/testing/guestbin/swan-prep --userland strongswan
west #
 # confirm that the network is alive
west #
 ../../guestbin/wait-until-alive -I 192.0.1.254 192.0.2.254
destination -I 192.0.1.254 192.0.2.254 is alive
west #
 # ensure that clear text does not get through
west #
 iptables -A INPUT -i eth1 -s 192.0.2.0/24 -j DROP
west #
 iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
west #
 # confirm clear text does not get through
west #
 ../../guestbin/ping-once.sh --down -I 192.0.1.254 192.0.2.254
down
west #
 ../../guestbin/strongswan-start.sh
west #
 echo "initdone"
initdone
west #
 strongswan up westnet-eastnet-ikev2
initiating IKE_SA westnet-eastnet-ikev2[1] to 192.1.2.23
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 192.1.2.45[500] to 192.1.2.23[500] (XXX bytes)
received packet: from 192.1.2.23[500] to 192.1.2.45[500] (XXX bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) N(CHDLESS_SUP) ]
selected proposal: IKE:AES_GCM_16_256/PRF_HMAC_SHA2_512/ECP_256
authentication of 'west' (myself) with pre-shared key
establishing CHILD_SA westnet-eastnet-ikev2{1}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(IPCOMP_SUP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 192.1.2.45[4500] to 192.1.2.23[4500] (XXX bytes)
received packet: from 192.1.2.23[4500] to 192.1.2.45[4500] (XXX bytes)
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(IPCOMP_SUP) ]
authentication of 'east' with pre-shared key successful
IKE_SA westnet-eastnet-ikev2[1] established between 192.1.2.45[west]...192.1.2.23[east]
scheduling reauthentication in XXXs
maximum IKE_SA lifetime XXXs
selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
CHILD_SA westnet-eastnet-ikev2{1} established with SPIs SPISPI_i SPISPI_o and TS 192.0.1.0/24 === 192.0.2.0/24
connection 'westnet-eastnet-ikev2' established successfully
west #
 # First ping is regular ESP since ping is too small to compress.  This
west #
 # oddly shows up as 0 packets and 4 packets on ipcomp.
west #
 ../../guestbin/ping-once.sh --up --small -I 192.0.1.254 192.0.2.254
up
west #
 ip -o -s xfrm state|grep "proto comp" | sed "s/^\(.*\)\(lifetime current:.*\)\(add .*$\)/\2/"
lifetime current:\	  40(bytes), 1(packets)\	  
lifetime current:\	  0(bytes), 0(packets)\	  
west #
 # Finally, a packet that is both larger than the MTU and compression
west #
 # friendly.  This then shows up as 4 packets and 8 packets on ipcomp.
west #
 ../../guestbin/ping-once.sh --up --large -I 192.0.1.254 192.0.2.254
up
west #
 ip -o -s xfrm state|grep "proto comp" | sed "s/^\(.*\)\(lifetime current:.*\)\(add .*$\)/\2/"
lifetime current:\	  8068(bytes), 2(packets)\	  
lifetime current:\	  8028(bytes), 1(packets)\	  
west #
 # mangled traffic status
west #
 ipsec whack --trafficstatus | sed -e 's/Bytes=\([0-9]\)[0-9][0-9],/Bytes=\1nn,/g'
ERROR: ipsec whack: Pluto is not running (no "/run/pluto/pluto.ctl"): No such file or directory (errno 2)
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ipsec _kernel state ; fi
west #
 if [ -f /var/run/pluto/pluto.pid ]; then ipsec _kernel policy ; fi
west #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
Shunted Connections:
Bypass LAN 192.0.1.0/24:  192.0.1.0/24 === 192.0.1.0/24 PASS
Bypass LAN 192.1.2.0/24:  192.1.2.0/24 === 192.1.2.0/24 PASS
Security Associations (1 up, 0 connecting):
westnet-eastnet-ikev2[1]: ESTABLISHED XXX second ago, 192.1.2.45[west]...192.1.2.23[east]
westnet-eastnet-ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: SPISPI_i SPISPI_o, IPCOMP CPIs: CPI_i CPI_o
westnet-eastnet-ikev2{1}:   192.0.1.0/24 === 192.0.2.0/24
west #
 ipsec _kernel state
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.1.2.45 dst 192.1.2.23
	proto comp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag noecn nopmtudisc af-unspec
	comp deflate 
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.45 dst 192.1.2.23
	proto 4 spi 0xSPISPI reqid 0 mode tunnel
	replay-window 0 flag noecn nopmtudisc af-unspec
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 32 
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	lastused YYYY-MM-DD HH:MM:SS
	sel src 0.0.0.0/0 dst 0.0.0.0/0 
src 192.1.2.23 dst 192.1.2.45
	proto comp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag noecn nopmtudisc af-unspec
	comp deflate 
	lastused YYYY-MM-DD HH:MM:SS
src 192.1.2.23 dst 192.1.2.45
	proto 4 spi 0xSPISPI reqid 0 mode tunnel
	replay-window 0 flag noecn nopmtudisc af-unspec
	lastused YYYY-MM-DD HH:MM:SS
west #
 ipsec _kernel policy
src 192.0.1.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
src 192.0.1.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
src 192.0.1.0/24 dst 192.0.1.0/24
	dir out priority PRIORITY ptype main
src 192.1.2.0/24 dst 192.1.2.0/24
	dir fwd priority PRIORITY ptype main
src 192.1.2.0/24 dst 192.1.2.0/24
	dir in priority PRIORITY ptype main
src 192.1.2.0/24 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
src 192.0.1.0/24 dst 192.0.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto comp spi 0xSPISPI reqid REQID mode tunnel
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp spi 0xSPISPI reqid REQID mode transport
src 192.0.2.0/24 dst 192.0.1.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid REQID mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.0.2.0/24 dst 192.0.1.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto comp reqid REQID mode tunnel
		level use
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
west #
