/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet-ikev1
ipsec addconn: /etc/ipsec.conf:38: warning: obsolete keyword ignored: dpdaction=clear
"westnet-eastnet-ikev1": added IKEv1 connection
west #
 echo "initdone"
initdone
west #
 ipsec auto --up westnet-eastnet-ikev1
"westnet-eastnet-ikev1" #1: initiating IKEv1 Main Mode connection
"westnet-eastnet-ikev1" #1: sent Main Mode request
"westnet-eastnet-ikev1" #1: sent Main Mode I2
"westnet-eastnet-ikev1" #1: sent Main Mode I3
"westnet-eastnet-ikev1" #1: Peer ID is ID_FQDN: '@east'
"westnet-eastnet-ikev1" #1: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
"westnet-eastnet-ikev1" #1: XAUTH: Answering XAUTH challenge with user='use3'
"westnet-eastnet-ikev1" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
"westnet-eastnet-ikev1" #1: XAUTH: Successfully Authenticated
"westnet-eastnet-ikev1" #1: XAUTH client - possibly awaiting CFG_set {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
"westnet-eastnet-ikev1" #1: modecfg: Sending IP request (MODECFG_I1)
"westnet-eastnet-ikev1" #1: Received IPv4 address: 192.0.1.254/32
"westnet-eastnet-ikev1" #1: ISAKMP SA established {auth=PRESHARED_KEY cipher=AES_CBC_128 integ=HMAC_SHA1 group=MODP2048}
"westnet-eastnet-ikev1" #2: initiating Quick Mode IKEv1+PSK+ENCRYPT+TUNNEL+PFS+UP+XAUTH+MODECFG_PULL+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
"westnet-eastnet-ikev1" #2: sent Quick Mode request
"westnet-eastnet-ikev1" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=active username=use3}
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 # wait for a few DPDs
west #
 sleep 11
west #
 grep "R_U_THERE_ACK, seqno received" /tmp/pluto.log >/dev/null || echo DPD failed
west #
 # confirm --down is processed properly too
west #
 ipsec auto --down westnet-eastnet-ikev1
"westnet-eastnet-ikev1": terminating SAs using this connection
"westnet-eastnet-ikev1" #2: deleting IPsec SA (QUICK_I2) and sending notification using ISAKMP SA #1
"westnet-eastnet-ikev1" #2: ESP traffic information: in=84B out=84B XAUTHuser=use3
"westnet-eastnet-ikev1" #1: deleting ISAKMP SA (MAIN_I4) and sending notification
west #
 echo done
done
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-kernel-state.sh ; fi
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-kernel-policy.sh ; fi
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then grep "received DELETE for ESP CHILD_SA with SPI" /tmp/charon.log > /dev/null || echo "DELETE FAILED"; fi
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then grep "processing failed" /tmp/charon.log; fi
west #
 
