TCPDUMP
moon# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &
PRE-TEST
moon# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
carol# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
dave# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
moon# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
No leaks detected, 5 suppressed by whitelist
carol# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
No leaks detected, 5 suppressed by whitelist
dave# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
No leaks detected, 5 suppressed by whitelist
carol# sleep 1
carol# ipsec up home
initiating IKE_SA home[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
received packet: from 192.168.0.1[500] to 192.168.0.100[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of 'carol@strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CH, O=Linux strongSwan, OU=SHA-384, CN=carol@strongswan.org"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=Linux strongSwan, OU=SHA-224, CN=moon.strongswan.org"
using certificate "C=CH, O=Linux strongSwan, OU=SHA-224, CN=moon.strongswan.org"
using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, OU=SHA-224, CN=moon.strongswan.org"
fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl is valid: until Jun 30 17:25:59 2012
certificate status is good
reached self-signed root ca with a path length of 0
authentication of 'moon.strongswan.org' with RSA signature successful
IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
scheduling reauthentication in 3277s
maximum IKE_SA lifetime 3457s
No leaks detected, 1 suppressed by whitelist
dave# ipsec up home
initiating IKE_SA home[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.200[500] to 192.168.0.1[500]
received packet: from 192.168.0.1[500] to 192.168.0.200[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of 'dave@strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CH, O=Linux strongSwan, OU=SHA-512, CN=dave@strongswan.org"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.200[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=Linux strongSwan, OU=SHA-224, CN=moon.strongswan.org"
using certificate "C=CH, O=Linux strongSwan, OU=SHA-224, CN=moon.strongswan.org"
using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, OU=SHA-224, CN=moon.strongswan.org"
fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl is valid: until Jun 30 17:25:59 2012
certificate status is good
reached self-signed root ca with a path length of 0
authentication of 'moon.strongswan.org' with RSA signature successful
IKE_SA home[1] established between 192.168.0.200[dave@strongswan.org]...192.168.0.1[moon.strongswan.org]
scheduling reauthentication in 3375s
maximum IKE_SA lifetime 3555s
No leaks detected, 1 suppressed by whitelist
carol# sleep 1
TEST
moon# ipsec statusall | grep 'rw.*ESTABLISHED' [YES]
No leaks detected, 1 suppressed by whitelist
rw[1]: ESTABLISHED 4 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]
rw[2]: ESTABLISHED 3 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.200[dave@strongswan.org]
carol# ipsec statusall | grep 'home.*ESTABLISHED' [YES]
No leaks detected, 1 suppressed by whitelist
home[1]: ESTABLISHED 4 seconds ago, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
dave# ipsec statusall | grep 'home.*ESTABLISHED' [YES]
No leaks detected, 1 suppressed by whitelist
home[1]: ESTABLISHED 3 seconds ago, 192.168.0.200[dave@strongswan.org]...192.168.0.1[moon.strongswan.org]
carol# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=0.838 ms
dave# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=1.01 ms
moon# killall tcpdump
moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP' [YES]
22:50:17.012858 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xca60f0f5,seq=0x1), length 132
moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP' [YES]
22:50:17.013351 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc8caec8f,seq=0x1), length 132
moon# cat /tmp/tcpdump.log | grep 'IP dave.strongswan.org > moon.strongswan.org: ESP' [YES]
22:50:17.155806 IP dave.strongswan.org > moon.strongswan.org: ESP(spi=0xc3c1e0fc,seq=0x1), length 132
moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > dave.strongswan.org: ESP' [YES]
22:50:17.156298 IP moon.strongswan.org > dave.strongswan.org: ESP(spi=0xcf60be6e,seq=0x1), length 132
POST-TEST
moon# ipsec stop
Stopping strongSwan IPsec...
carol# ipsec stop
Stopping strongSwan IPsec...
dave# ipsec stop
Stopping strongSwan IPsec...
moon# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
carol# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
dave# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
moon# rm /etc/ipsec.d/private/*
carol# rm /etc/ipsec.d/private/*
dave# rm /etc/ipsec.d/private/*
moon# rm /etc/ipsec.d/certs/*
carol# rm /etc/ipsec.d/certs/*
dave# rm /etc/ipsec.d/certs/*