TCPDUMP

moon# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &

PRE-TEST

moon# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...                                                  [ ok ]

carol# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...                                                  [ ok ]

moon# cat /etc/ipsec.d/triplets.dat
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB

carol# cat /etc/ipsec.d/triplets.dat
carol@strongswan.org,30000000000000000000000000000000,30112233,305566778899AABB
carol@strongswan.org,31000000000000000000000000000000,31112233,315566778899AABB
carol@strongswan.org,32000000000000000000000000000000,32112233,325566778899AABB

moon# ipsec start
Starting strongSwan 4.5.3 IPsec [starter]...
No leaks detected, 5 suppressed by whitelist

carol# ipsec start
Starting strongSwan 4.5.3 IPsec [starter]...
No leaks detected, 5 suppressed by whitelist

carol# sleep 1

carol# ipsec up home
initiating IKE_SA home[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
received packet: from 192.168.0.1[500] to 192.168.0.100[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/SIM ]
received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
  using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
  using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
  fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
  using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
  crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
  crl is valid: until Sep 01 21:49:28 2011
certificate status is good
  reached self-signed root ca with a path length of 0
authentication of 'moon.strongswan.org' with RSA signature successful
server requested EAP_SIM authentication (id 0xFF)
generating IKE_AUTH request 2 [ EAP/RES/SIM ]
sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
parsed IKE_AUTH response 2 [ EAP/REQ/SIM ]
generating IKE_AUTH request 3 [ EAP/RES/SIM ]
sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
parsed IKE_AUTH response 3 [ EAP/SUCC ]
EAP method EAP_SIM succeeded, MSK established
authentication of 'carol@strongswan.org' (myself) with EAP
generating IKE_AUTH request 4 [ AUTH ]
sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
parsed IKE_AUTH response 4 [ AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
authentication of 'moon.strongswan.org' with EAP successful
IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]
scheduling reauthentication in 3276s
maximum IKE_SA lifetime 3456s
No leaks detected, 1 suppressed by whitelist

carol# sleep 1


TEST

carol# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' with RSA signature successful' [YES]
Aug  3 01:31:21 carol charon: 08[IKE] authentication of 'moon.strongswan.org' with RSA signature successful 

carol# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' with EAP successful' [YES]
Aug  3 01:31:22 carol charon: 03[IKE] authentication of 'moon.strongswan.org' with EAP successful 

moon# cat /var/log/daemon.log | grep 'authentication of 'carol@strongswan.org' with EAP successful' [YES]
Aug  3 01:31:21 moon charon: 04[IKE] authentication of 'carol@strongswan.org' with EAP successful 

moon# ipsec statusall | grep 'rw-eap-sim.*ESTABLISHED' [YES]
No leaks detected, 1 suppressed by whitelist
  rw-eap-sim[1]: ESTABLISHED 3 seconds ago, 192.168.0.1[moon.strongswan.org]...192.168.0.100[carol@strongswan.org]

carol# ipsec statusall | grep 'home.*ESTABLISHED' [YES]
No leaks detected, 1 suppressed by whitelist
        home[1]: ESTABLISHED 3 seconds ago, 192.168.0.100[carol@strongswan.org]...192.168.0.1[moon.strongswan.org]

carol# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=0.786 ms

moon# killall tcpdump

moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP' [YES]
01:31:25.245746 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcd9863e3,seq=0x1), length 132

moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP' [YES]
01:31:25.246205 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc47ef10e,seq=0x1), length 132


POST-TEST

moon# ipsec stop
Stopping strongSwan IPsec...

carol# ipsec stop
Stopping strongSwan IPsec...

moon# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ...                                                  [ ok ]

carol# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ...                                                  [ ok ]