TCPDUMP
moon# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
alice# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST
moon# /etc/init.d/iptables start 2> /dev/null
 * Starting firewall ... [ ok ]
carol# /etc/init.d/iptables start 2> /dev/null
 * Starting firewall ... [ ok ]
dave# /etc/init.d/iptables start 2> /dev/null
 * Starting firewall ... [ ok ]
carol# ipsec start
Starting strongSwan IPsec 2.8.8 [starter]...
dave# ipsec start
Starting strongSwan IPsec 2.8.8 [starter]...
moon# ipsec start
Starting strongSwan IPsec 2.8.8 [starter]...
moon# sleep 2
moon# ipsec up carol
002 "carol"[1] 192.168.0.100 #1: initiating Main Mode
104 "carol"[1] 192.168.0.100 #1: STATE_MAIN_I1: initiate
003 "carol"[1] 192.168.0.100 #1: ignoring Vendor ID payload [strongSwan 2.8.8]
003 "carol"[1] 192.168.0.100 #1: received Vendor ID payload [XAUTH]
003 "carol"[1] 192.168.0.100 #1: received Vendor ID payload [Dead Peer Detection]
106 "carol"[1] 192.168.0.100 #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "carol"[1] 192.168.0.100 #1: we have a cert and are sending it
108 "carol"[1] 192.168.0.100 #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "carol"[1] 192.168.0.100 #1: Peer ID is ID_USER_FQDN: 'carol@strongswan.org'
002 "carol"[1] 192.168.0.100 #1: crl not found
002 "carol"[1] 192.168.0.100 #1: certificate status unknown
002 "carol"[1] 192.168.0.100 #1: ISAKMP SA established
004 "carol"[1] 192.168.0.100 #1: STATE_MAIN_I4: ISAKMP SA established
002 "carol"[1] 192.168.0.100 #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "carol"[1] 192.168.0.100 #2: STATE_QUICK_I1: initiate
002 "carol"[1] 192.168.0.100 #2: sent QI2, IPsec SA established {ESP=>0x2f728c32 <0x08956452}
004 "carol"[1] 192.168.0.100 #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2f728c32 <0x08956452}
moon# sleep 1
carol# iptables -D INPUT -i eth0 -p udp --dport 500 --sport 500 -j ACCEPT
carol# iptables -D OUTPUT -o eth0 -p udp --dport 500 --sport 500 -j ACCEPT
dave# ipsec up moon
002 "moon"[1] 192.168.0.1 #1: initiating Main Mode
104 "moon"[1] 192.168.0.1 #1: STATE_MAIN_I1: initiate
003 "moon"[1] 192.168.0.1 #1: ignoring Vendor ID payload [strongSwan 2.8.8]
003 "moon"[1] 192.168.0.1 #1: received Vendor ID payload [XAUTH]
003 "moon"[1] 192.168.0.1 #1: received Vendor ID payload [Dead Peer Detection]
106 "moon"[1] 192.168.0.1 #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "moon"[1] 192.168.0.1 #1: we have a cert and are sending it
108 "moon"[1] 192.168.0.1 #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "moon"[1] 192.168.0.1 #1: Peer ID is ID_FQDN: '@moon.strongswan.org'
002 "moon"[1] 192.168.0.1 #1: crl not found
002 "moon"[1] 192.168.0.1 #1: certificate status unknown
002 "moon"[1] 192.168.0.1 #1: ISAKMP SA established
004 "moon"[1] 192.168.0.1 #1: STATE_MAIN_I4: ISAKMP SA established
002 "moon"[1] 192.168.0.1 #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "moon"[1] 192.168.0.1 #2: STATE_QUICK_I1: initiate
002 "moon"[1] 192.168.0.1 #2: sent QI2, IPsec SA established {ESP=>0x63ecf3ec <0xfecca43d}
004 "moon"[1] 192.168.0.1 #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x63ecf3ec <0xfecca43d}
dave# sleep 1

TEST
carol# ipsec status | grep 'moon.*STATE_QUICK_R2.*IPsec SA established' [YES]
000 #2: "moon"[1] 192.168.0.1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1105s; newest IPSEC; eroute owner
dave# ipsec status | grep 'moon.*STATE_QUICK_I2.*IPsec SA established' [YES]
000 #2: "moon"[1] 192.168.0.1 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 901s; newest IPSEC; eroute owner
moon# cat /var/log/auth.log | grep '192.168.0.100.*IPsec SA established' [YES]
Dec 6 12:04:23 moon pluto[19822]: "carol"[1] 192.168.0.100 #2: sent QI2, IPsec SA established {ESP=>0x2f728c32 <0x08956452}
moon# cat /var/log/auth.log | grep '192.168.0.200.*deleting connection.*with peer 192.168.0.100' [YES]
Dec 6 12:04:26 moon pluto[19822]: "carol"[2] 192.168.0.200 #3: deleting connection "carol" instance with peer 192.168.0.100 {isakmp=#1/ipsec=#2}
moon# cat /var/log/auth.log | grep '192.168.0.200.*IPsec SA established' [YES]
Dec 6 12:04:27 moon pluto[19822]: "carol"[2] 192.168.0.200 #4: IPsec SA established {ESP=>0xfecca43d <0x63ecf3ec}
dave# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=2.30 ms
alice# killall tcpdump
alice# cat /tmp/tcpdump.log | grep 'IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request' [YES]
12:04:29.742933 IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request, id 31773, seq 1, length 64
alice# cat /tmp/tcpdump.log | grep 'IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply' [YES]
12:04:29.744676 IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply, id 31773, seq 1, length 64

POST-TEST
dave# ipsec stop
Stopping strongSwan IPsec...
carol# ipsec stop
Stopping strongSwan IPsec...
dave# sleep 1
moon# ipsec stop
Stopping strongSwan IPsec...
moon# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
carol# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
dave# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
carol# ip addr del 10.3.0.1/32 dev eth0
dave# ip addr del 10.3.0.1/32 dev eth0
dave# rm /etc/ipsec.d/certs/*
dave# rm /etc/ipsec.d/private/*
moon# killall tcpdump
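The TEST phase above checks three things in moon's pluto log: the first IPsec SA with carol at 192.168.0.100, the new instance "carol"[2] arriving from 192.168.0.200 deleting the old instance, and the replacement SA with the new peer address; it also shows the same ESP SA from both ends (dave's and moon's "IPsec SA established" lines carry the same two SPIs with in/out swapped). The script below is an added example, not part of the strongSwan test scenario or its output: it re-evaluates those conditions offline against a constructed copy of the log lines quoted on this page. The helper names check_replaced, check_sample, spi_pair and spis_mirrored are this example's own, the sample lines are copied from the page, and nothing here talks to pluto or ipsec.

```sh
#!/bin/sh
# Added example, not part of the strongSwan test run above: re-evaluate the
# TEST-phase log conditions offline against a constructed copy of the pluto
# lines that moon logged, so the "same identity, new peer address" sequence
# can be checked without re-running the scenario.

# Constructed sample: the three /var/log/auth.log lines from moon quoted above.
SAMPLE_LOG='Dec  6 12:04:23 moon pluto[19822]: "carol"[1] 192.168.0.100 #2: sent QI2, IPsec SA established {ESP=>0x2f728c32 <0x08956452}
Dec  6 12:04:26 moon pluto[19822]: "carol"[2] 192.168.0.200 #3: deleting connection "carol" instance with peer 192.168.0.100 {isakmp=#1/ipsec=#2}
Dec  6 12:04:27 moon pluto[19822]: "carol"[2] 192.168.0.200 #4: IPsec SA established {ESP=>0xfecca43d <0x63ecf3ec}'

# check_replaced OLD NEW (log on stdin): succeeds only if the log shows, in
# this order, an IPsec SA with peer OLD, then the instance at NEW deleting the
# instance that still pointed at OLD, then an IPsec SA with peer NEW.
# Fixed-string index() matching is used so the dots in the addresses are not
# treated as regex wildcards.
check_replaced() {
    awk -v old="$1" -v new="$2" '
        index($0, old " #") && index($0, "IPsec SA established") && stage == 0 { stage = 1 }
        index($0, new " #") && index($0, "deleting connection") && index($0, "with peer " old) && stage == 1 { stage = 2 }
        index($0, new " #") && index($0, "IPsec SA established") && stage == 2 { stage = 3 }
        END { if (stage == 3) exit 0; exit 1 }'
}

# check_sample OLD NEW: run check_replaced over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | check_replaced "$1" "$2"
}

# spi_pair (one "IPsec SA established {ESP=>X <Y}" line on stdin): prints
# "outbound inbound" SPIs, or nothing if the line carries no SPI pair.
spi_pair() {
    sed -n 's/.*{ESP=>\(0x[0-9a-fA-F]*\) <\(0x[0-9a-fA-F]*\)}.*/\1 \2/p'
}

# spis_mirrored LINE_A LINE_B: true when both sides report the same ESP SA,
# i.e. A's outbound SPI is B's inbound SPI and vice versa.
spis_mirrored() {
    a=$(printf '%s\n' "$1" | spi_pair)
    b=$(printf '%s\n' "$2" | spi_pair)
    [ -n "$a" ] && [ -n "$b" ] || return 1
    set -- $a $b
    [ "$1" = "$4" ] && [ "$2" = "$3" ]
}

# Constructed sample: dave's initiator line and moon's responder line for the
# same ESP SA, copied from the output above.
DAVE_LINE='004 "moon"[1] 192.168.0.1 #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x63ecf3ec <0xfecca43d}'
MOON_LINE='Dec  6 12:04:27 moon pluto[19822]: "carol"[2] 192.168.0.200 #4: IPsec SA established {ESP=>0xfecca43d <0x63ecf3ec}'

# Run both checks on the samples; each succeeds (exit 0) for the page's data.
check_sample 192.168.0.100 192.168.0.200 && echo "SA for 192.168.0.100 was replaced by the peer at 192.168.0.200"
spis_mirrored "$DAVE_LINE" "$MOON_LINE" && echo "dave and moon report the same ESP SPIs"
```

To apply it to a live run, pipe the real log instead of the sample (`grep pluto /var/log/auth.log | check_replaced 192.168.0.100 192.168.0.200`); the order constraint matters, because seeing an SA with the new address without the intervening "deleting connection" line would mean two instances of the same identity coexisted rather than one replacing the other.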