confirm clear text does not get through west # ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254 down west # ipsec start Redirecting to: [initsystem] west # /testing/pluto/bin/wait-until-pluto-started west # ipsec whack --impair suppress-retransmits west # ipsec auto --add westnet-eastnet-ipcomp 002 "westnet-eastnet-ipcomp": added IKEv1 connection west # echo "initdone" initdone west # ipsec auto --up westnet-eastnet-ipcomp 002 "westnet-eastnet-ipcomp" #1: initiating IKEv1 Main Mode connection 1v1 "westnet-eastnet-ipcomp" #1: sent Main Mode request 1v1 "westnet-eastnet-ipcomp" #1: sent Main Mode I2 1v1 "westnet-eastnet-ipcomp" #1: sent Main Mode I3 002 "westnet-eastnet-ipcomp" #1: Peer ID is ID_FQDN: '@east' 003 "westnet-eastnet-ipcomp" #1: authenticated using RSA with SHA-1 004 "westnet-eastnet-ipcomp" #1: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} 002 "westnet-eastnet-ipcomp" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO 1v1 "westnet-eastnet-ipcomp" #2: sent Quick Mode request 004 "westnet-eastnet-ipcomp" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 IPCOMP=>0xESPESP <0xESPESP NATOA=none NATD=none DPD=passive} west # ../../pluto/bin/ping-once.sh --up -I 192.0.1.254 192.0.2.254 up west # ipsec whack --trafficstatus 006 #2: "westnet-eastnet-ipcomp", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, id='@east' west # echo done done west # ../../pluto/bin/ipsec-look.sh west NOW XFRM state: src 192.1.2.23 dst 192.1.2.45 proto esp spi 0xSPISPI reqid REQID mode transport replay-window 32 auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY sel src 0.0.0.0/0 dst 0.0.0.0/0 src 192.1.2.23 dst 192.1.2.45 proto comp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec comp deflate src 192.1.2.23 dst 192.1.2.45 proto 4 spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec src 192.1.2.45 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode transport replay-window 32 auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY sel src 0.0.0.0/0 dst 0.0.0.0/0 src 192.1.2.45 dst 192.1.2.23 proto comp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec comp deflate src 192.1.2.45 dst 192.1.2.23 proto 4 spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec XFRM policy: src 192.0.1.0/24 dst 192.0.2.0/24 dir out priority 2084814 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto comp reqid REQID mode tunnel tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid REQID mode transport src 192.0.2.0/24 dst 192.0.1.0/24 dir fwd priority 2084814 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto comp reqid REQID mode tunnel level use tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid REQID mode transport src 192.0.2.0/24 dst 192.0.1.0/24 dir in priority 2084814 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto comp reqid REQID mode tunnel level use tmpl src 0.0.0.0 dst 0.0.0.0 proto esp reqid REQID mode transport XFRM done IPSEC mangle TABLES NEW_IPSEC_CONN mangle TABLES ROUTING TABLES default via 192.1.2.254 dev eth1 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI west # ../bin/check-for-core.sh west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi west #