/testing/guestbin/swan-prep
west #
 echo 3 > /proc/sys/net/core/xfrm_acq_expires
west #
 # install selinux; generated in OUTPUT by east
west #
 semodule -i OUTPUT/ipsecspd-full-perm.pp
west #
 # start pluto
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add labeled
002 "labeled": added IKEv2 connection
west #
 echo "initdone"
initdone
west #
 # Establish a childless IKE SA which will install the policy ready for
west #
 # an acquire.
west #
 ipsec auto --up labeled
1v2 "labeled" #1: initiating IKEv2 connection
1v2 "labeled" #1: sent IKE_SA_INIT request to 192.1.2.23:500
002 "labeled" #1: omitting CHILD SA payloads
1v2 "labeled" #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "labeled" #1: initiator established IKE SA; authenticated peer '2nnn-bit RSASSA-PSS with SHA2_512' digital signature using preloaded certificate '@east'
west #
 ../../guestbin/ipsec-look.sh
west NOW
XFRM state:
XFRM policy:
src 192.1.2.23/32 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.2.45/32 dst 192.1.2.23/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 # Initiate a rekey of the IKE SA but drop the initial CREATE_CHILD_SA
west #
 # request.  This will cause the exchange to become stuck; the
west #
 # retransmit, scheduled for 10s, will unstick it.
west #
 ipsec whack --impair drop-outgoing:1
002 IMPAIR: will drop outgoing message 1
west #
 ipsec whack --asynchronous --impair event-v2-rekey:1
000 "labeled" #1: deleting existing REKEY event
000 "labeled" #1: calling REKEY event handler
west #
 ../../guestbin/wait-for.sh --match REKEY_IKE_I1 -- ipsec whack --showstates
000 #2: "labeled":500 STATE_V2_REKEY_IKE_I1 (sent CREATE_CHILD_SA request to rekey IKE SA); idle;
west #
 # Trigger traffic using the predefined ping_t context.  Because the
west #
 # rekey SA is stuck it will start on the old #1 IKE SA's queue and
west #
 # then migrated to the new SA queue when things resume.
west #
 ../../guestbin/ping-once.sh --runcon "system_u:system_r:ping_t:s0:c1.c256" --forget -I 192.1.2.45 192.1.2.23
fired and forgotten
west #
 ../../guestbin/wait-for.sh --match 192.1.2.23 -- ipsec trafficstatus
006 #3: "labeled"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='@east'
west #
 ../../guestbin/ping-once.sh --runcon "system_u:system_r:ping_t:s0:c1.c256" --up     -I 192.1.2.45 192.1.2.23
up
west #
 # there should be 1 tunnel in each direction
west #
 ipsec trafficstatus
006 #3: "labeled"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=64, outBytes=64, maxBytes=2^63B, id='@east'
west #
 # there should be no bare shunts
west #
 ipsec shuntstatus
000 Bare Shunt list:
000  
west #
 # let larval state expire
west #
 ../../guestbin/wait-for.sh --no-match ' spi 0x00000000 ' -- ip xfrm state
west #
 echo done
done
west #
 # There should be FOUR IPsec SA states (two sets), all with same
west #
 # reqid. And there should be one set of tunnel policies using the
west #
 # configured ipsec_spd_t label, and no outgoing %trap policy
west #
 ../../guestbin/ipsec-look.sh
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.23/32 dst 192.1.2.45/32 
	security context system_u:system_r:ping_t:s0:c1.c256 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 192.1.2.45/32 dst 192.1.2.23/32 
	security context system_u:system_r:ping_t:s0:c1.c256 
XFRM policy:
src 192.1.2.23/32 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
src 192.1.2.45/32 dst 192.1.2.23/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid REQID mode transport
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
west #
 # The IKE SA should be associated with the template connection
west #
 ipsec showstates
000 #2: "labeled":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
000 #3: "labeled"[1] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; REPLACE in XXs; newest; IKE SA #2; idle;
000 #3: "labeled"[1] 192.1.2.23 esp.ESPSPIi@192.1.2.23 esp.ESPSPIi@192.1.2.45 Traffic: ESPin=64B ESPout=64B ESPmax=2^63B 
west #
 
