File: west.console.txt

package info (click to toggle)
libreswan 5.2-2.3
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 81,644 kB
  • sloc: ansic: 129,988; sh: 32,018; xml: 20,646; python: 10,303; makefile: 3,022; javascript: 1,506; sed: 574; yacc: 511; perl: 264; awk: 52
file content (190 lines) | stat: -rw-r--r-- 8,859 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
 
/testing/guestbin/swan-prep --hostkeys
Creating NSS database containing host keys
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add westnet-eastnet
"westnet-eastnet": added IKEv1 connection
west #
 ipsec auto --status
using kernel interface: xfrm
 
interface lo 127.0.0.1:UDP/4500 (NAT)
interface lo 127.0.0.1:UDP/500
interface eth0 192.0.1.254:UDP/4500 (NAT)
interface eth0 192.0.1.254:UDP/500
interface eth1 192.1.2.45:UDP/4500 (NAT)
interface eth1 192.1.2.45:UDP/500
 
fips mode=disabled;
SElinux=XXXXX
seccomp=OFF
 
config setup options:
 
configdir=/etc, configfile=/etc/ipsec.conf, secrets=/etc/ipsec.secrets, ipsecdir=/etc/ipsec.d
sbindir=PATH/sbin, libexecdir=PATH/libexec/ipsec
nhelpers=-1, uniqueids=yes, dnssec-enable=yes, shuntlifetime=900s, xfrmlifetime=30s
logfile='/tmp/pluto.log', logappend=no, logip=yes, audit-log=yes
ddos-cookies-threshold=25000, ddos-max-halfopen=50000, ddos-mode=auto, ikev1-policy=accept
ikebuf=0, msg_errqueue=yes, crl-strict=no, crlcheckinterval=0, listen=<any>, nflog-all=0
ocsp-enable=no, ocsp-strict=no, ocsp-timeout=2, ocsp-uri=<unset>
ocsp-trust-name=<unset>
ocsp-cache-size=1000, ocsp-cache-min-age=3600, ocsp-cache-max-age=86400, ocsp-method=get
global-redirect=no, global-redirect-to=<unset>
debug ...
 
nat-traversal: keep-alive=20, nat-ikeport=4500
virtual-private (%priv):
 
Kernel algorithms supported:
 
algorithm ESP encrypt: name=3DES_CBC, keysizemin=192, keysizemax=192
algorithm ESP encrypt: name=AES_CBC, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_12, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_16, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CCM_8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_CTR, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_12, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_16, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=AES_GCM_8, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=CAMELLIA_CBC, keysizemin=128, keysizemax=256
algorithm ESP encrypt: name=CHACHA20_POLY1305, keysizemin=256, keysizemax=256
algorithm ESP encrypt: name=NULL, keysizemin=0, keysizemax=0
algorithm ESP encrypt: name=NULL_AUTH_AES_GMAC, keysizemin=128, keysizemax=256
algorithm AH/ESP auth: name=AES_CMAC_96, key-length=128
algorithm AH/ESP auth: name=AES_XCBC_96, key-length=128
algorithm AH/ESP auth: name=HMAC_MD5_96, key-length=128
algorithm AH/ESP auth: name=HMAC_SHA1_96, key-length=160
algorithm AH/ESP auth: name=HMAC_SHA2_256_128, key-length=256
algorithm AH/ESP auth: name=HMAC_SHA2_256_TRUNCBUG, key-length=256
algorithm AH/ESP auth: name=HMAC_SHA2_384_192, key-length=384
algorithm AH/ESP auth: name=HMAC_SHA2_512_256, key-length=512
algorithm AH/ESP auth: name=NONE, key-length=0
 
IKE algorithms supported:
 
algorithm IKE encrypt: v1id=5, v1name=OAKLEY_3DES_CBC, v2id=3, v2name=3DES, blocksize=8, keydeflen=192
algorithm IKE encrypt: v1id=8, v1name=OAKLEY_CAMELLIA_CBC, v2id=23, v2name=CAMELLIA_CBC, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=20, v2name=AES_GCM_16, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=19, v2name=AES_GCM_12, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=18, v2name=AES_GCM_8, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=13, v1name=OAKLEY_AES_CTR, v2id=13, v2name=AES_CTR, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=7, v1name=OAKLEY_AES_CBC, v2id=12, v2name=AES_CBC, blocksize=16, keydeflen=128
algorithm IKE encrypt: v1id=-1, v1name=n/a, v2id=28, v2name=CHACHA20_POLY1305, blocksize=16, keydeflen=256
algorithm IKE PRF: name=HMAC_MD5, hashlen=16
algorithm IKE PRF: name=HMAC_SHA1, hashlen=20
algorithm IKE PRF: name=HMAC_SHA2_256, hashlen=32
algorithm IKE PRF: name=HMAC_SHA2_384, hashlen=48
algorithm IKE PRF: name=HMAC_SHA2_512, hashlen=64
algorithm IKE PRF: name=AES_XCBC, hashlen=16
algorithm IKE DH Key Exchange: name=MODP1536, bits=1536
algorithm IKE DH Key Exchange: name=MODP2048, bits=2048
algorithm IKE DH Key Exchange: name=MODP3072, bits=3072
algorithm IKE DH Key Exchange: name=MODP4096, bits=4096
algorithm IKE DH Key Exchange: name=MODP6144, bits=6144
algorithm IKE DH Key Exchange: name=MODP8192, bits=8192
algorithm IKE DH Key Exchange: name=DH19, bits=512
algorithm IKE DH Key Exchange: name=DH20, bits=768
algorithm IKE DH Key Exchange: name=DH21, bits=1056
algorithm IKE DH Key Exchange: name=DH31, bits=256
 
stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0} 
 
Connection list:
 
"westnet-eastnet": 192.0.1.0/24===192.1.2.45[@west]...192.1.2.23[@east]===192.0.2.0/24; unrouted; my_ip=unset; their_ip=unset;
"westnet-eastnet":   host: oriented; local: 192.1.2.45; remote: 192.1.2.23;
"westnet-eastnet":   my_updown=ipsec _updown;
"westnet-eastnet":   xauth us:none, xauth them:none,  my_username=[any]; their_username=[any]
"westnet-eastnet":   our auth:rsasig, their auth:rsasig, our autheap:none, their autheap:none;
"westnet-eastnet":   modecfg info: us:none, them:none, modecfg policy:push, dns:unset, domains:unset, cat:unset;
"westnet-eastnet":   sec_label:unset;
"westnet-eastnet":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 2^63; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
"westnet-eastnet":   iptfs: no; fragmentation: yes; packet-size: 0; max-queue-size: 0; drop-time: 0; init-delay: 0; reorder-window: 0;
"westnet-eastnet":   retransmit-interval: 9999ms; retransmit-timeout: 99s; iketcp:no; iketcp-port:4500;
"westnet-eastnet":   initial-contact:no; cisco-unity:no; fake-strongswan:no; send-vendorid:no; send-no-esp-tfc:no;
"westnet-eastnet":   policy: IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+IKE_FRAG_ALLOW+ESN_NO+ESN_YES;
"westnet-eastnet":   conn_prio: 24,24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; sa_tfc:none;
"westnet-eastnet":   nflog-group: unset; mark: unset; vti-iface:unset; vti-routing:no; vti-shared:no; nic-offload:no;
"westnet-eastnet":   our idtype: ID_FQDN; our id=@west; their idtype: ID_FQDN; their id=@east
"westnet-eastnet":   dpd: passive; delay:0s; timeout:0s
"westnet-eastnet":   nat-traversal: encapsulation:auto; keepalive:20s; ikev1-method:rfc+drafts
"westnet-eastnet":   routing: unrouted;
"westnet-eastnet":   conn serial: $1;
 
Total IPsec connections: loaded 1, active 0
 
State Information: DDoS cookies not required, Accepting new IKE connections
IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
IPsec SAs: total(0), authenticated(0), anonymous(0)
 
Bare Shunt list:
 
west #
 echo "initdone"
initdone
west #
 ipsec auto --up westnet-eastnet
"westnet-eastnet" #1: initiating IKEv1 Main Mode connection
"westnet-eastnet" #1: sent Main Mode request
"westnet-eastnet" #1: sent Main Mode I2
"westnet-eastnet" #1: sent Main Mode I3
"westnet-eastnet" #1: Peer ID is ID_FQDN: '@east'
"westnet-eastnet" #1: authenticated peer using preloaded certificate '@east' and 2nnn-bit RSA with SHA1 signature
"westnet-eastnet" #1: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
"westnet-eastnet" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
"westnet-eastnet" #2: sent Quick Mode request
"westnet-eastnet" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive}
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 ipsec whack --trafficstatus
#2: "westnet-eastnet", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
west #
 # cause cleartext failure
west #
 ip xfrm policy flush
west #
 # should cause failures on east
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 echo done
done
west #
 ../../guestbin/ipsec-kernel-state.sh
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
west #
 ../../guestbin/ipsec-kernel-policy.sh
west #
 # normally xfrmcheck should never fail, but this tests the test (on east) :)
west #
 ../../guestbin/xfrmcheck.sh
west #