/testing/guestbin/swan-prep --userland strongswan
west #
 # confirm that the network is alive
west #
 ../../pluto/bin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j LOGDROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../pluto/bin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ../../pluto/bin/strongswan-start.sh
west #
 echo "initdone"
initdone
west #
 strongswan up westnet-eastnet-ikev1
initiating Main Mode IKE_SA westnet-eastnet-ikev1[1] to 192.1.2.23
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed ID_PROT response 0 [ SA V V V ]
received FRAGMENTATION vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA westnet-eastnet-ikev1[1] established between 192.1.2.45[west]...192.1.2.23[east]
scheduling reauthentication in XXXs
maximum IKE_SA lifetime XXXs
generating QUICK_MODE request 0123456789 [ HASH SA No KE ID ID ]
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed QUICK_MODE response 0123456789 [ HASH SA No KE ID ID ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ
CHILD_SA westnet-eastnet-ikev1{1} established with SPIs SPISPI_i SPISPI_o and TS 192.0.1.0/24 === 192.0.2.0/24
connection 'westnet-eastnet-ikev1' established successfully
west #
 ping -n -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
64 bytes from 192.0.2.254: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=2 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=3 ttl=64 time=0.XXX ms
64 bytes from 192.0.2.254: icmp_seq=4 ttl=64 time=0.XXX ms
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 echo done
done
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../pluto/bin/ipsec-look.sh ; fi
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
Shunted Connections:
Bypass LAN 192.0.1.0/24:  192.0.1.0/24 === 192.0.1.0/24 PASS
Bypass LAN 192.1.2.0/24:  192.1.2.0/24 === 192.1.2.0/24 PASS
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev1[1]: ESTABLISHED XXX second ago, 192.1.2.45[west]...192.1.2.23[east]
westnet-eastnet-ikev1{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o
westnet-eastnet-ikev1{1}:   192.0.1.0/24 === 192.0.2.0/24
west #
 ../bin/check-for-core.sh
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

