TCPDUMP

moon# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST

moon# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...                                                  [ ok ]

carol# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...                                                  [ ok ]

dave# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ...                                       [ ok ]
 * Starting firewall ...                                                  [ ok ]

carol# rm /etc/ipsec.d/cacerts/*

moon# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...

carol# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...

dave# ipsec start
Starting strongSwan 4.2.17 IPsec [starter]...

carol# sleep 1

carol# ipsec up home
initiating IKE_SA home[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.100[500] to 192.168.0.1[500]
received packet: from 192.168.0.1[500] to 192.168.0.100[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for unknown ca with keyid ae:09:6b:87:b4:48:86:d3:b8:20:97:86:23:da:bd:0e:ae:22:eb:bc
authentication of 'carol@strongswan.org' (myself) with pre-shared key
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
sending packet: from 192.168.0.100[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.100[4500]
parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
authentication of '192.168.0.1' with pre-shared key successful
scheduling reauthentication in 3284s
maximum IKE_SA lifetime 3464s
IKE_SA home[1] established between 192.168.0.100[carol@strongswan.org]...192.168.0.1[192.168.0.1]

dave# ipsec up home
initiating IKE_SA home[1] to 192.168.0.1
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.200[500] to 192.168.0.1[500]
received packet: from 192.168.0.1[500] to 192.168.0.200[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of 'dave@strongswan.org' (myself) with RSA signature successful
sending end entity cert "C=CH, O=Linux strongSwan, OU=Accounting, CN=dave@strongswan.org"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT CERTREQ IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
sending packet: from 192.168.0.200[4500] to 192.168.0.1[4500]
received packet: from 192.168.0.1[4500] to 192.168.0.200[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
  using certificate "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
  using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, CN=moon.strongswan.org"
  fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
  using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
  crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
  crl is valid: until Aug 19 13:47:17 2009
certificate status is good
authentication of 'moon.strongswan.org' with RSA signature successful
scheduling reauthentication in 3248s
maximum IKE_SA lifetime 3428s
IKE_SA home[1] established between 192.168.0.200[dave@strongswan.org]...192.168.0.1[moon.strongswan.org]


TEST

moon# cat /var/log/daemon.log | grep 'authentication of 'carol@strongswan.org' with pre-shared key successful' [YES]
Jul 20 16:42:53 moon charon: 13[IKE] authentication of 'carol@strongswan.org' with pre-shared key successful 

moon# cat /var/log/daemon.log | grep 'authentication of '192.168.0.1' (myself) with pre-shared key' [YES]
Jul 20 16:42:53 moon charon: 13[IKE] authentication of '192.168.0.1' (myself) with pre-shared key 

moon# ipsec statusall | grep 'rw-psk.*INSTALLED' [YES]
      rw-psk{1}:  INSTALLED, TUNNEL, ESP SPIs: cdd56d9c_i c852ebea_o

carol# ipsec statusall | grep 'home.*ESTABLISHED' [YES]
        home[1]: ESTABLISHED 3 seconds ago, 192.168.0.100[carol@strongswan.org]...192.168.0.1[192.168.0.1]

moon# cat /var/log/daemon.log | grep 'authentication of 'dave@strongswan.org' with RSA signature successful' [YES]
Jul 20 16:42:54 moon charon: 08[IKE] authentication of 'dave@strongswan.org' with RSA signature successful 

moon# cat /var/log/daemon.log | grep 'authentication of 'moon.strongswan.org' (myself) with RSA signature successful' [YES]
Jul 20 16:42:54 moon charon: 08[IKE] authentication of 'moon.strongswan.org' (myself) with RSA signature successful 

moon# ipsec statusall | grep 'rw-rsasig.*INSTALLED' [YES]
   rw-rsasig{2}:  INSTALLED, TUNNEL, ESP SPIs: c8ca2a42_i ce7f5bc5_o

dave# ipsec statusall | grep 'home.*ESTABLISHED' [YES]
        home[1]: ESTABLISHED 3 seconds ago, 192.168.0.200[dave@strongswan.org]...192.168.0.1[moon.strongswan.org]

carol# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=1.53 ms

dave# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=0.553 ms

moon# killall tcpdump

moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP' [YES]
16:42:57.896053 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0xcdd56d9c,seq=0x1), length 132

moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP' [YES]
16:42:57.897398 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xc852ebea,seq=0x1), length 132

moon# cat /tmp/tcpdump.log | grep 'IP dave.strongswan.org > moon.strongswan.org: ESP' [YES]
16:42:58.113944 IP dave.strongswan.org > moon.strongswan.org: ESP(spi=0xc8ca2a42,seq=0x1), length 132

moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > dave.strongswan.org: ESP' [YES]
16:42:58.114276 IP moon.strongswan.org > dave.strongswan.org: ESP(spi=0xce7f5bc5,seq=0x1), length 132


POST-TEST

moon# ipsec stop
Stopping strongSwan IPsec...

carol# ipsec stop
Stopping strongSwan IPsec...

dave# ipsec stop
Stopping strongSwan IPsec...

moon# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ...                                                  [ ok ]

carol# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ...                                                  [ ok ]

dave# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ...                                                  [ ok ]