/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add west
"west": added IKEv2 connection
west #
 # confirm max packets for IPsec SA is set
west #
 ipsec status |grep ipsec_max_packets
"west":   ike_life: 28800s; ipsec_life: 28800s; ipsec_max_bytes: 2^63B; ipsec_max_packets: 20; replay_window: 128; rekey_margin: 540s; rekey_fuzz: 100%;
west #
 echo "initdone"
initdone
west #
 ipsec auto --up west
"west" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"west" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"west" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=DH19}, initiating IKE_AUTH
"west" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #2 {ESP <0xESPESP}
"west" #1: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"west" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
west #
 # find out the actual number of packets
west #
 actual=$(sed -n -e 's/.* ipsec-max-packets.* actual-limit=\([0-9]*\).*/\1/ p' /tmp/pluto.log | head -1)
west #
 echo $actual
5
west #
 # First take the SA up-to, but not over, the limit by spraying the
west #
 # peer with ping packets.
west #
 #
west #
 # Second, slowly drip packets into the SA until the trafficstatus for
west #
 # the state disappears indicating a replace/rekey.
west #
 spray() { local n=0 ; while test $n -lt $1 ; do  n=$((n + 1)) ; ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254 ; done ; }
west #
 drip() { while ipsec trafficstatus | grep -e "$1" ; do ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254 ; sleep 5 ; done ; }
west #
 # once; add one for compression
west #
 spray $((actual / 84 + 1))
up
west #
 drip '#2'
#2: "west", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
up
#2: "west", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, maxBytes=2^63B, id='@east'
up
#2: "west", type=ESP, add_time=1234567890, inBytes=252, outBytes=252, maxBytes=2^63B, id='@east'
up
#2: "west", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, maxBytes=2^63B, id='@east'
up
#2: "west", type=ESP, add_time=1234567890, inBytes=420, outBytes=420, maxBytes=2^63B, id='@east'
up
west #
 # twice; add one for compression
west #
 spray $((actual / 84 + 1))
up
west #
 drip '#3'
#3: "west", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
up
#3: "west", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, maxBytes=2^63B, id='@east'
up
#3: "west", type=ESP, add_time=1234567890, inBytes=252, outBytes=252, maxBytes=2^63B, id='@east'
up
#3: "west", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, maxBytes=2^63B, id='@east'
up
#3: "west", type=ESP, add_time=1234567890, inBytes=420, outBytes=420, maxBytes=2^63B, id='@east'
up
west #
 # thrice; add one for compression
west #
 spray $((actual / 84 + 1))
up
west #
 drip '#4'
#4: "west", type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='@east'
up
#4: "west", type=ESP, add_time=1234567890, inBytes=168, outBytes=168, maxBytes=2^63B, id='@east'
up
#4: "west", type=ESP, add_time=1234567890, inBytes=252, outBytes=252, maxBytes=2^63B, id='@east'
up
#4: "west", type=ESP, add_time=1234567890, inBytes=336, outBytes=336, maxBytes=2^63B, id='@east'
up
#4: "west", type=ESP, add_time=1234567890, inBytes=420, outBytes=420, maxBytes=2^63B, id='@east'
up
west #
 ipsec _kernel state
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 0, bitmap-length 0
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
west #
 ipsec _kernel policy
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
west #
