TCPDUMP alice# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 & moon# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 & PRE-TEST moon# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] carol# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] dave# /etc/init.d/iptables start 2> /dev/null * Caching service dependencies ... [ ok ] * Starting firewall ... [ ok ] moon# ipsec start Starting strongSwan 4.2.17 IPsec [starter]... carol# ipsec start Starting strongSwan 4.2.17 IPsec [starter]... dave# ipsec start Starting strongSwan 4.2.17 IPsec [starter]... carol# sleep 2 carol# ipsec up home 002 "home" #1: initiating Main Mode 104 "home" #1: STATE_MAIN_I1: initiate 003 "home" #1: ignoring Vendor ID payload [strongSwan 4.2.17] 003 "home" #1: received Vendor ID payload [XAUTH] 003 "home" #1: received Vendor ID payload [Dead Peer Detection] 106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2 002 "home" #1: we have a cert and are sending it upon request 108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3 002 "home" #1: Peer ID is ID_FQDN: '@moon.strongswan.org' 002 "home" #1: crl not found 002 "home" #1: certificate status unknown 002 "home" #1: ISAKMP SA established 004 "home" #1: STATE_MAIN_I4: ISAKMP SA established 002 "home" #1: parsing XAUTH request 002 "home" #1: sending XAUTH reply 120 "home" #1: STATE_XAUTH_I1: sent XAUTH reply, expecting status 002 "home" #1: parsing XAUTH status 002 "home" #1: extended authentication was successful 002 "home" #1: sending XAUTH ack 002 "home" #1: sent XAUTH ack, established 004 "home" #1: STATE_XAUTH_I2: sent XAUTH ack, established 002 "home" #1: sending ModeCfg request 002 "home" #1: parsing ModeCfg reply 002 "home" #1: setting virtual IP source address to 10.3.0.1 002 "home" #1: received ModeCfg reply, established 004 "home" #1: STATE_MODE_CFG_I2: received ModeCfg reply, established 002 "home" #2: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG {using isakmp#1} 112 "home" #2: STATE_QUICK_I1: initiate 002 "home" #2: sent QI2, IPsec SA established {ESP=>0xbe852650 <0x694535ce} 004 "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xbe852650 <0x694535ce} dave# ipsec up home 002 "home" #1: initiating Main Mode 104 "home" #1: STATE_MAIN_I1: initiate 003 "home" #1: ignoring Vendor ID payload [strongSwan 4.2.17] 003 "home" #1: received Vendor ID payload [XAUTH] 003 "home" #1: received Vendor ID payload [Dead Peer Detection] 106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2 002 "home" #1: we have a cert and are sending it upon request 108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3 002 "home" #1: Peer ID is ID_FQDN: '@moon.strongswan.org' 002 "home" #1: crl not found 002 "home" #1: certificate status unknown 002 "home" #1: ISAKMP SA established 004 "home" #1: STATE_MAIN_I4: ISAKMP SA established 002 "home" #1: parsing XAUTH request 002 "home" #1: sending XAUTH reply 120 "home" #1: STATE_XAUTH_I1: sent XAUTH reply, expecting status 002 "home" #1: parsing XAUTH status 002 "home" #1: extended authentication was successful 002 "home" #1: sending XAUTH ack 002 "home" #1: sent XAUTH ack, established 004 "home" #1: STATE_XAUTH_I2: sent XAUTH ack, established 002 "home" #1: sending ModeCfg request 002 "home" #1: parsing ModeCfg reply 002 "home" #1: setting virtual IP source address to 10.3.0.2 002 "home" #1: received ModeCfg reply, established 004 "home" #1: STATE_MODE_CFG_I2: received ModeCfg reply, established 002 "home" #2: initiating Quick Mode ENCRYPT+TUNNEL+PFS+UP+XAUTHRSASIG {using isakmp#1} 112 "home" #2: STATE_QUICK_I1: initiate 002 "home" #2: sent QI2, IPsec SA established {ESP=>0x59e041f1 <0xfb43dceb} 004 "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x59e041f1 <0xfb43dceb} TEST carol# cat /var/log/auth.log | grep 'extended authentication was successful' [YES] Jul 20 15:36:48 carol pluto[20831]: "home" #1: extended authentication was successful dave# cat /var/log/auth.log | grep 'extended authentication was successful' [YES] Jul 20 15:36:52 dave pluto[9207]: "home" #1: extended authentication was successful moon# cat /var/log/auth.log | grep 'carol.*extended authentication was successful' [YES] Jul 20 15:36:47 moon pluto[27180]: "rw-carol"[1] 192.168.0.100 #1: extended authentication was successful moon# cat /var/log/auth.log | grep 'dave.*extended authentication was successful' [YES] Jul 20 15:36:51 moon pluto[27180]: "rw-dave"[2] 192.168.0.200 #3: extended authentication was successful carol# ipsec status | grep 'home.*STATE_QUICK_I2.*IPsec SA established' [YES] 000 #2: "home" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 976s; newest IPSEC; eroute owner dave# ipsec status | grep 'home.*STATE_QUICK_I2.*IPsec SA established' [YES] 000 #2: "home" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1003s; newest IPSEC; eroute owner moon# ipsec status | grep 'carol.*STATE_QUICK_R2.*IPsec SA established' [YES] 000 #2: "rw-carol"[1] 192.168.0.100 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1104s; newest IPSEC; eroute owner moon# ipsec status | grep 'dave.*STATE_QUICK_R2.*IPsec SA established' [YES] 000 #4: "rw-dave"[2] 192.168.0.200 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1108s; newest IPSEC; eroute owner carol# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES] 64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=0.734 ms dave# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES] 64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=1.76 ms moon# killall tcpdump moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP' [YES] 15:36:57.102439 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xbe852650,seq=0x1), length 132 moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP' [YES] 15:36:57.102903 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0x694535ce,seq=0x1), length 132 moon# cat /tmp/tcpdump.log | grep 'IP dave.strongswan.org > moon.strongswan.org: ESP' [YES] 15:36:57.450309 IP dave.strongswan.org > moon.strongswan.org: ESP(spi=0x59e041f1,seq=0x1), length 132 moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > dave.strongswan.org: ESP' [YES] 15:36:57.451715 IP moon.strongswan.org > dave.strongswan.org: ESP(spi=0xfb43dceb,seq=0x1), length 132 alice# killall tcpdump alice# cat /tmp/tcpdump.log | grep 'IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request' [YES] 15:36:57.338040 IP carol1.strongswan.org > alice.strongswan.org: ICMP echo request, id 43601, seq 1, length 64 alice# cat /tmp/tcpdump.log | grep 'IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply' [YES] 15:36:57.342524 IP alice.strongswan.org > carol1.strongswan.org: ICMP echo reply, id 43601, seq 1, length 64 alice# cat /tmp/tcpdump.log | grep 'IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request' [YES] 15:36:57.682545 IP dave1.strongswan.org > alice.strongswan.org: ICMP echo request, id 15652, seq 1, length 64 alice# cat /tmp/tcpdump.log | grep 'IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply' [YES] 15:36:57.682611 IP alice.strongswan.org > dave1.strongswan.org: ICMP echo reply, id 15652, seq 1, length 64 POST-TEST moon# ipsec stop Stopping strongSwan IPsec... carol# ipsec stop Stopping strongSwan IPsec... dave# ipsec stop Stopping strongSwan IPsec... moon# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] carol# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] dave# /etc/init.d/iptables stop 2> /dev/null * Stopping firewall ... [ ok ] carol# ip addr del 10.3.0.1/32 dev eth0 dave# ip addr del 10.3.0.2/32 dev eth0