/testing/guestbin/swan-prep --46
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "2001:db8:1:2::0/64" >>  /etc/ipsec.d/policies/private-or-clear
road #
 echo "2001:db8:1:3::254/128" >> /etc/ipsec.d/policies/clear
road #
 echo "2001:db8:1:2::254/128" >> /etc/ipsec.d/policies/clear
road #
 echo "fe80::/10" >> /etc/ipsec.d/policies/clear
road #
 ipsec start
Redirecting to: [initsystem]
road #
 # ensure for tests acquires expire before our failureshunt=2m
road #
 echo 30 > /proc/sys/net/core/xfrm_acq_expires
road #
 ../../guestbin/wait-until-pluto-started
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 9' -- ipsec auto --status
000 Total IPsec connections: loaded 9, active 0
road #
 ip -s xfrm monitor > /tmp/xfrm-monitor.out &
[x] PID
road #
 echo "initdone"
initdone
road #
 # bring up OE
road #
 ../../guestbin/ping-once.sh --forget 2001:db8:1:2::23
fired and forgotten
road #
 ../../guestbin/wait-for.sh --match private-or-clear -- ipsec whack --trafficstatus
006 #2: "private-or-clear#2001:db8:1:2::/64"[1] ...2001:db8:1:2::23, type=ESP, add_time=1234567890, inBytes=0, outBytes=0, maxBytes=2^63B, id='ID_NULL'
road #
 ../../guestbin/ping-once.sh --up 2001:db8:1:2::23
up
road #
 ipsec whack --trafficstatus
006 #2: "private-or-clear#2001:db8:1:2::/64"[1] ...2001:db8:1:2::23, type=ESP, add_time=1234567890, inBytes=64, outBytes=64, maxBytes=2^63B, id='ID_NULL'
road #
 # confirm we got transport mode, not tunnel mode
road #
 ip xfrm state | grep mode
	proto esp spi 0xSPISPI reqid REQID mode transport
	proto esp spi 0xSPISPI reqid REQID mode transport
	proto esp spi 0x00000000 reqid 0 mode transport
road #
 echo done
done
road #
 ../../guestbin/ipsec-look.sh
road NOW
XFRM state:
src 2001:db8:1:2::23 dst 2001:db8:1:3::209
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 2001:db8:1:2::23/128 dst 2001:db8:1:3::209/128 
src 2001:db8:1:3::209 dst 2001:db8:1:2::23
	proto esp spi 0xSPISPI reqid REQID mode transport
	replay-window 0 flag esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
	sel src 2001:db8:1:3::209/128 dst 2001:db8:1:2::23/128 
src 2001:db8:1:3::209 dst 2001:db8:1:2::23
	proto esp spi 0x00000000 reqid 0 mode transport
	replay-window 0 
	sel src 2001:db8:1:3::209/128 dst 2001:db8:1:2::23/128 proto ipv6-icmp type 128 code 0 
XFRM policy:
src 2001:db8:1:2::254/128 dst 2001:db8:1:3::209/128
	dir fwd priority PRIORITY ptype main
src 2001:db8:1:2::254/128 dst 2001:db8:1:3::209/128
	dir in priority PRIORITY ptype main
src 2001:db8:1:3::209/128 dst 2001:db8:1:2::254/128
	dir out priority PRIORITY ptype main
src 2001:db8:1:3::209/128 dst 2001:db8:1:3::254/128
	dir out priority PRIORITY ptype main
src 2001:db8:1:3::254/128 dst 2001:db8:1:3::209/128
	dir fwd priority PRIORITY ptype main
src 2001:db8:1:3::254/128 dst 2001:db8:1:3::209/128
	dir in priority PRIORITY ptype main
src 2001:db8:1:3::209/128 dst fe80::/10
	dir out priority PRIORITY ptype main
src fe80::/10 dst 2001:db8:1:3::209/128
	dir fwd priority PRIORITY ptype main
src fe80::/10 dst 2001:db8:1:3::209/128
	dir in priority PRIORITY ptype main
src 2001:db8:1:2::23/128 dst 2001:db8:1:3::209/128
	dir in priority PRIORITY ptype main
	tmpl src :: dst ::
		proto esp reqid REQID mode transport
src 2001:db8:1:3::209/128 dst 2001:db8:1:2::23/128
	dir out priority PRIORITY ptype main
	tmpl src :: dst ::
		proto esp reqid REQID mode transport
src 2001:db8:1:3::209/128 dst 2001:db8:1:2::/64
	dir out priority PRIORITY ptype main
	tmpl src :: dst ::
		proto esp reqid 0 mode transport
src ::/0 dst ::/0 proto ipv6-icmp type 135
	dir fwd priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
	dir in priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
	dir out priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
	dir fwd priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
	dir in priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
	dir out priority PRIORITY ptype main
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
2001:db8:1:3::/64 dev eth0 proto kernel metric 256
fe80::/64 dev eth0 proto kernel metric 256
default via 2001:db8:1:3::254 dev eth0
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 
