/testing/guestbin/swan-prep --nokeys
Creating empty NSS database
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 echo "initdone"
initdone
west #
 ../../guestbin/libreswan-up-down.sh ah=md5 -I 192.0.1.254 192.0.2.254
"ah=md5": added IKEv2 connection
"ah=md5" #1: initiating IKEv2 connection to 192.1.2.23 using UDP
"ah=md5" #1: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"ah=md5" #1: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}, initiating IKE_AUTH
"ah=md5" #1: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #2 {AH <0xAHAH}
"ah=md5" #1: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"ah=md5" #2: initiator established Child SA using #1; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {AH=>0xAHAH <0xAHAH xfrm=HMAC_MD5_96 DPD=passive}
up
"ah=md5": initiating delete of connection's IKE SA #1 (and Child SA #2)
"ah=md5" #1: sent INFORMATIONAL request to delete IKE SA
"ah=md5" #2: AH traffic information: in=84B out=84B
"ah=md5" #1: deleting IKE SA (established IKE SA)
west #
 ../../guestbin/libreswan-up-down.sh ah=sha1 -I 192.0.1.254 192.0.2.254
"ah=sha1": added IKEv2 connection
"ah=sha1" #3: initiating IKEv2 connection to 192.1.2.23 using UDP
"ah=sha1" #3: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"ah=sha1" #3: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}, initiating IKE_AUTH
"ah=sha1" #3: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #4 {AH <0xAHAH}
"ah=sha1" #3: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"ah=sha1" #4: initiator established Child SA using #3; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
up
"ah=sha1": initiating delete of connection's IKE SA #3 (and Child SA #4)
"ah=sha1" #3: sent INFORMATIONAL request to delete IKE SA
"ah=sha1" #4: AH traffic information: in=84B out=84B
"ah=sha1" #3: deleting IKE SA (established IKE SA)
west #
 # Test rekey
west #
 ipsec auto --add ah=sha1
"ah=sha1": added IKEv2 connection
west #
 ipsec auto --up ah=sha1
"ah=sha1" #5: initiating IKEv2 connection to 192.1.2.23 using UDP
"ah=sha1" #5: sent IKE_SA_INIT request to 192.1.2.23:UDP/500
"ah=sha1" #5: processed IKE_SA_INIT response from 192.1.2.23:UDP/500 {cipher=AES_CBC_128 integ=HMAC_SHA1_96 prf=HMAC_SHA1 group=MODP2048}, initiating IKE_AUTH
"ah=sha1" #5: sent IKE_AUTH request to 192.1.2.23:UDP/500 with shared-key-mac and FQDN '@west'; Child SA #6 {AH <0xAHAH}
"ah=sha1" #5: initiator established IKE SA; authenticated peer using authby=secret and FQDN '@east'
"ah=sha1" #6: initiator established Child SA using #5; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 sleep 1
west #
 ipsec auto --up ah=sha1
"ah=sha1" #7: initiating Child SA using IKE SA #5
"ah=sha1" #7: sent CREATE_CHILD_SA request to create Child SA using IKE SA #5 {AH <0xAHAH}
"ah=sha1" #7: initiator established Child SA using #5; IPsec tunnel [192.0.1.0/24===192.0.2.0/24] {AH=>0xAHAH <0xAHAH xfrm=HMAC_SHA1_96 DPD=passive}
west #
 sleep 1
west #
 ../../guestbin/ping-once.sh --up -I 192.0.1.254 192.0.2.254
up
west #
 # since bofh AH tunnels are still there, check if they all got traffic, meaning new ones was used
west #
 # use weird spacing to avoid sanitizer
west #
 ip xfrm     s | grep anti-replay
	anti-replay esn context:
	anti-replay esn context:
west #
 echo done
done
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ipsec _kernel state ; fi
src 192.1.2.45 dst 192.1.2.23
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.2.45
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.45 dst 192.1.2.23
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.2.45
	proto ah spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec align4
	auth-trunc hmac(sha1) 0xHASHKEY 96
	lastused YYYY-MM-DD HH:MM:SS
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ipsec _kernel policy ; fi
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto ah reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto ah reqid REQID mode tunnel
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan statusall ; fi
west #
