/testing/guestbin/swan-prep --46
road #
 ../../guestbin/wait-until-alive 2001:db8:0:2::254
destination 2001:db8:0:2::254 is alive
road #
 # change the default route
road #
 ip -6 route del default
road #
 ../../guestbin/ping-once.sh --down 2001:db8:0:2::254
down
road #
 # add default via link local
road #
 ip -6 route add default dev eth0 via fe80::1000:ff:fe32:64ba
road #
 ../../guestbin/ping-once.sh --up 2001:db8:0:2::254
up
road #
 ip6tables -A INPUT -i eth0 -s 2001:db8:0:2::254 -p ipv6-icmp -j DROP
road #
 ip6tables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT
road #
 ../../guestbin/ping-once.sh --down 2001:db8:0:2::254
down
road #
 ipsec start
Redirecting to: [initsystem]
road #
 ../../guestbin/wait-until-pluto-started
road #
 ip route get to 2001:db8:1:2::23
2001:db8:1:2::23 from :: via fe80::1000:ff:fe32:64ba dev eth0 src 2001:db8:1:3::209 metric 1024 pref medium
road #
 # this test need --verbose to see source address selection
road #
 ipsec auto --add --verbose road
opening file: /etc/ipsec.conf
debugging mode enabled
end of file /etc/ipsec.conf
Loading conn road
starter: left is KH_DEFAULTROUTE
loading named conns: road
resolving family=IPv6 src=<defaultroute> gateway=<defaultroute> peer 2001:db8:1:2::23
  seeking GATEWAY
    query GETROUTE+REQUEST+ROOT+MATCH
    add RTA_DST 2001:db8:1:2::23 (peer->addr)
    query returned 1180 bytes
  processing response
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=::1
      RTA_PRIORITY=256
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=<unset-address> dst=::1 dev='lo' priority=256 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=2001:db8:1:3::
      RTA_PRIORITY=256
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=<unset-address> dst=2001:db8:1:3:: dev='eth0' priority=256 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=fe80::
      RTA_PRIORITY=256
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=<unset-address> dst=fe80:: dev='eth0' priority=256 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_PRIORITY=1024
      RTA_GATEWAY=fe80::1000:ff:fe32:64ba
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=fe80::1000:ff:fe32:64ba dst=<unset-address> dev='eth0' priority=1024 pref=0 table=254 +cacheinfo
    found gateway(host_nexthop): fe80::1000:ff:fe32:64ba
  please-call-again: src=<defaultroute> gateway=fe80::1000:ff:fe32:64ba
resolving family=IPv6 src=<defaultroute> gateway=fe80::1000:ff:fe32:64ba peer 2001:db8:1:2::23
  seeking PREFSRC
    query GETROUTE+REQUEST
    add RTA_DST 2001:db8:1:2::23 (peer->addr)
    query returned 176 bytes
  processing response
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=2001:db8:1:2::23
      RTA_SRC=::
      RTA_PREFSRC=2001:db8:1:3::209
      RTA_PRIORITY=1024
      RTA_GATEWAY=fe80::1000:ff:fe32:64ba
      RTA_PREF=0
      using src=:: prefsrc=2001:db8:1:3::209 gateway=fe80::1000:ff:fe32:64ba dst=2001:db8:1:2::23 dev='eth0' priority=1024 pref=0 table=254 +cacheinfo
    found prefsrc(host_addr): 2001:db8:1:3::209
  success: src=2001:db8:1:3::209 gateway=fe80::1000:ff:fe32:64ba
resolving family=IPv6 src=2001:db8:1:2::23 gateway=<not-set> peer 2001:db8:1:3::209
  seeking NOTHING
conn: "road" modecfgdns=<unset>
conn: "road" modecfgdomains=<unset>
conn: "road" modecfgbanner=<unset>
conn: "road" mark=<unset>
conn: "road" mark-in=<unset>
conn: "road" mark-out=<unset>
conn: "road" vti_iface=<unset>
conn: "road" redirect-to=<unset>
conn: "road" accept-redirect-to=<unset>
conn: "road" esp=<unset>
conn: "road" ike=<unset>
002 "road": added IKEv2 connection
road #
 echo "initdone"
initdone
road #
 ipsec auto --up road
1v2 "road"[1] 2001:db8:1:2::23 #1: initiating IKEv2 connection
1v2 "road"[1] 2001:db8:1:2::23 #1: sent IKE_SA_INIT request to [2001:db8:1:2::23]:500
1v2 "road"[1] 2001:db8:1:2::23 #1: sent IKE_AUTH request {cipher=AES_GCM_16_256 integ=n/a prf=HMAC_SHA2_512 group=MODP2048}
003 "road"[1] 2001:db8:1:2::23 #1: initiator established IKE SA; authenticated peer using authby=secret and ID_FQDN '@east'
002 "road"[1] 2001:db8:1:2::23 #2: received INTERNAL_IP6_ADDRESS 2001:db8:0:3:1::
004 "road"[1] 2001:db8:1:2::23 #2: initiator established Child SA using #1; IPsec tunnel [2001:db8:0:3:1::-2001:db8:0:3:1:::0-65535 0] -> [::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff:0-65535 0] {ESP/ESN=>0xESPESP <0xESPESP xfrm=AES_GCM_16_256-NONE DPD=passive}
road #
 ping6 -n -q -w 5 -c 2 -I 2001:db8:0:3:1::0 2001:db8:0:2::254
PING 2001:db8:0:2::254(2001:db8:0:2::254) from 2001:db8:0:3:1:: : 56 data bytes
--- 2001:db8:0:2::254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
 ipsec trafficstatus
006 #2: "road"[1] 2001:db8:1:2::23, type=ESP, add_time=1234567890, inBytes=208, outBytes=208, maxBytes=2^63B, id='@east', lease=2001:db8:0:3:1::/128
road #
 ../../guestbin/ip-addr-show.sh
eth0 inet 192.1.3.209/24
eth0 inet6 2001:db8:1:3::209/64
lo inet6 2001:db8:0:3:1::/128
road #
 ip -6 route
2001:db8:0:3:1:: dev lo proto kernel metric 256 pref medium
2001:db8:1:3::/64 dev eth0 proto kernel metric 256 pref medium
2000::/3 via fe80::1000:ff:fe32:64ba dev eth0 src 2001:db8:0:3:1:: metric 1024 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
default via fe80::1000:ff:fe32:64ba dev eth0
road #
 ip route get to 2001:db8:1:2::23
2001:db8:1:2::23 from :: via fe80::1000:ff:fe32:64ba dev eth0 src 2001:db8:0:3:1:: metric 1024 pref medium
road #
 #
road #
 # addconn need a non existing --ctlsocket
road #
 # otherwise this add bring the connection down.
road #
 #
road #
 # see the source address selection when the tunnel is established
road #
 ipsec auto --add --verbose --ctlsocket /run/pluto/foo road
opening file: /etc/ipsec.conf
debugging mode enabled
end of file /etc/ipsec.conf
Loading conn road
starter: left is KH_DEFAULTROUTE
loading named conns: road
resolving family=IPv6 src=<defaultroute> gateway=<defaultroute> peer 2001:db8:1:2::23
  seeking GATEWAY
    query GETROUTE+REQUEST+ROOT+MATCH
    add RTA_DST 2001:db8:1:2::23 (peer->addr)
    query returned 1568 bytes
  processing response
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=::1
      RTA_PRIORITY=256
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=<unset-address> dst=::1 dev='lo' priority=256 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=2001:db8:0:3:1::
      RTA_PRIORITY=256
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=<unset-address> dst=2001:db8:0:3:1:: dev='lo' priority=256 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=2001:db8:1:3::
      RTA_PRIORITY=256
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=<unset-address> dst=2001:db8:1:3:: dev='eth0' priority=256 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=2000::
      RTA_PREFSRC=2001:db8:0:3:1::
      RTA_PRIORITY=1024
      RTA_GATEWAY=fe80::1000:ff:fe32:64ba
      RTA_PREF=0
      using src=<unset-address> prefsrc=2001:db8:0:3:1:: gateway=fe80::1000:ff:fe32:64ba dst=2000:: dev='eth0' priority=1024 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=fe80::
      RTA_PRIORITY=256
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=<unset-address> dst=fe80:: dev='eth0' priority=256 pref=0 table=254 +cacheinfo
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_PRIORITY=1024
      RTA_GATEWAY=fe80::1000:ff:fe32:64ba
      RTA_PREF=0
      using src=<unset-address> prefsrc=<unset-address> gateway=fe80::1000:ff:fe32:64ba dst=<unset-address> dev='eth0' priority=1024 pref=0 table=254 +cacheinfo
    found gateway(host_nexthop): fe80::1000:ff:fe32:64ba
  please-call-again: src=<defaultroute> gateway=fe80::1000:ff:fe32:64ba
resolving family=IPv6 src=<defaultroute> gateway=fe80::1000:ff:fe32:64ba peer 2001:db8:1:2::23
  seeking PREFSRC
    query GETROUTE+REQUEST
    add RTA_DST 2001:db8:1:2::23 (peer->addr)
    query returned 196 bytes
  processing response
    parsing route entry (RTA payloads)
      RTA_TABLE=254
      RTA_DST=2001:db8:1:2::23
      RTA_SRC=::
      RTA_PREFSRC=2001:db8:0:3:1::
      RTA_PREFSRC=2001:db8:0:3:1::
      RTA_PRIORITY=1024
      RTA_GATEWAY=fe80::1000:ff:fe32:64ba
      RTA_PREF=0
      using src=:: prefsrc=2001:db8:0:3:1:: gateway=fe80::1000:ff:fe32:64ba dst=2001:db8:1:2::23 dev='eth0' priority=1024 pref=0 table=254 +cacheinfo
    found prefsrc(host_addr): 2001:db8:0:3:1::
  success: src=2001:db8:0:3:1:: gateway=fe80::1000:ff:fe32:64ba
resolving family=IPv6 src=2001:db8:1:2::23 gateway=<not-set> peer 2001:db8:0:3:1::
  seeking NOTHING
conn: "road" modecfgdns=<unset>
conn: "road" modecfgdomains=<unset>
conn: "road" modecfgbanner=<unset>
conn: "road" mark=<unset>
conn: "road" mark-in=<unset>
conn: "road" mark-out=<unset>
conn: "road" vti_iface=<unset>
conn: "road" redirect-to=<unset>
conn: "road" accept-redirect-to=<unset>
conn: "road" esp=<unset>
conn: "road" ike=<unset>
connect(pluto_ctl) failed: No such file or directory
road #
 echo done
done
road #
 if [ -f /var/run/pluto/pluto.pid ]; then ../../guestbin/ipsec-look.sh ; fi
road NOW
XFRM state:
src 2001:db8:1:2::23 dst 2001:db8:1:3::209
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
src 2001:db8:1:3::209 dst 2001:db8:1:2::23
	proto esp spi 0xSPISPI reqid REQID mode tunnel
	replay-window 0 flag af-unspec esn
	aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
	anti-replay esn context:
	 seq-hi 0x0, seq 0xXX, oseq-hi 0x0, oseq 0xXX
	 replay_window 128, bitmap-length 4
	 00000000 00000000 00000000 XXXXXXXX 
XFRM policy:
src 2001:db8:0:3:1::/128 dst ::/0
	dir out priority PRIORITY ptype main
	tmpl src 2001:db8:1:3::209 dst 2001:db8:1:2::23
		proto esp reqid REQID mode tunnel
src ::/0 dst 2001:db8:0:3:1::/128
	dir fwd priority PRIORITY ptype main
	tmpl src 2001:db8:1:2::23 dst 2001:db8:1:3::209
		proto esp reqid REQID mode tunnel
src ::/0 dst 2001:db8:0:3:1::/128
	dir in priority PRIORITY ptype main
	tmpl src 2001:db8:1:2::23 dst 2001:db8:1:3::209
		proto esp reqid REQID mode tunnel
src ::/0 dst ::/0 proto ipv6-icmp type 135
	dir fwd priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
	dir in priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 135
	dir out priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
	dir fwd priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
	dir in priority PRIORITY ptype main
src ::/0 dst ::/0 proto ipv6-icmp type 136
	dir out priority PRIORITY ptype main
XFRM done
IPSEC mangle TABLES
iptables filter TABLE
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
2001:db8:0:3:1:: dev lo proto kernel metric 256
2001:db8:1:3::/64 dev eth0 proto kernel metric 256
2000::/3 via fe80::1000:ff:fe32:64ba dev eth0 src 2001:db8:0:3:1:: metric 1024
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::1000:ff:fe32:64ba dev eth0
NSS_CERTIFICATES
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
road #
 if [ -f /var/run/charon.pid -o -f /var/run/strongswan/charon.pid ]; then strongswan status ; fi
road #
 
