PRE-TEST
moon# iptables-restore < /etc/iptables.rules
sun# iptables-restore < /etc/iptables.rules
alice# ip route add fec2::/16 via fec1::1
moon# ip route add fec2::/16 via fec0::2
sun# ip route add fec1::/16 via fec0::1
bob# ip route add fec1::/16 via fec2::1
moon# systemctl start strongswan
sun# systemctl start strongswan
moon# expect-connection gw-gw
sun# expect-connection gw-gw
moon# swanctl --initiate --child net-net 2> /dev/null
[IKE] initiating IKE_SA gw-gw[1] to 192.168.0.2
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 192.168.0.1[500] to 192.168.0.2[500] (304 bytes)
[NET] received packet: from 192.168.0.2[500] to 192.168.0.1[500] (329 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) ]
[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384
[IKE] remote host is behind NAT
[IKE] received cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] sending cert request for "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[IKE] authentication of 'moon.strongswan.org' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] sending end entity cert "C=CH, O=strongSwan Project, CN=moon.strongswan.org"
[IKE] establishing CHILD_SA net-net{1}
[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[ENC] splitting IKE message (1896 bytes) into 2 fragments
[ENC] generating IKE_AUTH request 1 [ EF(1/2) ]
[ENC] generating IKE_AUTH request 1 [ EF(2/2) ]
[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500] (1244 bytes)
[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500] (732 bytes)
[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500] (1244 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
[ENC] received fragment #1 of 2, waiting for complete IKE message
[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500] (652 bytes)
[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1816 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr ]
[IKE] received end entity cert "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
[CFG] using certificate "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
[CFG] using trusted ca certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG] reached self-signed root ca with a path length of 0
[CFG] checking certificate status of "C=CH, O=strongSwan Project, CN=sun.strongswan.org"
[CFG] fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
[CFG] using trusted certificate "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG] crl correctly signed by "C=CH, O=strongSwan Project, CN=strongSwan Root CA"
[CFG] crl is valid: until Mar 25 18:47:43 2025
[CFG] certificate status is good
[IKE] authentication of 'sun.strongswan.org' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] IKE_SA gw-gw[1] established between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
[IKE] scheduling rekeying in 14076s
[IKE] maximum IKE_SA lifetime 15516s
[CFG] selected proposal: ESP:AES_GCM_16_256/NO_EXT_SEQ
[IKE] CHILD_SA net-net{1} established with SPIs 5a3f8c6b_i a93f0336_o and TS fec1::/16[ipv6-icmp] === fec2::/16[ipv6-icmp]
initiate completed successfully

TEST
alice# ping6 -c 3 -W 1 -i 0.2 -s 8184 -p deadbeef ip6-bob.strongswan.org | grep '8192 bytes from ip6-bob.strongswan.org.*: icmp_seq=3' [YES]
8192 bytes from ip6-bob.strongswan.org (fec2::10): icmp_seq=3 ttl=62 time=10.3 ms
moon # swanctl --list-sas --raw 2> /dev/null | grep 'gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec1:\:/16\[ipv6-icmp]] remote-ts=\[fec2:\:/16\[ipv6-icmp]]' [YES]
list-sa event {gw-gw {uniqueid=1 version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=4500 remote-id=sun.strongswan.org initiator=yes initiator-spi=d9dbf85ef4486163 responder-spi=0ad703125302ba1c nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384 established=2 rekey-time=14074 child-sas {net-net-1 {name=net-net uniqueid=1 reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes spi-in=5a3f8c6b spi-out=a93f0336 encr-alg=AES_GCM_16 encr-keysize=256 bytes-in=9528 packets-in=8 use-in=1 bytes-out=18056 packets-out=15 use-out=1 rekey-time=3331 life-time=3958 install-time=2 local-ts=[fec1::/16[ipv6-icmp]] remote-ts=[fec2::/16[ipv6-icmp]]}}}}
sun # swanctl --list-sas --raw 2> /dev/null | grep 'gw-gw.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org.*nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384.*child-sas.*net-net.*reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes.*encr-alg=AES_GCM_16 encr-keysize=256.*local-ts=\[fec2:\:/16\[ipv6-icmp]] remote-ts=\[fec1:\:/16\[ipv6-icmp]]' [YES]
list-sa event {gw-gw {uniqueid=1 version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=4500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator-spi=d9dbf85ef4486163 responder-spi=0ad703125302ba1c nat-remote=yes nat-any=yes encr-alg=AES_CBC encr-keysize=256 integ-alg=HMAC_SHA2_384_192 prf-alg=PRF_HMAC_SHA2_384 dh-group=ECP_384 established=2 rekey-time=13431 child-sas {net-net-1 {name=net-net uniqueid=1 reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP encap=yes spi-in=a93f0336 spi-out=5a3f8c6b encr-alg=AES_GCM_16 encr-keysize=256 bytes-in=18056 packets-in=15 use-in=2 bytes-out=9528 packets-out=8 use-out=2 rekey-time=3300 life-time=3958 install-time=2 local-ts=[fec2::/16[ipv6-icmp]] remote-ts=[fec1::/16[ipv6-icmp]]}}}}
sun# killall tcpdump
sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org.\(4500\|ipsec-nat-t\) > sun.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP' [YES]
19:47:05.407629 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x1), length 1036
19:47:05.613833 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x2), length 1436
19:47:05.613845 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x3), length 1436
19:47:05.613847 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x4), length 1436
19:47:05.613849 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x5), length 1436
19:47:05.613851 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x6), length 1436
19:47:05.613853 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x7), length 1436
19:47:05.613855 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x8), length 164
19:47:05.817059 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0x9), length 1436
19:47:05.817198 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0xa), length 1436
19:47:05.817434 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0xb), length 1436
19:47:05.817676 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0xc), length 1436
19:47:05.817910 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0xd), length 1436
19:47:05.818109 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0xe), length 1436
19:47:05.818432 IP moon.strongswan.org.ipsec-nat-t > sun.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0xa93f0336,seq=0xf), length 164
sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org.\(4500\|ipsec-nat-t\) > moon.strongswan.org.\(4500\|ipsec-nat-t\): UDP-encap: ESP' [YES]
19:47:05.617992 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x1), length 1036
19:47:05.821426 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x2), length 1436
19:47:05.821984 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x3), length 1436
19:47:05.822779 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x4), length 1436
19:47:05.823116 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x5), length 1436
19:47:05.823822 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x6), length 1436
19:47:05.823860 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x7), length 1436
19:47:05.823874 IP sun.strongswan.org.ipsec-nat-t > moon.strongswan.org.ipsec-nat-t: UDP-encap: ESP(spi=0x5a3f8c6b,seq=0x8), length 164

POST-TEST
moon# swanctl --terminate --ike gw-gw 2> /dev/null
[IKE] deleting IKE_SA gw-gw[1] between 192.168.0.1[moon.strongswan.org]...192.168.0.2[sun.strongswan.org]
[IKE] sending DELETE for IKE_SA gw-gw[1]
[ENC] generating INFORMATIONAL request 2 [ D ]
[NET] sending packet: from 192.168.0.1[4500] to 192.168.0.2[4500] (88 bytes)
[NET] received packet: from 192.168.0.2[4500] to 192.168.0.1[4500] (88 bytes)
[ENC] parsed INFORMATIONAL response 2 [ ]
[IKE] IKE_SA deleted
terminate completed successfully
moon# systemctl stop strongswan
sun# systemctl stop strongswan
alice# ip route del fec2::/16 via fec1::1
moon# ip route del fec2::/16 via fec0::2
sun# ip route del fec1::/16 via fec0::1
bob# ip route del fec1::/16 via fec2::1
moon# iptables-restore < /etc/iptables.flush
sun# iptables-restore < /etc/iptables.flush