TCPDUMP
alice# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
sun# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
bob# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST
moon# echo 1 > /proc/sys/net/ipv4/ip_forward
sun# echo 1 > /proc/sys/net/ipv4/ip_forward
winnetou# ip route add 10.1.0.0/16 via 192.168.0.1
winnetou# ip route add 10.2.0.0/16 via 192.168.0.2
alice# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
moon# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
sun# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
bob# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
moon# sleep 2
moon# ping -n -c 3 -s 8184 -p deadbeef 10.1.0.10
ping: sendmsg: Operation not permitted
PATTERN: 0xdeadbeef
PING 10.1.0.10 (10.1.0.10) 8184(8212) bytes of data.
8192 bytes from 10.1.0.10: icmp_seq=2 ttl=64 time=1.87 ms
8192 bytes from 10.1.0.10: icmp_seq=3 ttl=64 time=2.00 ms

--- 10.1.0.10 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2010ms
rtt min/avg/max/mdev = 1.876/1.940/2.004/0.064 ms
moon# ping -n -c 3 -s 8184 -p deadbeef 192.168.0.2
ping: sendmsg: Operation not permitted
PATTERN: 0xdeadbeef
PING 192.168.0.2 (192.168.0.2) 8184(8212) bytes of data.
8192 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=1.92 ms
8192 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=1.73 ms

--- 192.168.0.2 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2004ms
rtt min/avg/max/mdev = 1.739/1.834/1.929/0.095 ms
bob# ping -n -c 3 -s 8184 -p deadbeef 10.2.0.1
ping: sendmsg: Operation not permitted
PATTERN: 0xdeadbeef
PING 10.2.0.1 (10.2.0.1) 8184(8212) bytes of data.
8192 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.81 ms
8192 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=1.99 ms

--- 10.2.0.1 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2015ms
rtt min/avg/max/mdev = 1.817/1.904/1.991/0.087 ms

TEST
moon# cat /var/log/daemon.log | grep 'creating acquire job' [YES]
Jul 20 15:39:24 moon charon: 04[KNL] creating acquire job for policy 10.1.0.1/32[udp/57711] === 10.1.0.10/32[udp/1025] with reqid {1}
Jul 20 15:39:28 moon charon: 04[KNL] creating acquire job for policy 192.168.0.1/32[udp/41255] === 192.168.0.2/32[udp/1025] with reqid {2}
bob# cat /var/log/daemon.log | grep 'creating acquire job' [YES]
Jul 20 15:39:31 bob charon: 04[KNL] creating acquire job for policy 10.2.0.10/32[udp/60747] === 10.2.0.1/32[udp/1025] with reqid {1}
moon# ipsec statusall | grep 'alice.*INSTALLED, TRANSPORT' [YES]
alice{1}: INSTALLED, TRANSPORT, ESP SPIs: cb794ed6_i cbb0fe03_o, IPCOMP CPIs: eb7d_i 7364_o
moon# ipsec statusall | grep 'sun.*INSTALLED, TRANSPORT' [YES]
sun{2}: INSTALLED, TRANSPORT, ESP SPIs: cf6f216c_i c7fa94d1_o, IPCOMP CPIs: ec59_i 77f7_o
alice# ipsec statusall | grep 'remote.*INSTALLED, TRANSPORT' [YES]
remote{1}: INSTALLED, TRANSPORT, ESP SPIs: cbb0fe03_i cb794ed6_o, IPCOMP CPIs: 7364_i eb7d_o
sun# ipsec statusall | grep 'remote.*INSTALLED, TRANSPORT' [YES]
remote{1}: INSTALLED, TRANSPORT, ESP SPIs: c7fa94d1_i cf6f216c_o, IPCOMP CPIs: 77f7_i ec59_o
remote{2}: INSTALLED, TRANSPORT, ESP SPIs: cd185177_i c14093d5_o, IPCOMP CPIs: 2a64_i d84b_o
bob# ipsec statusall | grep 'sun.*INSTALLED, TRANSPORT' [YES]
sun{1}: INSTALLED, TRANSPORT, ESP SPIs: c14093d5_i cd185177_o, IPCOMP CPIs: d84b_i 2a64_o
alice# killall tcpdump
alice# cat /tmp/tcpdump.log | grep 'IP moon1.strongswan.org > alice.strongswan.org: ESP' [YES]
15:39:26.135731 IP moon1.strongswan.org > alice.strongswan.org: ESP(spi=0xcbb0fe03,seq=0x1), length 100
15:39:27.137150 IP moon1.strongswan.org > alice.strongswan.org: ESP(spi=0xcbb0fe03,seq=0x2), length 116
alice# cat /tmp/tcpdump.log | grep 'IP alice.strongswan.org > moon1.strongswan.org: ESP' [YES]
15:39:26.136621 IP alice.strongswan.org > moon1.strongswan.org: ESP(spi=0xcb794ed6,seq=0x1), length 100
15:39:27.137953 IP alice.strongswan.org > moon1.strongswan.org: ESP(spi=0xcb794ed6,seq=0x2), length 100
sun# killall tcpdump
sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > sun.strongswan.org: ESP' [YES]
15:39:29.578055 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc7fa94d1,seq=0x1), length 116
15:39:30.578677 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xc7fa94d1,seq=0x2), length 116
sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org > moon.strongswan.org: ESP' [YES]
15:39:29.578977 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xcf6f216c,seq=0x1), length 100
15:39:30.579485 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xcf6f216c,seq=0x2), length 100
bob# killall tcpdump
bob# cat /tmp/tcpdump.log | grep 'IP bob.strongswan.org > sun1.strongswan.org: ESP' [YES]
15:39:32.952420 IP bob.strongswan.org > sun1.strongswan.org: ESP(spi=0xcd185177,seq=0x1), length 116
15:39:33.962901 IP bob.strongswan.org > sun1.strongswan.org: ESP(spi=0xcd185177,seq=0x2), length 100
bob# cat /tmp/tcpdump.log | grep 'IP sun1.strongswan.org > bob.strongswan.org: ESP' [YES]
15:39:32.953479 IP sun1.strongswan.org > bob.strongswan.org: ESP(spi=0xc14093d5,seq=0x1), length 100
15:39:33.964172 IP sun1.strongswan.org > bob.strongswan.org: ESP(spi=0xc14093d5,seq=0x2), length 100

POST-TEST
alice# ipsec stop
Stopping strongSwan IPsec...
moon# ipsec stop
Stopping strongSwan IPsec...
sun# ipsec stop
Stopping strongSwan IPsec...
bob# ipsec stop
Stopping strongSwan IPsec...
winnetou# ip route del 10.1.0.0/16 via 192.168.0.1
winnetou# ip route del 10.2.0.0/16 via 192.168.0.2
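The TEST section above only greps for the presence of an INSTALLED CHILD_SA and of ESP packets; it does not tie the two together. The following is an added shell example, not part of the strongSwan test suite output, that does that cross-check from one host's point of view: it parses the ESP SPIs out of an `ipsec statusall` line, confirms that every ESP packet tcpdump captured from the peer carries the SA's inbound SPI and every packet towards the peer carries the outbound SPI, checks that the two peers' SA lines are mirror images of each other, and checks that the ESP packets are much smaller than the 8192-byte 0xdeadbeef ping payload, which is only possible if IPCOMP really compressed the traffic. The sample status line and capture lines are copied from alice's output above and embedded as constructed input; the function names (`spi_from_status`, `wire_spis`, `sa_matches_wire`, `sa_mirror`, `max_esp_len`, `compressed`) are this example's own. The first echo request in each ping failing with "Operation not permitted" is expected: it is the packet that hit the trap policy and triggered the "creating acquire job" entry, and it is dropped while the SA is being negotiated, hence the 33% loss.

```shell
# Added example: verify that the ESP traffic seen on the wire really belongs to the
# installed CHILD_SA and that IPCOMP was applied. Input lines are copied from alice's
# console output above (constructed input for this example, not live data).

STATUS_LINE='remote{1}: INSTALLED, TRANSPORT, ESP SPIs: cbb0fe03_i cb794ed6_o, IPCOMP CPIs: 7364_i eb7d_o'
CAPTURE='15:39:26.135731 IP moon1.strongswan.org > alice.strongswan.org: ESP(spi=0xcbb0fe03,seq=0x1), length 100
15:39:27.137150 IP moon1.strongswan.org > alice.strongswan.org: ESP(spi=0xcbb0fe03,seq=0x2), length 116
15:39:26.136621 IP alice.strongswan.org > moon1.strongswan.org: ESP(spi=0xcb794ed6,seq=0x1), length 100
15:39:27.137953 IP alice.strongswan.org > moon1.strongswan.org: ESP(spi=0xcb794ed6,seq=0x2), length 100'

# spi_from_status DIR LINE: print the ESP SPI tagged _i (inbound) or _o (outbound).
# Only 8-hex-digit tokens are accepted, so the shorter IPCOMP CPIs are never matched.
spi_from_status() {
    printf '%s\n' "$2" | awk -v dir="$1" '
        { for (n = 1; n <= NF; n++) {
              f = $n; sub(/,$/, "", f)
              if (f ~ ("_" dir "$") && length(f) == 10) { sub(/_.$/, "", f); print f; exit }
          } }'
}

# wire_spis SRC DST CAPTURE: print every distinct SPI seen in ESP packets SRC -> DST.
wire_spis() {
    printf '%s\n' "$3" | awk -v src="$1" -v dst="$2" '
        $2 == "IP" && $3 == src && $4 == ">" && $5 == (dst ":") && $6 ~ /^ESP\(spi=0x/ {
            s = $6; sub(/^ESP\(spi=0x/, "", s); sub(/,.*/, "", s); seen[s] = 1
        }
        END { for (s in seen) print s }'
}

# sa_matches_wire ME PEER STATUS CAPTURE: succeed only if each direction on the wire
# shows exactly the SA's SPI for that direction. No ESP at all, or an unexpected SPI
# (traffic using some other SA), both count as failure.
sa_matches_wire() {
    me=$1 peer=$2 status=$3 capture=$4
    in_spi=$(spi_from_status i "$status")
    out_spi=$(spi_from_status o "$status")
    [ -n "$in_spi" ] && [ -n "$out_spi" ] || return 2
    [ "$(wire_spis "$peer" "$me" "$capture")" = "$in_spi" ] || return 1
    [ "$(wire_spis "$me" "$peer" "$capture")" = "$out_spi" ] || return 1
}

# sa_mirror LOCAL_STATUS PEER_STATUS: one side's inbound SPI must be the other's outbound.
sa_mirror() {
    [ "$(spi_from_status i "$1")" = "$(spi_from_status o "$2")" ] &&
    [ "$(spi_from_status o "$1")" = "$(spi_from_status i "$2")" ]
}

# max_esp_len SRC DST CAPTURE: largest ESP packet length tcpdump printed for SRC -> DST.
max_esp_len() {
    printf '%s\n' "$3" | awk -v src="$1" -v dst="$2" '
        BEGIN { m = 0 }
        $2 == "IP" && $3 == src && $5 == (dst ":") && $6 ~ /^ESP/ && $7 == "length" { if ($8 + 0 > m) m = $8 + 0 }
        END { print m }'
}

# compressed ME PEER CAPTURE PAYLOAD_BYTES: every ESP packet in both directions must be
# smaller than the cleartext payload; an uncompressed 8192-byte echo could never fit.
compressed() {
    [ "$(max_esp_len "$1" "$2" "$3")" -lt "$4" ] && [ "$(max_esp_len "$2" "$1" "$3")" -lt "$4" ]
}

if sa_matches_wire alice.strongswan.org moon1.strongswan.org "$STATUS_LINE" "$CAPTURE" &&
   compressed alice.strongswan.org moon1.strongswan.org "$CAPTURE" 8192; then
    echo "alice<->moon1: wire SPIs match the installed SA and the payload was compressed"
else
    echo "alice<->moon1: MISMATCH, inspect /tmp/tcpdump.log and ipsec statusall" >&2
fi
```

On a live host the same functions take `ipsec statusall | grep INSTALLED` and `cat /tmp/tcpdump.log` as input; the tcpdump filter used in this scenario already excludes ssh, DNS and ARP, so anything else that is not ESP in the capture is traffic that bypassed the policy and deserves a look.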