1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
/testing/guestbin/swan-prep
north #
../../guestbin/wait-until-alive -I 192.0.3.254 192.0.2.254
destination -I 192.0.3.254 192.0.2.254 is alive
north #
# ensure that clear text does not get through
north #
iptables -A INPUT -i eth1 -s 192.0.2.254/32 -j DROP
north #
iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
north #
# confirm clear text does not get through
north #
../../guestbin/ping-once.sh --down -I 192.0.3.254 192.0.2.254
down
north #
ipsec start
Redirecting to: [initsystem]
north #
../../guestbin/wait-until-pluto-started
north #
ipsec auto --add northnet-eastnet-nonat
"northnet-eastnet-nonat": added IKEv1 connection
north #
echo "initdone"
initdone
north #
ipsec auto --up northnet-eastnet-nonat
"northnet-eastnet-nonat" #1: initiating IKEv1 Main Mode connection
"northnet-eastnet-nonat" #1: sent Main Mode request
"northnet-eastnet-nonat" #1: sent Main Mode I2
"northnet-eastnet-nonat" #1: sent Main Mode I3
"northnet-eastnet-nonat" #1: Peer ID is ID_FQDN: '@east'
"northnet-eastnet-nonat" #1: authenticated peer using preloaded certificate '@east' and 2nnn-bit RSA with SHA1 signature
"northnet-eastnet-nonat" #1: ISAKMP SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
"northnet-eastnet-nonat" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
"northnet-eastnet-nonat" #2: sent Quick Mode request
"northnet-eastnet-nonat" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive}
north #
../../guestbin/ping-once.sh --up -I 192.0.3.254 192.0.2.254
up
north #
ipsec whack --trafficstatus
#2: "northnet-eastnet-nonat", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
north #
echo done
done
north #
../../guestbin/ipsec-look.sh
north NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.33
proto esp spi 0xSPISPI reqid REQID mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha1) 0xHASHKEY 96
enc cbc(aes) 0xENCKEY
lastused YYYY-MM-DD HH:MM:SS
anti-replay esn context:
seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
replay_window 128, bitmap-length 4
00000000 00000000 00000000 XXXXXXXX
src 192.1.3.33 dst 192.1.2.23
proto esp spi 0xSPISPI reqid REQID mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha1) 0xHASHKEY 96
enc cbc(aes) 0xENCKEY
lastused YYYY-MM-DD HH:MM:SS
anti-replay esn context:
seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
replay_window 128, bitmap-length 4
00000000 00000000 00000000 XXXXXXXX
XFRM policy:
src 192.0.2.0/24 dst 192.0.3.0/24
dir fwd priority PRIORITY ptype main
tmpl src 192.1.2.23 dst 192.1.3.33
proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.3.0/24
dir in priority PRIORITY ptype main
tmpl src 192.1.2.23 dst 192.1.3.33
proto esp reqid REQID mode tunnel
src 192.0.3.0/24 dst 192.0.2.0/24
dir out priority PRIORITY ptype main
tmpl src 192.1.3.33 dst 192.1.2.23
proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth1
192.0.1.0/24 via 192.1.3.254 dev eth1
192.0.2.0/24 via 192.1.3.254 dev eth1
192.0.3.0/24 dev eth0 proto kernel scope link src 192.0.3.254
192.1.2.0/24 via 192.1.3.254 dev eth1
192.1.3.0/24 dev eth1 proto kernel scope link src 192.1.3.33
NSS_CERTIFICATES
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
north #
|
