/testing/guestbin/swan-prep --userland strongswan --x509 west # # confirm that the network is alive west # ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254 destination -I 192.0.1.254 192.0.2.254 is alive west # # ensure that clear text does not get through west # iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP west # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT west # # confirm clear text does not get through west # ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254 down west # ../../pluto/bin/strongswan-start.sh west # echo "initdone" initdone west # strongswan up westnet-eastnet-ikev2 | grep -v libcurl initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes) received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes) parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ] peer didn't accept DH group ECP_256, it requested MODP_2048 initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23 generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes) received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes) parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(HASH_ALG) N(NATD_S_IP) N(NATD_D_IP) CERTREQ ] selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/MODP_2048 received cert request for "C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=Libreswan test CA for mainca, E=testing@libreswan.org" authentication of 'C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=west.testing.libreswan.org, E=user-west@testing.libreswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful establishing CHILD_SA westnet-eastnet-ikev2{1} generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr 
N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ] sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes) received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes) parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ] received AUTHENTICATION_FAILED notify error establishing connection 'westnet-eastnet-ikev2' failed west # ping -n -c4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. --- 192.0.2.254 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time XXXX west # # hash algorithm notification should NOT be received west # grep SIGNATURE_HASH_ALGO /tmp/charon.log | cut -f 2 -d "]" received SIGNATURE_HASH_ALGORITHMS notify west # echo done done west # if [ -f /var/run/pluto/pluto.pid ]; then ../../pluto/bin/ipsec-look.sh ; fi west # # expect state #2, state #1 responded with INVALID_KE west # if [ -f /var/run/pluto/pluto.pid ]; then grep "authenticated using RSA" /tmp/pluto.log ; fi west # if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi Shunted Connections: Bypass LAN 192.0.1.0/24: 192.0.1.0/24 === 192.0.1.0/24 PASS Bypass LAN 192.1.2.0/24: 192.1.2.0/24 === 192.1.2.0/24 PASS Security Associations (0 up, 0 connecting): none west # ../bin/check-for-core.sh west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi