/testing/guestbin/swan-prep
west #
 ipsec start
Redirecting to: [initsystem]
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 # left as example/test for manually calling whack
west #
 ipsec whack --label 'SAwest-east leftrsasigkey'  --keyid "@west" --pubkeyrsa "0sAQOm9dY/449sAWr8e3xtV4tJOQ1396zihfGYHkttpT6zlprRmVq8EPKX3vIo+V+SCfDI1BLkYG6cYJgQAX0mt4+VYi2H3c3e9tOPNbBQ0Bj1mfgE8f9hW7x/H8AE2OSMrDStesHaPC2MMK7WPFmxOpTT1Spzkb1ZXz5yv0obncWyK03nDSQ+d/l/LdadKe9wfXptorhhDEsJSgZxhHCFmo9SoYAG/cb8Pif6Fvoyg6nKgNsPSr/36VWOvSlNI6bcKrNdYqkhHr6D2Gk8AwpIjtM6EfKGWtEwZb3I9IOH/wSHMwVP4NiM/rMZTN2FQPNNbuhJFAYsH1lZBY8gsMpGP8kgfgQwfZqAbD8KiffTr9gVBDf5"
west #
 ipsec whack --label 'SAwest-east rightrsasigkey'  --keyid "@east" --pubkeyrsa "0sAQO9bJbr33iJs+13DaF/e+UWwsnkfZIKkJ1VQ7RiEwOFeuAme1QfygmTz/8lyQJMeMqU5T6s0fmo5bt/zCCE4CHJ8A3FRLrzSGRhWPYPYw3SZx5Zi+zzUDlx+znaEWS2Ys1f040uwVDtnG4iDDmnzmK1r4qADy5MBVyCx40pAi67I1/b8p61feIgcBpj845drEfwXCZOsdBCYFJKsHclzuCYK0P0x1kaZAGD6k7jGiqSuFWrY91LcEcp3Om0YL9DTViPZHOVcKw1ibLCnNRiwF9WX60b5d1Jk2r1I4Lt1OfV8VXyLaImpjZTL5T7mSJcR8xtgDCIljgM9fLtN9AJ1QePae+pmc5NGneeOcQ488VRUUjv"
west #
 ipsec whack --name SAwest-east --ikev1 --encrypt --tunnel --pfs --rsasig --host "192.1.2.45"  --nexthop "192.1.2.23" --updown "ipsec _updown" --id "@west" --to --host "192.1.2.23"  --nexthop "192.1.2.45" --updown "ipsec _updown" --id "@east" --ipseclifetime "28800" --keyingtries "3" --no-esn
002 "SAwest-east": added IKEv1 connection
west #
 # we can transmit in the clear
west #
 ping -q -c 4 -n 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # bring up the tunnel
west #
 ipsec auto --up SAwest-east
002 "SAwest-east" #1: initiating IKEv1 Main Mode connection
1v1 "SAwest-east" #1: sent Main Mode request
1v1 "SAwest-east" #1: sent Main Mode I2
1v1 "SAwest-east" #1: sent Main Mode I3
002 "SAwest-east" #1: Peer ID is ID_FQDN: '@east'
003 "SAwest-east" #1: authenticated using RSA with SHA-1
004 "SAwest-east" #1: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "SAwest-east" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+TUNNEL+PFS+UP+ESN_NO
1v1 "SAwest-east" #2: sent Quick Mode request
004 "SAwest-east" #2: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=none NATD=none DPD=passive}
west #
 # use the tunnel
west #
 ping -q -c 4 -n 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # show the tunnel!
west #
 ipsec whack --trafficstatus
006 #2: "SAwest-east", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, id='@east'
west #
 # "Time to shut down my computer!"...
west #
 ipsec whack --shutdown
west #
 # ...but unless the delete SA is acknowledged, this ping will fail,
west #
 # as our peer still has us routed
west #
 sleep 5
west #
 ping -q -c 4 -n 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 echo done
done
west #
 ../../pluto/bin/ipsec-look.sh
west NOW
XFRM state:
XFRM policy:
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 # up to 3.26 we printed a bogus message; this checks that it no longer happens
west #
 grep "received and ignored empty informational" /tmp/pluto.log
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi
west #
 
