/testing/guestbin/swan-prep --hostkeys
Creating NSS database containing host keys
west # ipsec start
Redirecting to: [initsystem]
west # ../../guestbin/wait-until-pluto-started
west # ipsec whack --impair suppress_retransmits
west # ipsec auto --add westnet-eastnet
"westnet-eastnet": added IKEv1 connection
west # ipsec auto --add westnet-eastnet-7
"westnet-eastnet-7": added passthrough connection
west # ipsec auto --route westnet-eastnet-7
west # echo "initdone"
initdone
west # ipsec auto --up westnet-eastnet
"westnet-eastnet" #1: initiating IKEv1 Main Mode connection
"westnet-eastnet" #1: sent Main Mode request
"westnet-eastnet" #1: sent Main Mode I2
"westnet-eastnet" #1: sent Main Mode I3
"westnet-eastnet" #1: Peer ID is ID_FQDN: '@east'
"westnet-eastnet" #1: authenticated peer using preloaded certificate '@east' and 2nnn-bit RSA with SHA1 signature
"westnet-eastnet" #1: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
"westnet-eastnet" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
"westnet-eastnet" #2: sent Quick Mode request
"westnet-eastnet" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive}
west # # counters are zero
west # ipsec whack --trafficstatus
#2: "westnet-eastnet", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='@east'
west # echo take-passthrough-unencrpted | nc -s 192.0.1.254 192.0.2.254 7
take-passthrough-unencrpted
west # # still zero
west # ipsec whack --trafficstatus
#2: "westnet-eastnet", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='@east'
west # echo take-conn-encrypted | nc -s 192.0.1.254 192.0.2.254 222
Ncat: Connection refused.
west # # this moved through the tunnel, so non-zero
west # # workaround for diff err msg between fedora versions resulting in diff byte count
west # ipsec whack --trafficstatus | grep -v "inBytes=0" | sed "s/type=ESP.*$/[...]/"
#2: "westnet-eastnet", [...]
west # echo done
done
west # ../../guestbin/ipsec-kernel-state.sh
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX
west # ../../guestbin/ipsec-kernel-policy.sh
src 192.0.1.0/24 dst 192.0.2.0/24 proto tcp dport 7
	dir out priority PRIORITY ptype main
src 192.0.2.0/24 dst 192.0.1.0/24 proto tcp sport 7
	dir fwd priority PRIORITY ptype main
src 192.0.2.0/24 dst 192.0.1.0/24 proto tcp sport 7
	dir in priority PRIORITY ptype main
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
west # 