PRE-TEST

moon# iptables-restore < /etc/iptables.rules

carol# iptables-restore < /etc/iptables.rules

moon# systemctl start strongswan

carol# systemctl start strongswan

moon# expect-connection icmp

moon# expect-connection ssh

carol# expect-connection icmp

carol# expect-connection ssh

carol# swanctl --initiate --child icmp 2> /dev/null
[IKE] initiating Main Mode IKE_SA home[1] to 192.168.0.1
[ENC] generating ID_PROT request 0 [ SA V V V V V ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (180 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (160 bytes)
[ENC] parsed ID_PROT response 0 [ SA V V V V ]
[IKE] received XAuth vendor ID
[IKE] received DPD vendor ID
[IKE] received FRAGMENTATION vendor ID
[IKE] received NAT-T (RFC 3947) vendor ID
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (172 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (250 bytes)
[ENC] parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
[IKE] received cert request for 'C=CH, O=strongSwan Project, CN=strongSwan Root CA'
[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] authentication of 'carol@strongswan.org' (myself) successful
[IKE] sending end entity cert "C=CH, O=strongSwan Project, OU=Research, CN=carol@strongswan.org"
[ENC] generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
[ENC] splitting IKE message (1756 bytes) into 2 fragments
[ENC] generating ID_PROT request 0 [ FRAG(1) ]
[ENC] generating ID_PROT request 0 [ FRAG(2/2) ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (1252 bytes)
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (576 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (1252 bytes)
[ENC] parsed ID_PROT response 0 [ FRAG(1) ]
[ENC] received fragment #1, waiting for complete IKE message
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (448 bytes)
[ENC] parsed ID_PROT response 0 [ FRAG(2/2) ]
[ENC] received fragment #2, reassembled fragmented IKE message (1628 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (1628 bytes)
[ENC] parsed ID_PROT response 0 [ ID CERT SIG ]
[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   using certificate "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   reached self-signed root ca with a path length of 0
[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[CFG]   fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl is valid: until Mar 25 18:47:43 2025
[CFG] certificate status is good
[IKE] authentication of 'moon.strongswan.org' with RSA_EMSA_PKCS1_NULL successful
[IKE] IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
[IKE] scheduling rekeying in 13289s
[IKE] maximum IKE_SA lifetime 14729s
[ENC] generating QUICK_MODE request 3131474797 [ HASH SA No KE ID ID ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (220 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (220 bytes)
[ENC] parsed QUICK_MODE response 3131474797 [ HASH SA No KE ID ID ]
[CFG] selected proposal: ESP:AES_GCM_16_128/CURVE_25519/NO_EXT_SEQ
[IKE] CHILD_SA icmp{1} established with SPIs c6ac2cc3_i c734e1e4_o and TS 192.168.0.100/32[icmp] === 10.1.0.0/16[icmp]
initiate completed successfully

carol# swanctl --initiate --child ssh 2> /dev/null
[ENC] generating QUICK_MODE request 3353367863 [ HASH SA No KE ID ID ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (220 bytes)
[NET] received packet: from 192.168.0.1[500] to 192.168.0.100[500] (220 bytes)
[ENC] parsed QUICK_MODE response 3353367863 [ HASH SA No KE ID ID ]
[CFG] selected proposal: ESP:AES_GCM_16_128/CURVE_25519/NO_EXT_SEQ
[IKE] CHILD_SA ssh{2} established with SPIs c42b1ba8_i cf4fc5f4_o and TS 192.168.0.100/32[tcp] === 10.1.0.0/16[tcp/ssh]
initiate completed successfully


TEST

carol# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_.eq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=1.01 ms

carol# ping -c 1 10.1.0.1 | grep '64 bytes from 10.1.0.1: icmp_.eq=1' [YES]
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.632 ms

carol# ssh -o ConnectTimeout=5 10.1.0.10 hostname | grep 'alice' [YES]
alice
Warning: Permanently added '10.1.0.10' (ECDSA) to the list of known hosts.

carol# swanctl --list-sas --raw 2> /dev/null | grep 'home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.100/32\[icmp]] remote-ts=\[10.1.0.0/16\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[192.168.0.100/32\[tcp]] remote-ts=\[10.1.0.0/16\[tcp/ssh]' [YES]
list-sa event {home {uniqueid=1 version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes initiator-spi=6b5ecbc13f2f62b3 responder-spi=4406129656a06b96 encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 established=1 rekey-time=13288 child-sas {icmp-1 {name=icmp uniqueid=1 reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=c6ac2cc3 spi-out=c734e1e4 encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519 bytes-in=168 packets-in=2 use-in=1 bytes-out=168 packets-out=2 use-out=1 rekey-time=3371 life-time=3959 install-time=1 local-ts=[192.168.0.100/32[icmp]] remote-ts=[10.1.0.0/16[icmp]]} ssh-2 {name=ssh uniqueid=2 reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=c42b1ba8 spi-out=cf4fc5f4 encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519 bytes-in=3288 packets-in=18 use-in=0 bytes-out=3836 packets-out=20 use-out=0 rekey-time=3499 life-time=3959 install-time=1 local-ts=[192.168.0.100/32[tcp]] remote-ts=[10.1.0.0/16[tcp/ssh]]}}}}

moon# swanctl --list-sas --raw 2> /dev/null | grep 'rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*icmp.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16\[icmp]] remote-ts=\[192.168.0.100/32\[icmp]].*ssh.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519.*local-ts=\[10.1.0.0/16\[tcp/ssh]] remote-ts=\[192.168.0.100/32\[tcp]]' [YES]
list-sa event {rw {uniqueid=1 version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org initiator-spi=6b5ecbc13f2f62b3 responder-spi=4406129656a06b96 encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 established=2 rekey-time=13590 child-sas {icmp-1 {name=icmp uniqueid=1 reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=c734e1e4 spi-out=c6ac2cc3 encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519 bytes-in=168 packets-in=2 use-in=1 bytes-out=168 packets-out=2 use-out=1 rekey-time=3274 life-time=3958 install-time=2 local-ts=[10.1.0.0/16[icmp]] remote-ts=[192.168.0.100/32[icmp]]} ssh-2 {name=ssh uniqueid=2 reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=cf4fc5f4 spi-out=c42b1ba8 encr-alg=AES_GCM_16 encr-keysize=128 dh-group=CURVE_25519 bytes-in=3836 packets-in=20 use-in=1 bytes-out=3288 packets-out=18 use-out=1 rekey-time=3314 life-time=3959 install-time=1 local-ts=[10.1.0.0/16[tcp/ssh]] remote-ts=[192.168.0.100/32[tcp]]}}}}

moon# killall tcpdump

moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP' [YES]
18:57:43.337591 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc734e1e4,seq=0x1), length 120
18:57:43.370424 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc734e1e4,seq=0x2), length 120
18:57:43.421590 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x1), length 96
18:57:43.422725 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x2), length 88
18:57:43.423300 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x3), length 128
18:57:43.458810 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x4), length 88
18:57:43.458820 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x5), length 1480
18:57:43.458823 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x6), length 252
18:57:43.474835 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x7), length 136
18:57:43.498556 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x8), length 104
18:57:43.543390 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x9), length 140
18:57:43.544572 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0xa), length 156
18:57:43.553836 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0xb), length 208
18:57:43.596650 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0xc), length 88
18:57:43.597580 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0xd), length 88
18:57:43.597714 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0xe), length 868
18:57:43.602707 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0xf), length 88
18:57:43.603011 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x10), length 88
18:57:43.603179 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x11), length 124
18:57:43.603183 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x12), length 156
18:57:43.603248 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x13), length 88
18:57:43.604841 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcf4fc5f4,seq=0x14), length 88

moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP' [YES]
18:57:43.338147 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc6ac2cc3,seq=0x1), length 120
18:57:43.370540 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc6ac2cc3,seq=0x2), length 120
18:57:43.422251 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x1), length 96
18:57:43.423765 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x2), length 88
18:57:43.456101 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x3), length 128
18:57:43.459356 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x4), length 768
18:57:43.460537 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x5), length 88
18:57:43.488662 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x6), length 692
18:57:43.542823 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x7), length 88
18:57:43.544066 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x8), length 88
18:57:43.544110 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x9), length 140
18:57:43.553169 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0xa), length 124
18:57:43.555638 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0xb), length 668
18:57:43.597112 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0xc), length 140
18:57:43.598735 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0xd), length 160
18:57:43.602322 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0xe), length 140
18:57:43.602521 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0xf), length 124
18:57:43.602690 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x10), length 228
18:57:43.603502 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x11), length 88
18:57:43.604587 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc42b1ba8,seq=0x12), length 88


POST-TEST

carol# swanctl --terminate --ike home
[IKE] closing CHILD_SA icmp{1} with SPIs c6ac2cc3_i (168 bytes) c734e1e4_o (168 bytes) and TS 192.168.0.100/32[icmp] === 10.1.0.0/16[icmp]
[IKE] sending DELETE for ESP CHILD_SA with SPI c6ac2cc3
[ENC] generating INFORMATIONAL_V1 request 619266377 [ HASH D ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (92 bytes)
[IKE] closing CHILD_SA ssh{2} with SPIs c42b1ba8_i (3288 bytes) cf4fc5f4_o (3836 bytes) and TS 192.168.0.100/32[tcp] === 10.1.0.0/16[tcp/ssh]
[IKE] sending DELETE for ESP CHILD_SA with SPI c42b1ba8
[ENC] generating INFORMATIONAL_V1 request 1918756327 [ HASH D ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (92 bytes)
[IKE] deleting IKE_SA home[1] between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
[IKE] sending DELETE for IKE_SA home[1]
[ENC] generating INFORMATIONAL_V1 request 2491091931 [ HASH D ]
[NET] sending packet: from 192.168.0.100[500] to 192.168.0.1[500] (108 bytes)
terminate completed successfully

carol# systemctl stop strongswan

moon# systemctl stop strongswan

moon# iptables-restore < /etc/iptables.flush

carol# iptables-restore < /etc/iptables.flush