1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
|
/testing/guestbin/swan-prep
west #
ipsec start
Redirecting to: [initsystem]
west #
/testing/pluto/bin/wait-until-pluto-started
west #
ipsec whack --impair suppress-retransmits
west #
ipsec auto --add westnet-eastnet
002 "westnet-eastnet": added IKEv1 connection
west #
ipsec auto --add westnet-eastnet-22
002 "westnet-eastnet-22": added passthrough connection
west #
ipsec auto --route westnet-eastnet-22
west #
echo "initdone"
initdone
west #
ipsec auto --up westnet-eastnet
002 "westnet-eastnet" #1: initiating IKEv1 Main Mode connection
1v1 "westnet-eastnet" #1: sent Main Mode request
1v1 "westnet-eastnet" #1: sent Main Mode I2
1v1 "westnet-eastnet" #1: sent Main Mode I3
002 "westnet-eastnet" #1: Peer ID is ID_FQDN: '@east'
003 "westnet-eastnet" #1: authenticated using RSA with SHA-1
004 "westnet-eastnet" #1: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "westnet-eastnet" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO
1v1 "westnet-eastnet" #2: sent Quick Mode request
004 "westnet-eastnet" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
west #
# counters are zero
west #
ipsec whack --trafficstatus
006 #2: "westnet-eastnet", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east'
west #
echo take-passthrough-unencrpted | nc -s 192.0.1.254 192.0.2.254 22
SSH-2.0-OpenSSH_XXX
Invalid SSH identification string.
west #
# still zero
west #
ipsec whack --trafficstatus
006 #2: "westnet-eastnet", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east'
west #
echo take-conn-encrypted | nc -s 192.0.1.254 192.0.2.254 222
Ncat: Connection refused.
west #
# this moved through the tunnel, so non-zero
west #
# workaround for diff err msg between fedora versions resulting in diff byte count
west #
ipsec whack --trafficstatus | grep -v "inBytes=0" | sed "s/type=ESP.*$/[...]/"
006 #2: "westnet-eastnet", [...]
west #
echo done
done
west #
../../pluto/bin/ipsec-look.sh
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
proto esp spi 0xSPISPI reqid REQID mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xHASHKEY 96
enc cbc(aes) 0xENCKEY
src 192.1.2.45 dst 192.1.2.23
proto esp spi 0xSPISPI reqid REQID mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xHASHKEY 96
enc cbc(aes) 0xENCKEY
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24 proto tcp dport 22
dir out priority 1691598 ptype main
src 192.0.2.0/24 dst 192.0.1.0/24 proto tcp sport 22
dir fwd priority 1691598 ptype main
src 192.0.2.0/24 dst 192.0.1.0/24 proto tcp sport 22
dir in priority 1691598 ptype main
src 192.0.1.0/24 dst 192.0.2.0/24
dir out priority 2084814 ptype main
tmpl src 192.1.2.45 dst 192.1.2.23
proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
dir fwd priority 2084814 ptype main
tmpl src 192.1.2.23 dst 192.1.2.45
proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
dir in priority 2084814 ptype main
tmpl src 192.1.2.23 dst 192.1.2.45
proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
west #
../bin/check-for-core.sh
west #
if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
west #
|
