PRE-TEST

moon# iptables-restore < /etc/iptables.drop

sun# iptables-restore < /etc/iptables.drop

moon# ip6tables-restore < /etc/ip6tables.rules

sun# ip6tables-restore < /etc/ip6tables.rules

moon# systemctl start strongswan

sun# systemctl start strongswan

moon# expect-connection host-host

sun# expect-connection host-host

moon# swanctl --initiate --child host-host
[IKE] initiating IKE_SA host-host[1] to fec0::2
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from fec0::1[500] to fec0::2[500] (240 bytes)
[NET] received packet: from fec0::2[500] to fec0::1[500] (273 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[IKE] establishing CHILD_SA host-host{1}
[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] splitting IKE message (1904 bytes) into 2 fragments
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
[NET] sending packet: from fec0::1[500] to fec0::2[500] (1220 bytes)
[NET] sending packet: from fec0::1[500] to fec0::2[500] (756 bytes)
[NET] received packet: from fec0::2[500] to fec0::1[500] (1220 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from fec0::2[500] to fec0::1[500] (676 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1824 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH N(USE_TRANSP) SA TSi TSr ]
[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
[CFG]   using certificate "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
[CFG]   using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   reached self-signed root ca with a path length of 0
[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
[CFG]   fetching crl from 'http://ip6-winnetou.strongswan.org/strongswan.crl' ...
[CFG]   using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG]   crl is valid: until Mar 25 18:47:43 2025
[CFG] certificate status is good
[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] IKE_SA host-host[1] established between fec0::1[moon.strongswan.org]...fec0::2[sun.strongswan.org]
[IKE] scheduling rekeying in 13361s
[IKE] maximum IKE_SA lifetime 14801s
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA host-host{1} established with SPIs cb56139b_i c9f0fbf5_o and TS fec0::1/128 === fec0::2/128
initiate completed successfully


TEST

moon# ip xfrm state | grep 'mode transport' [YES]
	proto esp spi 0xc9f0fbf5 reqid 1 mode transport
	proto esp spi 0xcb56139b reqid 1 mode transport

sun# ip xfrm state | grep 'mode transport' [YES]
	proto esp spi 0xcb56139b reqid 1 mode transport
	proto esp spi 0xc9f0fbf5 reqid 1 mode transport

moon# ping6 -c 1 -p deadbeef ip6-sun.strongswan.org | grep '64 bytes from ip6-sun.strongswan.org.*: icmp_seq=1' [YES]
64 bytes from ip6-sun.strongswan.org (fec0::2): icmp_seq=1 ttl=64 time=0.556 ms

moon# swanctl --list-sas --raw 2> /dev/null | grep 'host-host.*version=2 state=ESTABLISHED local-host=fec0:\:1 local-port=500 local-id=moon.strongswan.org remote-host=fec0:\:2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:1/128] remote-ts=\[fec0:\:2/128]' [YES]
list-sa event {host-host {uniqueid=1 version=2 state=ESTABLISHED local-host=fec0::1 local-port=500 local-id=moon.strongswan.org remote-host=fec0::2 remote-port=500 remote-id=sun.strongswan.org initiator=yes initiator-spi=288b4b6a3b958514 responder-spi=c9df745ddf7ea780 encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 established=0 rekey-time=13361 child-sas {host-host-1 {name=host-host uniqueid=1 reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP spi-in=cb56139b spi-out=c9f0fbf5 encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 bytes-in=64 packets-in=1 use-in=0 bytes-out=64 packets-out=1 use-out=0 rekey-time=3435 life-time=3960 install-time=0 local-ts=[fec0::1/128] remote-ts=[fec0::2/128]}}}}

sun# swanctl --list-sas --raw 2> /dev/null | grep 'host-host.*version=2 state=ESTABLISHED local-host=fec0:\:2 local-port=500 local-id=sun.strongswan.org remote-host=fec0:\:1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519.*child-sas.*host-host.*reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128.*local-ts=\[fec0:\:2/128] remote-ts=\[fec0:\:1/128]' [YES]
list-sa event {host-host {uniqueid=1 version=2 state=ESTABLISHED local-host=fec0::2 local-port=500 local-id=sun.strongswan.org remote-host=fec0::1 remote-port=500 remote-id=moon.strongswan.org initiator-spi=288b4b6a3b958514 responder-spi=c9df745ddf7ea780 encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=CURVE_25519 established=1 rekey-time=14034 child-sas {host-host-1 {name=host-host uniqueid=1 reqid=1 state=INSTALLED mode=TRANSPORT protocol=ESP spi-in=c9f0fbf5 spi-out=cb56139b encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 bytes-in=64 packets-in=1 use-in=0 bytes-out=64 packets-out=1 use-out=0 rekey-time=3433 life-time=3959 install-time=1 local-ts=[fec0::2/128] remote-ts=[fec0::1/128]}}}}

sun# killall tcpdump

sun# cat /tmp/tcpdump.log | grep 'IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP' [YES]
19:44:53.249721 IP6 ip6-moon.strongswan.org > ip6-sun.strongswan.org: ESP(spi=0xc9f0fbf5,seq=0x1), length 120

sun# cat /tmp/tcpdump.log | grep 'IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP' [YES]
19:44:53.249820 IP6 ip6-sun.strongswan.org > ip6-moon.strongswan.org: ESP(spi=0xcb56139b,seq=0x1), length 120


POST-TEST

moon# systemctl stop strongswan

sun# systemctl stop strongswan

moon# iptables-restore < /etc/iptables.flush

sun# iptables-restore < /etc/iptables.flush

moon# ip6tables-restore < /etc/ip6tables.flush

sun# ip6tables-restore < /etc/ip6tables.flush