TCPDUMP
moon# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
PRE-TEST
moon# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
carol# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
moon# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
carol# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...
carol# sleep 1
carol# ssh 10.1.0.10 hostname
alice
carol# ping -c 1 10.1.0.10 > /dev/null
ping: sendmsg: Operation not permitted
carol# sleep 2
TEST
carol# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=0.758 ms
carol# ping -c 1 10.1.0.1 | grep '64 bytes from 10.1.0.1: icmp_seq' [YES]
64 bytes from 10.1.0.1: icmp_seq=1 ttl=64 time=0.525 ms
carol# ssh 10.1.0.10 hostname | grep 'alice' [YES]
alice
carol# cat /var/log/daemon.log | grep 'creating acquire job' [YES]
Jul 20 16:28:21 carol charon: 04[KNL] creating acquire job for policy 192.168.0.100/32[tcp] === 10.1.0.10/32[tcp/ssh] with reqid {2}
Jul 20 16:28:24 carol charon: 04[KNL] creating acquire job for policy 192.168.0.100/32[icmp/8] === 10.1.0.10/32[icmp] with reqid {1}
carol# ipsec statusall | grep 'home-icmp.*INSTALLED' [YES]
home-icmp{1}: INSTALLED, TUNNEL, ESP SPIs: c95bdd3c_i c467e92c_o
carol# ipsec statusall | grep 'home-ssh.*INSTALLED' [YES]
home-ssh{2}: INSTALLED, TUNNEL, ESP SPIs: c0f68a85_i c0f26088_o
moon# ipsec statusall | grep 'rw-icmp.*INSTALLED' [YES]
rw-icmp{2}: INSTALLED, TUNNEL, ESP SPIs: c467e92c_i c95bdd3c_o
moon# ipsec statusall | grep 'rw-ssh.*INSTALLED' [YES]
rw-ssh{1}: INSTALLED, TUNNEL, ESP SPIs: c0f26088_i c0f68a85_o
moon# killall tcpdump
moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP' [YES]
16:28:24.244425 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x1), length 100
16:28:24.247673 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x2), length 100
16:28:24.309114 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x3), length 100
16:28:24.310662 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x4), length 116
16:28:24.312135 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x5), length 884
16:28:24.331116 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x6), length 116
16:28:24.349791 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x7), length 244
16:28:24.358475 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x8), length 116
16:28:24.368922 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x9), length 148
16:28:24.369358 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0xa), length 164
16:28:24.376080 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0xb), length 484
16:28:24.380281 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0xc), length 228
16:28:24.384808 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0xd), length 164
16:28:24.408696 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0xe), length 100
16:28:24.409284 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0xf), length 132
16:28:24.409508 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x10), length 100
16:28:24.412042 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x11), length 100
16:28:37.361718 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc467e92c,seq=0x1), length 132
16:28:37.691692 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc467e92c,seq=0x2), length 132
16:28:38.052522 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x12), length 100
16:28:38.053224 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x13), length 100
16:28:38.116647 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x14), length 100
16:28:38.118070 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x15), length 116
16:28:38.119155 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x16), length 884
16:28:38.139635 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x17), length 116
16:28:38.182055 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x18), length 244
16:28:38.207968 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x19), length 116
16:28:38.219103 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x1a), length 148
16:28:38.220249 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x1b), length 164
16:28:38.238973 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x1c), length 484
16:28:38.251518 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x1d), length 228
16:28:38.265527 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x1e), length 164
16:28:38.361385 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x1f), length 100
16:28:38.362024 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x20), length 132
16:28:38.362418 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x21), length 100
16:28:38.379187 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xc0f26088,seq=0x22), length 100
moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP' [YES]
16:28:24.245544 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x1), length 100
16:28:24.308711 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x2), length 116
16:28:24.310934 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x3), length 100
16:28:24.312374 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x4), length 100
16:28:24.330052 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x5), length 884
16:28:24.346715 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x6), length 244
16:28:24.355541 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x7), length 564
16:28:24.368811 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x8), length 100
16:28:24.369082 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x9), length 100
16:28:24.369120 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0xa), length 148
16:28:24.371538 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0xb), length 164
16:28:24.379395 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0xc), length 132
16:28:24.384562 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0xd), length 148
16:28:24.408382 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0xe), length 308
16:28:24.408428 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0xf), length 148
16:28:24.408451 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x10), length 164
16:28:24.411865 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x11), length 100
16:28:37.362127 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc95bdd3c,seq=0x1), length 132
16:28:37.691864 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc95bdd3c,seq=0x2), length 132
16:28:38.052948 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x12), length 100
16:28:38.116342 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x13), length 116
16:28:38.118333 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x14), length 100
16:28:38.119446 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x15), length 100
16:28:38.138478 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x16), length 884
16:28:38.161454 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x17), length 100
16:28:38.172636 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x18), length 244
16:28:38.182344 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x19), length 100
16:28:38.199189 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x1a), length 564
16:28:38.218622 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x1b), length 100
16:28:38.219455 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x1c), length 100
16:28:38.219603 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x1d), length 148
16:28:38.226642 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x1e), length 164
16:28:38.249290 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x1f), length 132
16:28:38.264845 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x20), length 148
16:28:38.359842 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x21), length 308
16:28:38.359945 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x22), length 148
16:28:38.360059 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x23), length 164
16:28:38.368851 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc0f68a85,seq=0x24), length 100
POST-TEST
moon# ipsec stop
Stopping strongSwan IPsec...
carol# ipsec stop
Stopping strongSwan IPsec...
moon# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
carol# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]