/testing/guestbin/swan-prep --hostkeys
Creating NSS database containing host keys
road #
 echo 3 > /proc/sys/net/core/xfrm_acq_expires
road #
 # install selinux; generated in OUTPUT by east
road #
 semodule -i OUTPUT/ipsecspd.pp
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 ipsec auto --add labeled
"labeled": added IKEv2 connection
road #
 echo "initdone"
initdone
road #
 # for port re-use in tests with protoport selectors
road #
 echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse
road #
 # route; should be two policies
road #
 ipsec auto --route labeled
road #
 ../../guestbin/ipsec-kernel-state.sh
road #
 ../../guestbin/ipsec-kernel-policy.sh
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.219/32 dst 192.0.2.0/24
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
road #
 # trigger traffic
road #
 echo "quit" | runcon -t netutils_t timeout 15 nc  -p 4301 -vv 192.0.2.254 4300 2>&1 | sed -e 's/received in .*$/received .../' -e 's/Version .*/Version .../'
Ncat: Version ...
NCAT DEBUG: Using system default trusted CA certificates and those in PATH/share/ncat/ca-bundle.crt.
NCAT DEBUG: Unable to load trusted CA certificates from PATH/share/ncat/ca-bundle.crt: error:80000002:system library::No such file or directory
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 192.0.2.254:4300 (IOD #1) EID 8
libnsock mksock_bind_addr(): Binding to 0.0.0.0:4301 (IOD #1)
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.0.2.254:4300]
Ncat: Connected to 192.0.2.254:4300.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
libnsock nsock_read(): Read request from IOD #1 [192.0.2.254:4300] (timeout: -1ms) EID 18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (5 bytes): quit.
libnsock nsock_write(): Write request for 5 bytes to IOD #1 EID 35 [192.0.2.254:4300]
libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.0.2.254:4300]
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 42 [peer unspecified]
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 18 [192.0.2.254:4300]
Ncat: 5 bytes sent, 0 bytes received ...
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1)
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2)
road #
 # there should be 2 tunnels - both inactive in one direction
road #
 ipsec trafficstatus | sed -e 's/=[1-9][0-9]*,/=<NNN>,/g'
#2: "labeled"[1][1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=<NNN>, maxBytes=2^63B, id='@east'
#3: "labeled"[1][2] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=<NNN>, outBytes=0, maxBytes=2^63B, id='@east'
road #
 # there should be no bare shunts
road #
 ipsec shuntstatus
Bare Shunt list:
 
road #
 # let larval state expire
road #
 ../../guestbin/wait-for.sh --no-match ' spi 0x00000000 ' -- ../../guestbin/ipsec-kernel-state.sh
road #
 echo done
done
road #
 : sync console - east has output from _getpeercon_server waiting
road #
 # There should be FOUR IPsec SA states (two sets), all with same
road #
 # reqid. And there should be one set of tunnel policies using the
road #
 # configured ipsec_spd_t label, and no outgoing %trap policy
road #
 ../../guestbin/ipsec-kernel-state.sh
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
road #
 ../../guestbin/ipsec-kernel-policy.sh
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.219/32 dst 192.0.2.0/24
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
road #
 # The IKE SA should be associated with the template connection
road #
 ipsec showstates | sed -e 's/=[1-9][0-9]*B/=<NNN>B/g'
#1: "labeled"[1] 192.1.2.23:500 ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
#2: "labeled"[1][1] 192.1.2.23:500 ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; REPLACE in XXs; newest; eroute owner; IKE SA #1; idle;
#2: "labeled"[1][1] 192.1.2.23 esp.ESPSPIi@192.1.2.23 esp.ESPSPIi@192.1.3.209 tun.0@192.1.2.23 tun.0@192.1.3.209 Traffic: ESPin=0B ESPout=<NNN>B ESPmax=2^63B 
#3: "labeled"[1][2] 192.1.2.23:500 ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; REPLACE in XXs; newest; eroute owner; IKE SA #1; idle;
#3: "labeled"[1][2] 192.1.2.23 esp.ESPSPIi@192.1.2.23 esp.ESPSPIi@192.1.3.209 tun.0@192.1.2.23 tun.0@192.1.3.209 Traffic: ESPin=<NNN>B ESPout=0B ESPmax=2^63B 
road #
 
