/testing/guestbin/swan-prep
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 # ensure for tests acquires expire before our failureshunt=2m
road #
 echo 30 > /proc/sys/net/core/xfrm_acq_expires
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 10,' -- ipsec auto --status
000 Total IPsec connections: loaded 10, active 0
road #
 ip -s xfrm monitor > /tmp/xfrm-monitor.out &
[x] PID
road #
 echo "initdone"
initdone
road #
 # trigger OE; should show bare shunt due to local failureshunt
road #
 ../../guestbin/ping-once.sh --forget -I 192.1.3.209 192.1.2.23
fired and forgotten
road #
 ../../guestbin/wait-for.sh --match oe-failed -- ipsec whack --shuntstatus
000 192.1.3.209/32 -0-> 192.1.2.23/32 => %drop 0    oe-failed
road #
 ipsec whack --trafficstatus
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
XFRM policy:
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 killall ip > /dev/null 2> /dev/null
road #
 cp /tmp/xfrm-monitor.out OUTPUT/road.xfrm-monitor.txt
road #
 # should fail due to both private hold and remote block policy
road #
 ../../guestbin/ping-once.sh --down -I 192.1.3.209 192.1.2.23
down
road #
 echo done
done
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	sel src 192.1.3.209/32 dst 192.1.2.23/32 proto icmp type 8 code 0 dev eth0 
XFRM policy:
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
src 192.1.2.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.253/32
	dir out priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.3.254/32
	dir out priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.253/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir fwd priority PRIORITY ptype main
src 192.1.3.254/32 dst 192.1.3.209/32
	dir in priority PRIORITY ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 # should not show any hits
road #
 grep "^[^|].* established Child SA" /tmp/pluto.log
road #
 
