/testing/guestbin/swan-prep
east #
 # import real west+mainca
east #
 pk12util -W foobar -K '' -d sql:/etc/ipsec.d -i /testing/x509/pkcs12/mainca/west.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
east #
 # delete real main CA
east #
 certutil -D -d sql:/etc/ipsec.d -n "Libreswan test CA for mainca - Libreswan"
east #
 # import fake east cert and fake main CA
east #
 pk12util -W foobar -K '' -d sql:/etc/ipsec.d -i /testing/x509/fake/pkcs12/mainca/east.p12
pk12util: PKCS12 IMPORT SUCCESSFUL
east #
 # remove main CA - so real-west cannot be verified - rely on cert=west
east #
 certutil -D -d sql:/etc/ipsec.d -n "Libreswan test CA for mainca - Libreswan"
east #
 ipsec start
Redirecting to: [initsystem]
east #
 ../../guestbin/wait-until-pluto-started
east #
 ipsec auto --add ikev2-westnet-eastnet-x509-cr
002 "ikev2-westnet-eastnet-x509-cr": added IKEv2 connection
east #
 echo "initdone"
initdone
east #
 ../../guestbin/ipsec-look.sh
east NOW
XFRM state:
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
XFRM policy:
src 192.0.1.0/24 dst 192.0.2.0/24
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.0.1.0/24 dst 192.0.2.0/24
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.1.0/24
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth1 scope link src 192.0.2.254
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.254
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.23
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
east                                                         u,u,u
west                                                         u,u,u
east #
 
