east:~# set -u east:~# route delete -net 192.0.1.0 netmask 255.255.255.0 east:~# route delete -net default east:~# route add -net default gw 192.1.2.45 east:~# named east:~# dig sunrise-oe.uml.freeswan.org a ; <<>> DiG VERSION<<>> sunrise-oe.uml.freeswan.org a ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;sunrise-oe.uml.freeswan.org. IN A ;; ANSWER SECTION: sunrise-oe.uml.freeswan.org. 604800 IN A 192.0.2.2 ;; Query time: 25 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: DATE ;; MSG SIZE rcvd: SIZE east:~# netstat -rne Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.9.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2 192.1.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 192.0.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 0.0.0.0 192.1.2.45 0.0.0.0 UG 0 0 0 eth1 east:~# export IPSEC_CONFS="/tmp/etc" east:~# mkdir $IPSEC_CONFS east:~# cp -a /etc/ipsec.conf /etc/ipsec.d $IPSEC_CONFS/ east:~# cp -a /testing/baseconfigs/japan/etc/ipsec.secrets $IPSEC_CONFS/ east:~# ipsec setup start ipsec_setup: Starting Libreswan IPsec VERSION east:~# /testing/pluto/bin/wait-until-pluto-started east:~# ipsec auto --add private east:~# ipsec whack --listen 002 listening for IKE messages 002 forgetting secrets 002 loading secrets from "/tmp/etc/ipsec.secrets" 002 loading group "/tmp/etc/ipsec.d/policies/private" east:~# ipsec auto --route private east:~# east:~# : This should fail, but only because we do not know our own secret. east:~# : We use --oppohere/--oppothere so that the negotiation is logged. east:~# : Failure should come before negotiation is actually started. east:~# : No shunt eroute will be created because of using --oppohere/--oppothere. east:~# ipsec whack --oppohere 192.1.2.23 --oppothere 192.0.1.3 000 initiate on demand from 192.1.2.23:0 to 192.0.1.3:0 proto=0 state: fos_start because: whack 000 initiate on demand from 192.1.2.23:0 to 192.0.1.3:0 proto=0 state: fos_our_txt because: our TXT record 000 initiate on demand from 192.1.2.23:0 to 192.0.1.3:0 proto=0 state: fos_our_key because: our KEY record 002 Can not opportunistically initiate for 192.1.2.23 to 192.0.1.3: all our KEY RRs have the wrong public key (and no good TXT RR) 033 Can not opportunistically initiate for 192.1.2.23 to 192.0.1.3: all our KEY RRs have the wrong public key (and no good TXT RR) east:~# ipsec eroute 0 0.0.0.0/0 -> 0.0.0.0/0 => %trap 0 192.1.2.23/32 -> 192.0.1.0/24 => %trap east:~# : Try again, using traffic to prompt negotiation. east:~# : This should result in a %drop east:~# ping -c 2 -n 192.0.1.3 PING 192.0.1.3 (192.0.1.3): 56 data bytes --- 192.0.1.3 ping statistics --- 2 packets transmitted, 0 packets received, 100% packet loss east:~# ipsec eroute 0 0.0.0.0/0 -> 0.0.0.0/0 => %trap 1 192.1.2.23/32 -> 192.0.1.0/24 => %trap 2 192.1.2.23/32 -> 192.0.1.3/32 => %drop east:~# : the nether world according to pluto east:~# east:~# echo end end east:~# east:~# east:~#