/testing/guestbin/swan-prep west # # confirm that the network is alive west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms west # # make sure that clear text does not get through west # iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP west # # confirm with a ping west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=1 [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=2 [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=3 [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=4 --- 192.0.2.254 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time XXXX west # # adding some routes to sow confusion on purpose west # ip route add 192.168.1.1 via 192.0.1.254 dev eth0 west # ip route add 192.168.1.2 via 192.1.2.45 dev eth1 west # ip route add 192.168.1.16/28 via 192.1.2.45 dev eth1 west # ip route add 25.1.0.0/16 via 192.0.1.254 west # ip route add 25.2.0.0/16 via 192.1.2.45 west # ipsec setup start [ 00.00] registered KLIPS /proc/sys/net [ 00.00] ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0 [ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 keymaxbits=256, found(0) [ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=253 name=cbc(twofish) keyminbits=128 keymaxbits=256, found(0) [ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=252 name=cbc(serpent) keyminbits=128 keymaxbits=256, found(0) [ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=6 name=cbc(cast5) keyminbits=128 keymaxbits=128, found(0) [ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede) keyminbits=192 keymaxbits=192, found(0) [ 00.00] KLIPS: lookup for ciphername=cipher_null: not found [ 00.00] Redirecting to: systemctl start ipsec.service [ 00.00] west # /testing/pluto/bin/wait-until-pluto-started west # ipsec auto --add westnet-all 002 added connection description "westnet-all" west # ip route list default via 192.1.2.254 dev eth1 25.1.0.0/16 via 192.0.1.254 dev eth0 25.2.0.0/16 via 192.1.2.45 dev eth1 169.254.0.0/16 dev eth0 scope link metric 1002 169.254.0.0/16 dev eth1 scope link metric 1003 169.254.0.0/16 dev eth2 scope link metric 1004 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 192.168.1.1 via 192.0.1.254 dev eth0 192.168.1.2 via 192.1.2.45 dev eth1 192.168.1.16/28 via 192.1.2.45 dev eth1 west # for i in `seq 1 12`; do ipsec auto --add orient$i; done 002 added connection description "orient1" 002 added connection description "orient2" 002 added connection description "orient3" 002 added connection description "orient4" 002 added connection description "orient5" 002 added connection description "orient6" 002 added connection description "orient7" 002 added connection description "orient8" 002 added connection description "orient9" 002 added connection description "orient10" 002 added connection description "orient11" 002 added connection description "orient12" west # ipsec auto --status |grep orient |grep "eroute owner" 000 "orient1": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0 000 "orient10": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient11": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient12": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient2": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0 000 "orient3": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0 000 "orient4": 192.1.2.45---192.1.2.254...%any; unrouted; eroute owner: #0 000 "orient5": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient6": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient7": 192.1.2.45<192.1.2.45>---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient8": 192.1.2.45<192.1.2.45>...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 000 "orient9": 192.1.2.45---192.1.2.254...8.8.8.8<8.8.8.8>; unrouted; eroute owner: #0 west # echo "initdone" initdone west # ipsec auto --up westnet-all 002 "westnet-all" #1: initiating Main Mode 104 "westnet-all" #1: STATE_MAIN_I1: initiate 003 "westnet-all" #1: received Vendor ID payload [Dead Peer Detection] 003 "westnet-all" #1: received Vendor ID payload [FRAGMENTATION] 003 "westnet-all" #1: received Vendor ID payload [RFC 3947] 002 "westnet-all" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal) 106 "westnet-all" #1: STATE_MAIN_I2: sent MI2, expecting MR2 003 "westnet-all" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected 108 "westnet-all" #1: STATE_MAIN_I3: sent MI3, expecting MR3 003 "westnet-all" #1: received Vendor ID payload [CAN-IKEv2] 002 "westnet-all" #1: Main mode peer ID is ID_FQDN: '@east' 004 "westnet-all" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048} 002 "westnet-all" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW 117 "westnet-all" #2: STATE_QUICK_I1: initiate 004 "westnet-all" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=passive} west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms west # ip route list 0.0.0.0/1 dev ipsec0 scope link default via 192.1.2.254 dev eth1 25.1.0.0/16 via 192.0.1.254 dev eth0 25.2.0.0/16 via 192.1.2.45 dev eth1 128.0.0.0/1 dev ipsec0 scope link 169.254.0.0/16 dev eth0 scope link metric 1002 169.254.0.0/16 dev eth1 scope link metric 1003 169.254.0.0/16 dev eth2 scope link metric 1004 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 192.168.1.1 via 192.0.1.254 dev eth0 192.168.1.2 via 192.1.2.45 dev eth1 192.168.1.16/28 via 192.1.2.45 dev eth1 west # # testing re-orienting west # ipsec auto --replace westnet-all 002 "westnet-all": deleting connection 002 "westnet-all" #2: deleting state (STATE_QUICK_I2) 005 "westnet-all" #2: ESP traffic information: in=0B out=0B 002 "westnet-all" #1: deleting state (STATE_MAIN_I4) 002 added connection description "westnet-all" west # ipsec auto --status |grep westnet 000 "westnet-all": 192.0.1.0/24===192.1.2.45<192.1.2.45>[@west]...192.1.2.23<192.1.2.23>[@east]===0.0.0.0/0; unrouted; eroute owner: #0 000 "westnet-all": oriented; my_ip=unset; their_ip=unset 000 "westnet-all": xauth info: us:none, them:none, my_xauthuser=[any]; their_xauthuser=[any] 000 "westnet-all": modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset; 000 "westnet-all": labeled_ipsec:no, loopback:no; 000 "westnet-all": policy_label:unset; 000 "westnet-all": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0; 000 "westnet-all": sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no; 000 "westnet-all": policy: RSASIG+ENCRYPT+TUNNEL+PFS+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW; 000 "westnet-all": conn_prio: 24,0; interface: eth1; metric: 0; mtu: unset; sa_prio:auto; 000 "westnet-all": dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:no; nat_keepalive:yes; ikev1_natt:both 000 "westnet-all": newest ISAKMP SA: #0; newest IPsec SA: #0; west # echo done done west # ipsec look west NOW ipsec0->eth1 mtu=16260(9999)->1500 ROUTING TABLES default via 192.1.2.254 dev eth1 25.1.0.0/16 via 192.0.1.254 dev eth0 25.2.0.0/16 via 192.1.2.45 dev eth1 169.254.0.0/16 dev eth0 scope link metric 1002 169.254.0.0/16 dev eth1 scope link metric 1003 169.254.0.0/16 dev eth2 scope link metric 1004 192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254 192.0.2.0/24 via 192.1.2.23 dev eth1 192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45 192.9.4.0/24 dev eth2 proto kernel scope link src 192.9.4.45 192.168.1.1 via 192.0.1.254 dev eth0 192.168.1.2 via 192.1.2.45 dev eth1 192.168.1.16/28 via 192.1.2.45 dev eth1 NSS_CERTIFICATES Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI west # west # ipsec whack --shutdown 002 shutting down west # if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi