/testing/guestbin/swan-prep --userland strongswan
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ../../guestbin/strongswan-start.sh
west #
 echo "initdone"
initdone
west #
 swanctl --initiate --child westnet-eastnet-ikev1 --loglevel 1
[IKE] initiating Main Mode IKE_SA westnet-eastnet-ikev1[1] to 192.1.2.23
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
[NET] received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V ]
[IKE] received FRAGMENTATION vendor ID
[IKE] received DPD vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
[NET] received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
[NET] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
[NET] received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
[ENC] parsed ID_PROT response 0 [ ID HASH ]
[IKE] IKE_SA westnet-eastnet-ikev1[1] established between 192.1.2.45[west]...192.1.2.23[east]
[IKE] scheduling reauthentication in XXXs
[IKE] maximum IKE_SA lifetime XXXs
[ENC] generating QUICK_MODE request 0123456789 [ HASH SA No ID ID ]
[NET] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
[NET] received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
[ENC] parsed QUICK_MODE response 0123456789 [ HASH SA No ID ID ]
[CFG] selected proposal: AH:HMAC_SHA2_512_256/NO_EXT_SEQ
[IKE] CHILD_SA westnet-eastnet-ikev1{1} established with SPIs SPISPI_i SPISPI_o and TS 192.0.1.0/24 === 192.0.2.0/24
initiate completed successfully
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ../../guestbin/ipsec-kernel-policy.sh
src 192.0.1.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
src 192.0.1.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
src 192.0.1.0/24 dst 192.0.1.0/24
	dir out priority PRIORITY ptype main
src 192.1.2.0/24 dst 192.1.2.0/24
	dir fwd priority PRIORITY ptype main
src 192.1.2.0/24 dst 192.1.2.0/24
	dir in priority PRIORITY ptype main
src 192.1.2.0/24 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto ah spi 0xSPISPI reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
west #
 ../../guestbin/ipsec-kernel-state.sh
src 192.1.2.45 dst 192.1.2.23
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha512) 0xHASHKEY 256
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.2.45
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec align4
	auth-trunc hmac(sha512) 0xHASHKEY 256
	lastused YYYY-MM-DD HH:MM:SS
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-kernel-state.sh ; fi
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-kernel-policy.sh ; fi
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
Shunted Connections:
Bypass LAN 192.0.1.0/24:  192.0.1.0/24 === 192.0.1.0/24 PASS
Bypass LAN 192.1.2.0/24:  192.1.2.0/24 === 192.1.2.0/24 PASS
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev1[1]: ESTABLISHED XXX second ago, 192.1.2.45[west]...192.1.2.23[east]
westnet-eastnet-ikev1{1}:  INSTALLED, TUNNEL, reqid 1, AH SPIs: SPISPI_i SPISPI_o
westnet-eastnet-ikev1{1}:   192.0.1.0/24 === 192.0.2.0/24
west #
 
