/testing/guestbin/swan-prep
west #
 ipsec setup start
[ 00.00] registered KLIPS /proc/sys/net
[ 00.00] ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=253 name=cbc(twofish) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=252 name=cbc(serpent) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=6 name=cbc(cast5) keyminbits=128 keymaxbits=128, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede) keyminbits=192 keymaxbits=192, found(0)
[ 00.00] KLIPS: lookup for ciphername=cipher_null: not found
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=2 name=hmac(md5) ctx_size=88 keyminbits=128 keymaxbits=128, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=3 name=hmac(sha1) ctx_size=88 keyminbits=160 keymaxbits=160, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=5 name=hmac(sha256) ctx_size=88 keyminbits=256 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=6 name=hmac(sha384) ctx_size=88 keyminbits=384 keymaxbits=384, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=7 name=hmac(sha512) ctx_size=88 keyminbits=512 keymaxbits=512, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=252 name=hmac(sha256) ctx_size=88 keyminbits=256 keymaxbits=256, found(0)
[ 00.00] 
Redirecting to: systemctl start ipsec.service
[ 00.00] 
west #
 /testing/pluto/bin/wait-until-pluto-started
west #
 ipsec auto --add west-east
002 added connection description "west-east"
west #
 echo "initdone"
initdone
west #
 # we can transmit in the clear
west #
 ping -q -c 4 -n 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # bring up the tunnel
west #
 ipsec auto --up west-east
003 "west-east": IKEv1 Aggressive Mode with PSK is vulnerable to dictionary attacks and is cracked on large scale by TLA's
003 "west-east" #1: multiple DH groups in aggressive mode can cause interop failure
003 "west-east" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
003 "west-east" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
002 "west-east" #1: initiating Aggressive Mode #1, connection "west-east"
003 "west-east" #1: multiple DH groups in aggressive mode can cause interop failure
003 "west-east" #1: Deleting previous proposal in the hopes of selecting DH 2 or DH 5
003 "west-east" #1: transform (OAKLEY_AES_CBC,OAKLEY_SHA1,OAKLEY_GROUP_MODP1024 keylen 0) ignored.
112 "west-east" #1: STATE_AGGR_I1: initiate
003 "west-east" #1: received Vendor ID payload [Dead Peer Detection]
003 "west-east" #1: received Vendor ID payload [RFC 3947]
002 "west-east" #1: Aggressive mode peer ID is ID_FQDN: '@east'
002 "west-east" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
003 "west-east" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
004 "west-east" #1: STATE_AGGR_I2: sent AI2, ISAKMP SA established {auth=RSA_SIG cipher=aes_128 integ=sha group=MODP1536}
002 "west-east" #1: Dead Peer Detection (RFC 3706): enabled
002 "west-east" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP+AGGRESSIVE+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
117 "west-east" #2: STATE_QUICK_I1: initiate
002 "west-east" #2: Dead Peer Detection (RFC 3706): enabled
004 "west-east" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xESPESP <0xESPESP xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
west #
 # use the tunnel
west #
 ping -q -c 4 -n 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # show the tunnel!
west #
 echo "Tunnel should be up"
Tunnel should be up
west #
 ipsec eroute
8          192.1.2.45/32      -> 192.1.2.23/32      => tun0x1000@192.1.2.23
west #
 # Let R_U_THERE packets flow
west #
 echo "Waiting 15 seconds..."
Waiting 15 seconds...
west #
 sleep 15
west #
 echo "Setting up block via iptables"
Setting up block via iptables
west #
 iptables -I INPUT -s 192.1.2.23/32 -d 0/0 -j DROP
west #
 iptables -I OUTPUT -d 192.1.2.23/32 -s 0/0 -j DROP
west #
west #
 # DPD should have triggered now
west #
 echo "Tunnel should be down (%trap/%hold)"
Tunnel should be down (%trap/%hold)
west #
 ipsec eroute
0          192.1.2.45/32      -> 192.1.2.23/32      => %trap
west #
 # Remove the Blockage
west #
 echo "Removing block"
Removing block
west #
 iptables -D INPUT -s 192.1.2.23/32 -d 0/0 -j DROP
west #
 iptables -D OUTPUT -d 192.1.2.23/32 -s 0/0 -j DROP
west #
 ping -q -c 4 -n 192.1.2.23
PING 192.1.2.23 (192.1.2.23) 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
4 packets transmitted, 2 received, 50% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
west #
 # Tunnel should be back up now
west #
 echo "Tunnel should be up"
Tunnel should be up
west #
 ipsec eroute
4          192.1.2.45/32      -> 192.1.2.23/32      => tun0x1002@192.1.2.23
west #
 echo end
end
west #
 # no tunnels left, Ma!
west #
west #
 if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi
west #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

