TCPDUMP

sun# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
bob# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST

moon# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
sun# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
moon# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
sun# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
moon# sleep 2
moon# ipsec up host-net
002 "host-net" #1: initiating Main Mode
104 "host-net" #1: STATE_MAIN_I1: initiate
003 "host-net" #1: ignoring Vendor ID payload [strongSwan 4.2.17]
003 "host-net" #1: received Vendor ID payload [XAUTH]
003 "host-net" #1: received Vendor ID payload [Dead Peer Detection]
106 "host-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "host-net" #1: we have a cert and are sending it upon request
108 "host-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "host-net" #1: Peer ID is ID_FQDN: '@sun.strongswan.org'
002 "host-net" #1: crl not found
002 "host-net" #1: certificate status unknown
002 "host-net" #1: ISAKMP SA established
004 "host-net" #1: STATE_MAIN_I4: ISAKMP SA established
002 "host-net" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "host-net" #2: STATE_QUICK_I1: initiate
002 "host-net" #2: sent QI2, IPsec SA established {ESP=>0x21275697 <0x99e04056}
004 "host-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x21275697 <0x99e04056}

TEST

moon# ipsec status | grep 'host-net.*STATE_QUICK_I2.*IPsec SA established' [YES]
000 #2: "host-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 902s; newest IPSEC; eroute owner
sun# ipsec status | grep 'host-net.*STATE_QUICK_R2.*IPsec SA established' [YES]
000 #2: "host-net"[2] 192.168.0.1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1110s; newest IPSEC; eroute owner
moon# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=14.4 ms
bob# ping -c 1 192.168.0.1 | grep '64 bytes from 192.168.0.1: icmp_seq=1' [YES]
64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=1.14 ms
alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=62 time=11.6 ms
venus# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=62 time=11.5 ms
sun# killall tcpdump
sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > sun.strongswan.org: ESP' [YES]
14:59:46.118413 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x21275697,seq=0x1), length 132
14:59:46.522949 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x21275697,seq=0x2), length 132
14:59:46.669380 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x21275697,seq=0x3), length 132
14:59:47.120481 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x21275697,seq=0x4), length 132
sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org > moon.strongswan.org: ESP' [YES]
14:59:46.132611 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x99e04056,seq=0x1), length 132
14:59:46.522482 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x99e04056,seq=0x2), length 132
14:59:46.669580 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x99e04056,seq=0x3), length 132
14:59:47.120841 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x99e04056,seq=0x4), length 132
bob# killall tcpdump
bob# cat /tmp/tcpdump.log | grep 'ICMP' [YES]
14:59:46.107114 IP moon.strongswan.org > bob.strongswan.org: ICMP echo request, id 24383, seq 1, length 64
14:59:46.132037 IP bob.strongswan.org > moon.strongswan.org: ICMP echo reply, id 24383, seq 1, length 64
14:59:46.496623 IP bob.strongswan.org > moon.strongswan.org: ICMP echo request, id 36112, seq 1, length 64
14:59:46.497696 IP moon.strongswan.org > bob.strongswan.org: ICMP echo reply, id 36112, seq 1, length 64
14:59:46.643830 IP moon.strongswan.org > bob.strongswan.org: ICMP echo request, id 21, seq 1, length 64
14:59:46.643870 IP bob.strongswan.org > moon.strongswan.org: ICMP echo reply, id 21, seq 1, length 64
14:59:47.095017 IP moon.strongswan.org > bob.strongswan.org: ICMP echo request, id 22542, seq 1, length 64
14:59:47.095068 IP bob.strongswan.org > moon.strongswan.org: ICMP echo reply, id 22542, seq 1, length 64

POST-TEST

moon# iptables -t nat -v -n -L
Chain PREROUTING (policy ACCEPT 103 packets, 6356 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 11 packets, 880 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 MASQUERADE  all  --  *      eth0    10.1.0.0/16          0.0.0.0/0
Chain OUTPUT (policy ACCEPT 11 packets, 880 bytes)
 pkts bytes target     prot opt in     out     source               destination
moon# ipsec stop
Stopping strongSwan IPsec...
sun# ipsec stop
Stopping strongSwan IPsec...
moon# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
sun# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]