/testing/guestbin/swan-prep
west #
 # install selinux; generated in OUTPUT by east
west #
 semodule -i OUTPUT/ipsecspd-full-perm.pp
west #
 setsebool domain_can_mmap_files=1
west #
 setsebool nis_enabled=1
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add labeled
002 "labeled": added IKEv1 connection
west #
 echo "initdone"
initdone
west #
 # for port re-use in tests with protoport selectors
west #
 echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse
west #
 ipsec auto --up labeled
002 "labeled" #1: initiating IKEv1 Main Mode connection
1v1 "labeled" #1: sent Main Mode request
1v1 "labeled" #1: sent Main Mode I2
1v1 "labeled" #1: sent Main Mode I3
002 "labeled" #1: Peer ID is ID_FQDN: '@east'
003 "labeled" #1: authenticated peer '2nnn-bit RSA with SHA1' signature using preloaded certificate '@east'
004 "labeled" #1: IKE SA established {auth=RSA_SIG cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
002 "labeled" #2: initiating Quick Mode IKEv1+RSASIG+ENCRYPT+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES
1v1 "labeled" #2: sent Quick Mode request
004 "labeled" #2: IPsec SA established transport mode {ESP=>0xESPESP <0xESPESP xfrm=AES_CBC_128-HMAC_SHA1_96 DPD=passive}
west #
 ip xfrm state
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
west #
 ip xfrm policy
src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
	dir out priority PRIORITY ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
	dir in priority PRIORITY ptype main 
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
	socket in priority 0 ptype main 
west #
 echo "quit" | runcon -t netutils_t nc -w 50 -p 4301 -vvv 192.1.2.23 4300 2>&1 | sed "s/received in .*$/received .../"
Ncat: Version 7.91 ( https://nmap.org/ncat )
NCAT DEBUG: Using system default trusted CA certificates and those in PATH/share/ncat/ca-bundle.crt.
NCAT DEBUG: Unable to load trusted CA certificates from PATH/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 192.1.2.23:4300 (IOD #1) EID 8
libnsock mksock_bind_addr(): Binding to 0.0.0.0:4301 (IOD #1)
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.1.2.23:4300]
Ncat: Connected to 192.1.2.23:4300.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
libnsock nsock_read(): Read request from IOD #1 [192.1.2.23:4300] (timeout: -1ms) EID 18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (5 bytes): quit.
libnsock nsock_write(): Write request for 5 bytes to IOD #1 EID 35 [192.1.2.23:4300]
libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.1.2.23:4300]
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 42 [peer unspecified]
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 18 [192.1.2.23:4300]
Ncat: 5 bytes sent, 0 bytes received ...
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1)
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2)
west #
 ipsec trafficstatus
006 #2: "labeled", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='@east'
006 #3: "labeled", type=ESP, add_time=1234567890, inBytes=104, outBytes=173, maxBytes=2^63B, id='@east'
west #
 ping -n -q -c 4 -I 192.0.1.254 192.0.2.254
PING 192.0.2.254 (192.0.2.254) from 192.0.1.254 : 56(84) bytes of data.
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # let another on-demand label establish
west #
 sleep 3
west #
 # we are expecting three tunnels now (main one with 0 byte counters)
west #
 ipsec trafficstatus
006 #2: "labeled", type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='@east'
006 #3: "labeled", type=ESP, add_time=1234567890, inBytes=104, outBytes=173, maxBytes=2^63B, id='@east'
west #
 echo done
done
west #
 ../../guestbin/ipsec-look.sh
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 
	auth-trunc hmac(sha1) 0xHASHKEY 96
	enc cbc(aes) 0xENCKEY
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300 
	security context system_u:object_r:ipsec_spd_t:s0 
XFRM policy:
src 192.1.2.23/32 dst 192.1.2.45/32 proto tcp sport 4300
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.2.45/32 dst 192.1.2.23/32 proto tcp dport 4300
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 
