/testing/guestbin/swan-prep north # ../../guestbin/wait-until-alive -I 192.0.3.254 192.0.2.254 destination -I 192.0.3.254 192.0.2.254 is alive north # # ensure that clear text does not get through north # iptables -A INPUT -i eth1 -s 192.0.2.254/32 -j DROP north # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT north # # confirm clear text does not get through north # ../../guestbin/ping-once.sh --down -I 192.0.3.254 192.0.2.254 down north # ipsec start Redirecting to: [initsystem] north # ../../guestbin/wait-until-pluto-started north # ipsec auto --add northnet-eastnet-nonat "northnet-eastnet-nonat": added IKEv1 connection north # echo "initdone" initdone north # ipsec auto --up northnet-eastnet-nonat "northnet-eastnet-nonat" #1: initiating IKEv1 Main Mode connection "northnet-eastnet-nonat" #1: sent Main Mode request "northnet-eastnet-nonat" #1: sent Main Mode I2 "northnet-eastnet-nonat" #1: sent Main Mode I3 "northnet-eastnet-nonat" #1: Peer ID is ID_FQDN: '@east' "northnet-eastnet-nonat" #1: authenticated peer using preloaded certificate '@east' and 2nnn-bit RSA with SHA1 signature "northnet-eastnet-nonat" #1: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048} "northnet-eastnet-nonat" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES "northnet-eastnet-nonat" #2: sent Quick Mode request "northnet-eastnet-nonat" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive} north # ../../guestbin/ping-once.sh --up -I 192.0.3.254 192.0.2.254 up north # ipsec whack --trafficstatus #2: "northnet-eastnet-nonat", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east' north # echo done done north # ../../guestbin/ipsec-look.sh north NOW XFRM state: src 192.1.2.23 dst 192.1.3.33 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY lastused YYYY-MM-DD HH:MM:SS anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX src 192.1.3.33 dst 192.1.2.23 proto esp spi 0xSPISPI reqid REQID mode tunnel replay-window 0 flag af-unspec auth-trunc hmac(sha1) 0xHASHKEY 96 enc cbc(aes) 0xENCKEY lastused YYYY-MM-DD HH:MM:SS anti-replay esn context: seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX replay_window 128, bitmap-length 4 00000000 00000000 00000000 XXXXXXXX XFRM policy: src 192.0.2.0/24 dst 192.0.3.0/24 dir fwd priority PRIORITY ptype main tmpl src 192.1.2.23 dst 192.1.3.33 proto esp reqid REQID mode tunnel src 192.0.2.0/24 dst 192.0.3.0/24 dir in priority PRIORITY ptype main tmpl src 192.1.2.23 dst 192.1.3.33 proto esp reqid REQID mode tunnel src 192.0.3.0/24 dst 192.0.2.0/24 dir out priority PRIORITY ptype main tmpl src 192.1.3.33 dst 192.1.2.23 proto esp reqid REQID mode tunnel XFRM done IPSEC mangle TABLES ROUTING TABLES default via 192.1.3.254 dev eth1 192.0.1.0/24 via 192.1.3.254 dev eth1 192.0.2.0/24 via 192.1.3.254 dev eth1 192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254 192.1.2.0/24 via 192.1.3.254 dev eth1 192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI north #