/testing/guestbin/swan-prep --userland strongswan west # # confirm that the network is alive west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms west # # make sure that clear text does not get through west # iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP west # iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT west # # confirm with a ping west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=1 [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=2 [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=3 [ 00.00] IN=eth1 OUT= MAC=12:00:00:64:64:45:12:00:00:64:64:23:08:00 SRC=192.0.2.254 DST=192.0.1.254 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=000 PROTO=ICMP TYPE=0 CODE=0 ID=000 SEQ=4 --- 192.0.2.254 ping statistics --- 4 packets transmitted, 0 received, 100% packet loss, time XXXX west # strongswan starter --debug-all Starting strongSwan X.X.X IPsec [starter]... 
Loading config setup Loading conn 'westnet-eastnet-ikev1' left=192.1.2.45 leftid=@west right=192.1.2.23 rightid=@east rightsubnet=192.0.2.0/24 leftsubnet=192.0.1.0/24 authby=secret keyexchange=ikev1 auto=add ah=sha256-modp1536 found netkey IPsec stack west # echo "initdone" initdone west # strongswan up westnet-eastnet-ikev1 initiating Main Mode IKE_SA westnet-eastnet-ikev1[1] to 192.1.2.23 generating ID_PROT request 0 [ SA V V V V ] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes) received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes) parsed ID_PROT response 0 [ SA V V V ] received DPD vendor ID received unknown vendor ID: LIBRESWAN received NAT-T (RFC 3947) vendor ID generating ID_PROT request 0 [ KE No NAT-D NAT-D ] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes) received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes) parsed ID_PROT response 0 [ KE No NAT-D NAT-D ] generating ID_PROT request 0 [ ID HASH ] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes) received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes) parsed ID_PROT response 0 [ ID HASH ] IKE_SA westnet-eastnet-ikev1[1] established between 192.1.2.45[west]...192.1.2.23[east] scheduling reauthentication in XXXs maximum IKE_SA lifetime XXXs generating QUICK_MODE request 0123456789[ HASH SA No KE ID ID ] sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes) received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes) parsed QUICK_MODE response 0123456789[ HASH SA No KE ID ID ] connection 'westnet-eastnet-ikev1' established successfully west # ping -n -c 4 -I 192.0.1.254 192.0.2.254 PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data. 
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms 64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms --- 192.0.2.254 ping statistics --- 4 packets transmitted, 4 received, 0% packet loss, time XXXX rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms west # # cannot use 'ipsec look' with strongswan; inspect the kernel SAs and policies with ip xfrm instead west # ip xfrm state src 192.1.2.45 dst 192.1.2.23 proto ah spi 0xSPISPI reqid 1 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha256) 0xKEY 128 src 192.1.2.23 dst 192.1.2.45 proto ah spi 0xSPISPI reqid 1 mode tunnel replay-window 32 flag af-unspec auth-trunc hmac(sha256) 0xKEY 128 west # ip xfrm pol src 192.0.2.0/24 dst 192.0.1.0/24 dir fwd priority 1859 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto ah reqid 1 mode tunnel src 192.0.2.0/24 dst 192.0.1.0/24 dir in priority 1859 ptype main tmpl src 192.1.2.23 dst 192.1.2.45 proto ah reqid 1 mode tunnel src 192.0.1.0/24 dst 192.0.2.0/24 dir out priority 1859 ptype main tmpl src 192.1.2.45 dst 192.1.2.23 proto ah reqid 1 mode tunnel src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 socket in priority 0 ptype main src 0.0.0.0/0 dst 0.0.0.0/0 socket out priority 0 ptype main src ::/0 dst ::/0 socket in priority 0 ptype main src ::/0 dst ::/0 socket out priority 0 ptype main src ::/0 dst ::/0 socket in priority 0 ptype main src ::/0 dst ::/0 socket out priority 0 ptype main west # echo done done west # if [ -f /var/run/pluto/pluto.pid ]; then ipsec look ; fi west # if [ -f /var/run/charon.pid ]; then strongswan status ; fi Security Associations (1 up, 0 connecting): westnet-eastnet-ikev1[1]: ESTABLISHED XXX seconds ago, 192.1.2.45[west]...192.1.2.23[east] westnet-eastnet-ikev1{1}: INSTALLED, TUNNEL, AH SPIs: SPISPI_i SPISPI_o westnet-eastnet-ikev1{1}: 192.0.1.0/24 === 192.0.2.0/24 
west # west # if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi west # if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi