/testing/guestbin/swan-prep --x509
Preparing X.509 files
west #
 echo 3 > /proc/sys/net/core/xfrm_acq_expires
west #
 # install selinux; generated in OUTPUT by east
west #
 semodule -i OUTPUT/ipsecspd-full-perm.pp
west #
 setenforce 0
west #
 # start pluto
west #
 ipsec start
Redirecting to: [initsystem]
west #
 ../../guestbin/wait-until-pluto-started
west #
 ipsec auto --add labeled
002 "labeled": added IKEv2 connection
west #
 echo "initdone"
initdone
west #
 # IKE will be triggered by acquire; expect two labels
west #
 ipsec auto --route labeled
west #
 ../../guestbin/ipsec-look.sh
west NOW
XFRM state:
XFRM policy:
src 0.0.0.0/0 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 0.0.0.0/0 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 192.1.2.45/32 dst 0.0.0.0/0
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,, 
east                                                         P,,  
east-ec                                                      P,,  
hashsha1                                                     P,,  
nic                                                          P,,  
north                                                        P,,  
road                                                         P,,  
west                                                         u,u,u
west #
 # trigger acquire using the predefined ping_t context
west #
 ../../guestbin/ping-once.sh --runcon "system_u:system_r:ping_t:s0:c1.c256" --forget -I 192.1.2.45 192.1.2.23
fired and forgotten
west #
 ../../guestbin/wait-for.sh --match 192.1.2.23 -- ipsec trafficstatus
006 #2: "labeled"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='%fromcert'
west #
 ../../guestbin/ping-once.sh --runcon "system_u:system_r:ping_t:s0:c1.c256" --up     -I 192.1.2.45 192.1.2.23
up
west #
 # there should be 1 tunnel in each direction
west #
 ipsec trafficstatus
006 #2: "labeled"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=84, outBytes=84, maxBytes=2^63B, id='%fromcert'
west #
 # there should be no bare shunts
west #
 ipsec shuntstatus
000 Bare Shunt list:
000  
west #
 # let larval state expire
west #
 ../../guestbin/wait-for.sh --no-match ' spi 0x00000000 ' -- ip xfrm state
west #
 echo done
done
west #
 ../../guestbin/ipsec-look.sh
west NOW
XFRM state:
src 192.1.2.23 dst 192.1.2.45
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context system_u:system_r:ping_t:s0:c1.c256 
src 192.1.2.45 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context system_u:system_r:ping_t:s0:c1.c256 
XFRM policy:
src 0.0.0.0/0 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 0.0.0.0/0 dst 192.1.2.45/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.2.45
		proto esp reqid REQID mode tunnel
src 192.1.2.45/32 dst 0.0.0.0/0
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 192.1.2.45 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.2.254 dev eth1
192.0.1.0/24 dev eth0 proto kernel scope link src 192.0.1.254
192.0.2.0/24 via 192.1.2.23 dev eth1
192.1.2.0/24 dev eth1 proto kernel scope link src 192.1.2.45
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan                     CT,, 
east                                                         P,,  
east-ec                                                      P,,  
hashsha1                                                     P,,  
nic                                                          P,,  
north                                                        P,,  
road                                                         P,,  
west                                                         u,u,u
west #
 
