PRE-TEST

moon# cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql

sun# cat /usr/local/share/strongswan/templates/database/sql/sqlite.sql /etc/ipsec.d/data.sql > /etc/db.d/ipsec.sql

moon# cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db

sun# cat /etc/db.d/ipsec.sql | sqlite3 /etc/db.d/ipsec.db

moon# cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*

sun# cd /etc/swanctl; rm -r rsa/* x509/* x509ca/*

moon# iptables-restore < /etc/iptables.rules

sun# iptables-restore < /etc/iptables.rules

sun# systemctl start strongswan

sun# expect-connection net-net

moon# systemctl start strongswan

moon# sleep 4


TEST

moon# swanctl --list-sas --raw 2> /dev/null | grep 'net-net.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/28] remote-ts=\[10.2.0.0/23].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.1.0.16/28] remote-ts=\[10.2.0.0/23].*net-3.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.1.2.0/23] remote-ts=\[10.2.2.0/23]' [YES]
list-sa event {net-net {uniqueid=1 version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.2 remote-port=500 remote-id=sun.strongswan.org initiator=yes initiator-spi=c04e5e84a3cc6b54 responder-spi=3e7d73dc7cdd280f encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072 established=4 rekey-time=7080 child-sas {net-1-1 {name=net-1 uniqueid=1 reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=c66e4391 spi-out=ca042fc0 encr-alg=AES_GCM_16 encr-keysize=128 bytes-in=0 packets-in=0 bytes-out=0 packets-out=0 rekey-time=1142 life-time=1496 install-time=4 local-ts=[10.1.0.0/28] remote-ts=[10.2.0.0/23]} net-2-2 {name=net-2 uniqueid=2 reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=c0bd3816 spi-out=c95056df encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192 bytes-in=0 packets-in=0 bytes-out=0 packets-out=0 rekey-time=1160 life-time=1497 install-time=4 local-ts=[10.1.0.16/28] remote-ts=[10.2.0.0/23]} net-3-4 {name=net-3 uniqueid=4 reqid=3 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=cc9f9545 spi-out=c751cd19 encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192 bytes-in=0 packets-in=0 bytes-out=0 packets-out=0 rekey-time=1146 life-time=1497 install-time=3 local-ts=[10.1.2.0/23] remote-ts=[10.2.2.0/23]}}}}

sun# swanctl --list-sas --raw 2> /dev/null | grep 'net-net.*version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072.*child-sas.*net-1.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.0/28].*net-2.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.2.0.0/23] remote-ts=\[10.1.0.16/28].*net-3.*state=INSTALLED mode=TUNNEL protocol=ESP.*encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192.*local-ts=\[10.2.2.0/23] remote-ts=\[10.1.2.0/23]' [YES]
list-sa event {net-net {uniqueid=1 version=2 state=ESTABLISHED local-host=192.168.0.2 local-port=500 local-id=sun.strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator-spi=c04e5e84a3cc6b54 responder-spi=3e7d73dc7cdd280f encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=MODP_3072 established=4 rekey-time=7145 child-sas {net-1-1 {name=net-1 uniqueid=1 reqid=1 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=ca042fc0 spi-out=c66e4391 encr-alg=AES_GCM_16 encr-keysize=128 bytes-in=0 packets-in=0 bytes-out=0 packets-out=0 rekey-time=1146 life-time=1496 install-time=4 local-ts=[10.2.0.0/23] remote-ts=[10.1.0.0/28]} net-2-2 {name=net-2 uniqueid=2 reqid=2 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=c95056df spi-out=c0bd3816 encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192 bytes-in=0 packets-in=0 bytes-out=0 packets-out=0 rekey-time=1161 life-time=1496 install-time=4 local-ts=[10.2.0.0/23] remote-ts=[10.1.0.16/28]} net-3-3 {name=net-3 uniqueid=3 reqid=3 state=INSTALLED mode=TUNNEL protocol=ESP spi-in=c751cd19 spi-out=cc9f9545 encr-alg=AES_GCM_16 encr-keysize=192 dh-group=MODP_8192 bytes-in=0 packets-in=0 bytes-out=0 packets-out=0 rekey-time=1175 life-time=1497 install-time=4 local-ts=[10.2.2.0/23] remote-ts=[10.1.2.0/23]}}}}

alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_.eq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=62 time=1.63 ms

bob# ping -c 1 10.1.0.20 | grep '64 bytes from 10.1.0.20: icmp_.eq=1' [YES]
64 bytes from 10.1.0.20: icmp_seq=1 ttl=62 time=1.42 ms

sun# killall tcpdump

sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > sun.strongswan.org: ESP' [YES]
19:52:58.587400 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xca042fc0,seq=0x1), length 120
19:52:58.620324 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc95056df,seq=0x1), length 120

sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org > moon.strongswan.org: ESP' [YES]
19:52:58.588031 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xc66e4391,seq=0x1), length 120
19:52:58.619428 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xc0bd3816,seq=0x1), length 120


POST-TEST

moon# systemctl stop strongswan

sun# systemctl stop strongswan

moon# iptables-restore < /etc/iptables.flush

sun# iptables-restore < /etc/iptables.flush