/testing/guestbin/swan-prep
north #
 # confirm that the network is alive
north #
 ping -n -c 4 192.0.2.254
PING 192.0.2.254 (192.0.2.254) 56(84) bytes of data.
--- 192.0.2.254 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time XXXX
north #
 # make sure that clear text does not get through
north #
 iptables -A INPUT -i eth1 -s 192.1.2.23 -p tcp --sport 3 -j REJECT
north #
 iptables -A OUTPUT -o eth1 -d 192.1.2.23 -p tcp --dport 3 -j REJECT
north #
 ipsec setup start
[ 00.00] registered KLIPS /proc/sys/net
[ 00.00] ipsec_3des_init(alg_type=15 alg_id=3 name=3des): ret=0
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=12 name=cbc(aes) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=253 name=cbc(twofish) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=252 name=cbc(serpent) keyminbits=128 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=6 name=cbc(cast5) keyminbits=128 keymaxbits=128, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=15 alg_id=3 name=cbc(des3_ede) keyminbits=192 keymaxbits=192, found(0)
[ 00.00] KLIPS: lookup for ciphername=cipher_null: not found
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=2 name=hmac(md5) ctx_size=88 keyminbits=128 keymaxbits=128, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=3 name=hmac(sha1) ctx_size=88 keyminbits=160 keymaxbits=160, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=5 name=hmac(sha256) ctx_size=88 keyminbits=256 keymaxbits=256, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=6 name=hmac(sha384) ctx_size=88 keyminbits=384 keymaxbits=384, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=7 name=hmac(sha512) ctx_size=88 keyminbits=512 keymaxbits=512, found(0)
[ 00.00] KLIPS cryptoapi interface: alg_type=14 alg_id=252 name=hmac(sha256) ctx_size=88 keyminbits=256 keymaxbits=256, found(0)
[ 00.00] 
Redirecting to: systemctl start ipsec.service
[ 00.00] 
north #
 /testing/pluto/bin/wait-until-pluto-started
north #
 ipsec auto --add north-east-port3
002 added connection description "north-east-port3"
north #
 ipsec auto --add north-east-pass
002 added connection description "north-east-pass"
north #
 echo done
done
north #
 ipsec auto --route north-east-pass
north #
 ipsec auto --up  north-east-port3
002 "north-east-port3" #1: initiating Main Mode
104 "north-east-port3" #1: STATE_MAIN_I1: initiate
003 "north-east-port3" #1: received Vendor ID payload [Dead Peer Detection]
003 "north-east-port3" #1: received Vendor ID payload [FRAGMENTATION]
003 "north-east-port3" #1: received Vendor ID payload [RFC 3947]
002 "north-east-port3" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
106 "north-east-port3" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "north-east-port3" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
108 "north-east-port3" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "north-east-port3" #1: received Vendor ID payload [CAN-IKEv2]
002 "north-east-port3" #1: Main mode peer ID is ID_FQDN: '@east'
004 "north-east-port3" #1: STATE_MAIN_I4: ISAKMP SA established {auth=RSA_SIG cipher=aes_256 integ=sha group=MODP2048}
002 "north-east-port3" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW
117 "north-east-port3" #2: STATE_QUICK_I1: initiate
004 "north-east-port3" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xESPESP <0xESPESP xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=192.1.2.23:4500 DPD=passive}
north #
 echo test | nc 192.1.2.23 2
north #
 echo test | nc 192.1.2.23 3
north #
 echo done
done
north #
north #
 if [ -n "`ls /tmp/core* 2>/dev/null`" ]; then echo CORE FOUND; mv /tmp/core* OUTPUT/; fi
north #
 if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi

