File: road.console.txt

package info (click to toggle)
libreswan 5.2-2.3
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 81,644 kB
  • sloc: ansic: 129,988; sh: 32,018; xml: 20,646; python: 10,303; makefile: 3,022; javascript: 1,506; sed: 574; yacc: 511; perl: 264; awk: 52
file content (189 lines) | stat: -rw-r--r-- 6,303 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
 
/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 # ensure for tests acquires expire before our failureshunt=2m
road #
 echo 30 > /proc/sys/net/core/xfrm_acq_expires
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 10' -- ipsec auto --status
Total IPsec connections: loaded 10, active 0
road #
 ip -s xfrm monitor > /tmp/xfrm-monitor.out & sleep 1
[x] PID
road #
 echo "initdone"
initdone
road #
 ../../guestbin/ping-once.sh --down -I 192.1.3.209 192.1.2.23
down
road #
 # wait on OE retransmits and rekeying
road #
 sleep 5
road #
 # should show tunnel and no shunts
road #
 ipsec whack --trafficstatus
#2: "private#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
road #
 ipsec whack --shuntstatus
Bare Shunt list:
 
road #
 ../../guestbin/ipsec-kernel-state.sh
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 0, bitmap-length 0
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
road #
 ../../guestbin/ipsec-kernel-policy.sh
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 killall ip > /dev/null 2> /dev/null
road #
 cp /tmp/xfrm-monitor.out OUTPUT/road.xfrm-monitor.txt
road #
 # ping should succeed through tunnel
road #
 ../../guestbin/ping-once.sh --up -I 192.1.3.209 192.1.2.23
up
road #
 echo done
done
road #
 ../../guestbin/ipsec-kernel-state.sh
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 0, bitmap-length 0
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
road #
 ../../guestbin/ipsec-kernel-policy.sh
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 # should show tunnel
road #
 grep "^[^|].* established Child SA" /tmp/pluto.log
"private#192.1.2.0/24"[1] ...192.1.2.23 #2: initiator established Child SA using #1; IPsec tunnel [192.1.3.209/32===192.1.2.23/32] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
road #