PRE-TEST

moon# iptables-restore < /etc/iptables.drop

sun# iptables-restore < /etc/iptables.drop

moon# ip6tables-restore < /etc/ip6tables.rules

sun# ip6tables-restore < /etc/ip6tables.rules

moon# ipsec start
Starting strongSwan 6.0.1 IPsec [starter]...

sun# ipsec start
Starting strongSwan 6.0.1 IPsec [starter]...

moon# expect-connection host-host

sun# expect-connection host-host

moon# ipsec up host-host
initiating Main Mode IKE_SA host-host[1] to fec0::2
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from fec0::1[500] to fec0::2[500] (204 bytes)
received packet: from fec0::2[500] to fec0::1[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from fec0::1[500] to fec0::2[500] (204 bytes)
received packet: from fec0::2[500] to fec0::1[500] (282 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
received cert request for 'C=CH, O=strongSwan Project, CN=strongSwan Root CA'
sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
authentication of 'moon.strongswan.org' (myself) successful
sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
splitting IKE message (1724 bytes) into 2 fragments
generating ID_PROT request 0 [ FRAG(1) ]
generating ID_PROT request 0 [ FRAG(2/2) ]
sending packet: from fec0::1[500] to fec0::2[500] (1232 bytes)
sending packet: from fec0::1[500] to fec0::2[500] (564 bytes)
received packet: from fec0::2[500] to fec0::1[500] (1232 bytes)
parsed ID_PROT response 0 [ FRAG(1) ]
received fragment #1, waiting for complete IKE message
received packet: from fec0::2[500] to fec0::1[500] (452 bytes)
parsed ID_PROT response 0 [ FRAG(2/2) ]
received fragment #2, reassembled fragmented IKE message (1612 bytes)
received packet: from fec0::2[500] to fec0::1[500] (1612 bytes)
parsed ID_PROT response 0 [ ID CERT SIG ]
received end entity cert "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  using certificate "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  reached self-signed root ca with a path length of 0
checking certificate status of "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
  fetching crl from 'http://ip6-winnetou.strongswan.org/strongswan.crl' ...
  using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
  crl is valid: until Mar 25 18:47:43 2025
certificate status is good
authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_NULL successful
IKE_SA host-host[1] established between fec0::1[moon.strongswan.org]...fec0::2[sun.strongswan.org]
scheduling reauthentication in 3378s
maximum IKE_SA lifetime 3558s
generating QUICK_MODE request 1416133498 [ HASH SA No ID ID ]
sending packet: from fec0::1[500] to fec0::2[500] (236 bytes)
received packet: from fec0::2[500] to fec0::1[500] (204 bytes)
parsed QUICK_MODE response 1416133498 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
CHILD_SA host-host{1} established with SPIs c3233a72_i c5de6ef1_o and TS fec0::1/128 === fec0::2/128
connection 'host-host' established successfully


TEST

moon# ipsec status 2> /dev/null | grep 'host-host.*ESTABLISHED.*moon.strongswan.org.*sun.strongswan.org' [YES]
   host-host[1]: ESTABLISHED 0 seconds ago, fec0::1[moon.strongswan.org]...fec0::2[sun.strongswan.org]

sun# ipsec status 2> /dev/null | grep 'host-host.*ESTABLISHED.*sun.strongswan.org.*moon.strongswan.org' [YES]
   host-host[1]: ESTABLISHED 0 seconds ago, fec0::2[sun.strongswan.org]...fec0::1[moon.strongswan.org]

moon# ipsec status 2> /dev/null | grep 'host-host.*INSTALLED, TRANSPORT' [YES]
   host-host{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c3233a72_i c5de6ef1_o

sun# ipsec status 2> /dev/null | grep 'host-host.*INSTALLED, TRANSPORT' [YES]
   host-host{1}:  INSTALLED, TRANSPORT, reqid 1, ESP SPIs: c5de6ef1_i c3233a72_o

moon# ip xfrm state | grep 'mode transport' [YES]
	proto esp spi 0xc5de6ef1 reqid 1 mode transport
	proto esp spi 0xc3233a72 reqid 1 mode transport

sun# ip xfrm state | grep 'mode transport' [YES]
	proto esp spi 0xc3233a72 reqid 1 mode transport
	proto esp spi 0xc5de6ef1 reqid 1 mode transport

moon# ping6 -c 1 -p deadbeef ip6-sun.strongswan.org | grep '64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1' [YES]
64 bytes from ip6-sun.strongswan.org (fec0::2): icmp_seq=1 ttl=64 time=0.608 ms

sun# killall tcpdump

sun# cat /tmp/tcpdump.log | grep 'IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP' [YES]
19:46:27.875567 IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP(spi=0xc5de6ef1,seq=0x1), length 120

sun# cat /tmp/tcpdump.log | grep 'IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP' [YES]
19:46:27.875679 IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP(spi=0xc3233a72,seq=0x1), length 120


POST-TEST

moon# ipsec stop
Stopping strongSwan IPsec...

sun# ipsec stop
Stopping strongSwan IPsec...

moon# iptables-restore < /etc/iptables.flush

sun# iptables-restore < /etc/iptables.flush

moon# ip6tables-restore < /etc/ip6tables.flush

sun# ip6tables-restore < /etc/ip6tables.flush