/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
certutil -D -n east -d sql:/etc/ipsec.d
road #
cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
cp policies/* /etc/ipsec.d/policies/
road #
echo "192.1.2.0/24" >> /etc/ipsec.d/policies/private-or-clear
road #
ipsec start
Redirecting to: systemctl start ipsec.service
road #
/testing/pluto/bin/wait-until-pluto-started
road #
ipsec whack --debug-all --impair-retransmits
road #
# ensure that, for the tests, acquires expire before our failureshunt=2m
road #
echo 30 > /proc/sys/net/core/xfrm_acq_expires
road #
# give OE policies time to load
road #
sleep 5
road #
ip -s xfrm monitor > /tmp/xfrm-monitor.out &
[x] PID
road #
echo "initdone"
initdone
road #
ipsec whack --oppohere 192.1.3.209 --oppothere 192.1.2.23
002 initiate on demand from 192.1.3.209:0 to 192.1.2.23:0 proto=0 because: whack
133 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: STATE_PARENT_I1: initiate
002 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #1: suppressing retransmit because IMPAIR_RETRANSMITS is set.
002 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: suppressing retransmit because IMPAIR_RETRANSMITS is set.
002 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: certificate verified OK: E=user-east@testing.libreswan.org,CN=east.testing.libreswan.org,OU=Test Department,O=Libreswan,L=Toronto,ST=Ontario,C=CA
002 "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
road #
# should show established tunnel and no bare shunts
road #
# ping should succeed through tunnel
road #
ping -n -c 2 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
64 bytes from 192.1.2.23: icmp_seq=1 ttl=64 time=0.XXX ms
64 bytes from 192.1.2.23: icmp_seq=2 ttl=64 time=0.XXX ms
--- 192.1.2.23 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time XXXX
rtt min/avg/max/mdev = 0.XXX/0.XXX/0.XXX/0.XXX ms
road #
ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
road #
ipsec whack --shuntstatus
000 Bare Shunt list:
000
road #
ipsec look
road NOW
XFRM state:
src 192.1.2.23 dst 192.1.3.209
proto esp spi 0xSPISPIXX reqid REQID mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
src 192.1.3.209 dst 192.1.2.23
proto esp spi 0xSPISPIXX reqid REQID mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xENCAUTHKEY 128
XFRM policy:
src 192.0.2.0/24 dst 192.1.3.209/32
dir fwd action block priority 2088 ptype main
src 192.0.2.0/24 dst 192.1.3.209/32
dir in action block priority 2088 ptype main
src 192.1.2.129/32 dst 192.1.3.209/32
dir fwd priority 1568 ptype main
src 192.1.2.129/32 dst 192.1.3.209/32
dir in priority 1568 ptype main
src 192.1.2.130/32 dst 192.1.3.209/32
dir fwd priority 1568 ptype main
src 192.1.2.130/32 dst 192.1.3.209/32
dir in priority 1568 ptype main
src 192.1.2.23/32 dst 192.1.3.209/32
dir fwd priority 2080 ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 192.1.2.23/32 dst 192.1.3.209/32
dir in priority 2080 ptype main
tmpl src 192.1.2.23 dst 192.1.3.209
proto esp reqid REQID mode tunnel
src 192.1.2.254/32 dst 192.1.3.209/32
dir fwd priority 1568 ptype main
src 192.1.2.254/32 dst 192.1.3.209/32
dir in priority 1568 ptype main
src 192.1.3.209/32 dst 192.0.2.0/24
dir out action block priority 2088 ptype main
src 192.1.3.209/32 dst 192.1.2.0/24
dir out priority 2088 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp reqid REQID mode transport
src 192.1.3.209/32 dst 192.1.2.129/32
dir out priority 1568 ptype main
src 192.1.3.209/32 dst 192.1.2.130/32
dir out priority 1568 ptype main
src 192.1.3.209/32 dst 192.1.2.23/32
dir out priority 2080 ptype main
tmpl src 192.1.3.209 dst 192.1.2.23
proto esp reqid REQID mode tunnel
src 192.1.3.209/32 dst 192.1.2.254/32
dir out priority 1568 ptype main
XFRM done
IPSEC mangle TABLES
NEW_IPSEC_CONN mangle TABLES
ROUTING TABLES
default via 192.1.3.254 dev eth0
192.1.3.0/24 dev eth0 proto kernel scope link src 192.1.3.209
NSS_CERTIFICATES
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Libreswan test CA for mainca - Libreswan CT,,
east-ec P,,
hashsha2 P,,
nic P,,
north P,,
road u,u,u
west P,,
west-ec P,,
road #
killall ip > /dev/null 2> /dev/null
[1]+ Terminated ip -s xfrm monitor > /tmp/xfrm-monitor.out
road #
cp /tmp/xfrm-monitor.out OUTPUT/road.xfrm-monitor.txt
road #
ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
road #
echo done
done
road #
# A tunnel should have established with non-zero byte counters
road #
ipsec whack --trafficstatus
006 #2: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23, type=ESP, add_time=1234567890, inBytes=168, outBytes=168, id='C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=east.testing.libreswan.org, E=user-east@testing.libreswan.org'
road #
grep "negotiated connection" /tmp/pluto.log
"private-or-clear#192.1.2.0/24"[1] ...192.1.2.23 #2: negotiated connection [192.1.3.209-192.1.3.209:0-65535 0] -> [192.1.2.23-192.1.2.23:0-65535 0]
road #
# you should see only Digital Signatures, which currently supports only RSA
road #
grep IKEv2_AUTH_ OUTPUT/*pluto.log
OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe)
OUTPUT/east.pluto.log:| clear-or-private#192.1.3.0/24 #1 not fetching ipseckey that end rsasigkey != %dnsondemand can only query DNS for IPSECKEY for ID that is a FQDN, IPV4_ADDR, or IPV6_ADDR id type=ID_DER_ASN1_DN IKEv2_AUTH_DIGSIG remote=192.1.3.209 thatid=C=CA, ST=Ontario, L=Toronto, O=Libreswan, OU=Test Department, CN=road.testing.libreswan.org, E=user-road@testing.libreswan.org
OUTPUT/east.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe)
OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe)
OUTPUT/road.pluto.log:| auth method: IKEv2_AUTH_DIGSIG (0xe)
road #
road #
../bin/check-for-core.sh
road #
if [ -f /sbin/ausearch ]; then ausearch -r -m avc -ts recent ; fi