/testing/guestbin/swan-prep
road #
 echo 3 > /proc/sys/net/core/xfrm_acq_expires
road #
 # install selinux; generated in OUTPUT by east
road #
 semodule -i OUTPUT/ipsecspd.pp
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 ipsec auto --add labeled
002 "labeled": added IKEv2 connection
road #
 echo "initdone"
initdone
road #
 # for port re-use in tests with protoport selectors
road #
 echo 1 >/proc/sys/net/ipv4/tcp_tw_reuse
road #
 # route; should be two policies
road #
 ipsec auto --route labeled
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
XFRM policy:
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.219/32 dst 192.0.2.0/24
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.0.2.0/24 via 192.1.3.254 dev eth0 src 192.0.2.219
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 # trigger traffic
road #
 echo "quit" | runcon -t netutils_t timeout 15 nc  -p 4301 -vv 192.0.2.254 4300 2>&1 | sed -e 's/received in .*$/received .../' -e 's/Version .*/Version .../'
Ncat: Version ...
NCAT DEBUG: Using system default trusted CA certificates and those in PATH/share/ncat/ca-bundle.crt.
NCAT DEBUG: Unable to load trusted CA certificates from PATH/share/ncat/ca-bundle.crt: error:02001002:system library:fopen:No such file or directory
libnsock nsock_iod_new2(): nsock_iod_new (IOD #1)
libnsock nsock_connect_tcp(): TCP connection requested to 192.0.2.254:4300 (IOD #1) EID 8
libnsock mksock_bind_addr(): Binding to 0.0.0.0:4301 (IOD #1)
libnsock nsock_trace_handler_callback(): Callback: CONNECT SUCCESS for EID 8 [192.0.2.254:4300]
Ncat: Connected to 192.0.2.254:4300.
libnsock nsock_iod_new2(): nsock_iod_new (IOD #2)
libnsock nsock_read(): Read request from IOD #1 [192.0.2.254:4300] (timeout: -1ms) EID 18
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 26
libnsock nsock_trace_handler_callback(): Callback: READ SUCCESS for EID 26 [peer unspecified] (5 bytes): quit.
libnsock nsock_write(): Write request for 5 bytes to IOD #1 EID 35 [192.0.2.254:4300]
libnsock nsock_trace_handler_callback(): Callback: WRITE SUCCESS for EID 35 [192.0.2.254:4300]
libnsock nsock_readbytes(): Read request for 0 bytes from IOD #2 [peer unspecified] EID 42
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 42 [peer unspecified]
libnsock nsock_trace_handler_callback(): Callback: READ EOF for EID 18 [192.0.2.254:4300]
Ncat: 5 bytes sent, 0 bytes received ...
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #1)
libnsock nsock_iod_delete(): nsock_iod_delete (IOD #2)
road #
 # there should be 2 tunnels - both inactive in one direction
road #
 ipsec trafficstatus
006 #2: "labeled"[1] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=0, outBytes=273, maxBytes=2^63B, id='@east'
006 #3: "labeled"[2] 192.1.2.23, type=ESP, add_time=1234567890, inBytes=164, outBytes=0, maxBytes=2^63B, id='@east'
road #
 # there should be no bare shunts
road #
 ipsec shuntstatus
000 Bare Shunt list:
000  
road #
 # let larval state expire
road #
 ../../guestbin/wait-for.sh --no-match ' spi 0x00000000 ' -- ip xfrm state
road #
 echo done
done
road #
 # There should be FOUR IPsec SA states (two sets), all with same
road #
 # reqid. And there should be one set of tunnel policies using the
road #
 # configured ipsec_spd_t label, and no outgoing %trap policy
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
src 192.1.2.23 dst 192.1.3.209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
src 192.1.3.209 dst 192.1.2.23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	security context unconfined_u:unconfined_r:netutils_t:s0-s0:c0.c1023 
XFRM policy:
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir fwd priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.0/24 dst 192.0.2.219/32
	security context system_u:object_r:ipsec_spd_t:s0
	dir in priority PRIORITY ptype main
	tmpl src 192.1.2.23 dst 192.1.3.209
		proto esp reqid REQID mode tunnel
src 192.0.2.219/32 dst 192.0.2.0/24
	security context system_u:object_r:ipsec_spd_t:s0
	dir out priority PRIORITY ptype main
	tmpl src 192.1.3.209 dst 192.1.2.23
		proto esp reqid REQID mode tunnel
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.0.2.0/24 via 192.1.3.254 dev eth0 src 192.0.2.219
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 # The IKE SA should be associated with the template connection
road #
 ipsec showstates
000 #1: "labeled":500 STATE_V2_ESTABLISHED_IKE_SA (established IKE SA); REKEY in XXs; REPLACE in XXs; newest; idle;
000 #2: "labeled"[1] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; REPLACE in XXs; newest; IKE SA #1; idle;
000 #2: "labeled"[1] 192.1.2.23 esp.ESPSPIi@192.1.2.23 esp.ESPSPIi@192.1.3.209 tun.0@192.1.2.23 tun.0@192.1.3.209 Traffic: ESPin=0B ESPout=273B ESPmax=2^63B 
000 #3: "labeled"[2] 192.1.2.23:500 STATE_V2_ESTABLISHED_CHILD_SA (established Child SA); REKEY in XXs; REPLACE in XXs; newest; IKE SA #1; idle;
000 #3: "labeled"[2] 192.1.2.23 esp.ESPSPIi@192.1.2.23 esp.ESPSPIi@192.1.3.209 tun.0@192.1.2.23 tun.0@192.1.3.209 Traffic: ESPin=164B ESPout=0B ESPmax=2^63B 
road #
 
