/testing/guestbin/swan-prep --hostkeys
Creating NSS database containing host keys
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add netkey
"netkey": added IKEv2 connection
west #
 ipsec auto --status | grep DECAP_DSCP
"netkey":   policy: IKEv2+RSASIG+ECDSA+RSASIG_v1_5+ENCRYPT+TUNNEL+PFS+DECAP_DSCP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
west #
 ipsec whack --impair suppress_retransmits
west #
 echo "initdone"
initdone
west #
 ipsec auto --up netkey
"netkey" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"netkey" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"netkey" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"netkey" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500
"netkey" #1: initiator established IKE SA; authenticated peer using preloaded certificate '@east' and 2nnn-bit RSASSA-PSS with SHA2_512 digital signature
"netkey" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec whack --trafficstatus
#2: "netkey", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 ip xfrm state |grep dscp
	replay-window 0 flag decap-dscp af-unspec esn
	replay-window 0 flag decap-dscp af-unspec esn
west #
 echo done
done
west #
 
