/testing/guestbin/swan-prep
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private-or-clear
road #
 ipsec start
Redirecting to: [initsystem]
road #
 /testing/pluto/bin/wait-until-pluto-started
road #
 ipsec auto --add authenticated
002 added connection description "authenticated"
road #
 # ensure for tests acquires expire before our failureshunt=2m
road #
 echo 30 > /proc/sys/net/core/xfrm_acq_expires
road #
 # give OE policies time to load
road #
 sleep 5
road #
 echo "initdone"
initdone
road #
 # setup authenticated static conn
road #
 ipsec auto --up authenticated
1v2 "authenticated" #1: initiating IKEv2 IKE SA
1v2 "authenticated" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
1v2 "authenticated" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
002 "authenticated" #2: IKEv2 mode peer ID is ID_FQDN: '@east'
003 "authenticated" #2: Authenticated using authby=secret
002 "authenticated" #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
004 "authenticated" #2: STATE_V2_IPSEC_I: IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE NATOA=none NATD=none DPD=passive}
road #
 # should show established tunnel and no bare shunts
road #
 ipsec whack --trafficstatus
006 #2: "authenticated", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, id='@east'
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 ../../pluto/bin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 32 flag af-unspec
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
XFRM policy:
src 192.1.2.23/32 dst 192.1.3.209/32
	dir fwd priority 2080702 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
	dir in priority 2080702 ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 2080702 ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority 3129279 ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority 3129279 ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority 3129279 ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority 3129279 ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority 3129279 ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority 3129279 ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority 3129279 ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority 3129279 ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority 3129279 ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority 3129279 ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority 3129279 ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority 3129279 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority 4177870 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 # ping should succeed through tunnel
road #
 ping -n -c 2 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
64 bytes from 192.1.2.23: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.1.2.23: icmp_seq=2 ttl=64 time=0.XXX ms
--- 192.1.2.23 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
 ipsec whack --trafficstatus
006 #2: "authenticated", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='@east'
road #
 ipsec whack --impair send-no-delete
road #
 ipsec auto --delete authenticated
002 "authenticated": terminating SAs using this connection
002 "authenticated" #2: deleting state (STATE_V2_IPSEC_I) and NOT sending notification
005 "authenticated" #2: ESP traffic information: in=168B out=168B
002 "authenticated" #1: deleting state (STATE_PARENT_I3) and NOT sending notification
road #
 sleep 5
road #
 # the ping triggers an OE authnull attempt. It should fail because
road #
 # east should not replace an authenticated conn with an authnull conn
road #
 ping -n -c 2 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time XXXX
road #
 # There should NOT be an IPsec SA, and a partial OE attempt going?
road #
 sleep 5
road #
 ipsec status |grep STATE_
000 #3: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23:500 STATE_PARENT_I2 (sent v2I2, expected v2R2); EVENT_SA_REPLACE in XXs; idle;
road #
 ipsec whack --trafficstatus
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 echo done
done
road #
 # only east should show 1 tunnel
road #
 ipsec whack --trafficstatus
road #
 # east shows the authnull is matched on preferred non-null connection,
road #
 # then cannot find a (non-authnull) match and rejects it. So an
road #
 # additional 'authenticated' partial state lingers
road #
 ipsec status | grep STATE_
000 #3: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23:500 STATE_PARENT_I2 (sent v2I2, expected v2R2); EVENT_SA_REPLACE in XXs; idle;
road #
 ../bin/check-for-core.sh
road #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

