TCPDUMP

moon# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST

moon# echo 1 > /proc/sys/net/ipv4/ip_forward

carol# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...

moon# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...

carol# sleep 2

carol# ipsec up home
002 "home" #1: initiating Main Mode
104 "home" #1: STATE_MAIN_I1: initiate
003 "home" #1: ignoring Vendor ID payload [strongSwan]
003 "home" #1: received Vendor ID payload [XAUTH]
003 "home" #1: received Vendor ID payload [Dead Peer Detection]
106 "home" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "home" #1: we have a cert and are sending it upon request
108 "home" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "home" #1: Peer ID is ID_FQDN: 'moon.strongswan.org'
002 "home" #1: crl not found
002 "home" #1: certificate status unknown
002 "home" #1: ISAKMP SA established
004 "home" #1: STATE_MAIN_I4: ISAKMP SA established
002 "home" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "home" #2: STATE_QUICK_I1: initiate
002 "home" #2: sent QI2, IPsec SA established {ESP=>0x376b80cc <0xbbc4a9b8}
004 "home" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x376b80cc <0xbbc4a9b8}


TEST

carol# ipsec status | grep 'home.*STATE_QUICK_I2.*IPsec SA established' [YES]
000 #2: "home" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 950s; newest IPSEC; eroute owner

moon# ipsec status | grep 'rw.*STATE_QUICK_R2.*IPsec SA established' [YES]
000 #2: "rw"[1] 192.168.0.100 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1109s; newest IPSEC; eroute owner

carol# ping -c 1 -s 120 -p deadbeef 10.1.0.10 | grep '128 bytes from 10.1.0.10: icmp_seq=1' [YES]
128 bytes from 10.1.0.10: icmp_seq=1 ttl=63 time=0.399 ms

carol# ipsec statusall | grep 'ESP proposal: AES_CBC_256/AES_XCBC_96' [YES]
000 "home":   ESP proposal: AES_CBC_256/AES_XCBC_96/<Phase1>

moon# ipsec statusall | grep 'ESP proposal: AES_CBC_256/AES_XCBC_96' [YES]
000 "rw"[1]:   ESP proposal: AES_CBC_256/AES_XCBC_96/<Phase1>

carol# ip xfrm state | grep 'auth xcbc(aes)' [YES]
	auth xcbc(aes) 0x80ded487537a53087ce3cdfb5f781973
	auth xcbc(aes) 0x2ff9753bce9bd39dbd567d87cdecf11a

moon# ip xfrm state | grep 'auth xcbc(aes)' [YES]
	auth xcbc(aes) 0x2ff9753bce9bd39dbd567d87cdecf11a
	auth xcbc(aes) 0x80ded487537a53087ce3cdfb5f781973

moon# killall tcpdump

moon# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org > moon.strongswan.org: ESP.*length 196' [YES]
22:57:54.391125 IP carol.strongswan.org > moon.strongswan.org: ESP(spi=0x376b80cc,seq=0x1), length 196

moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > carol.strongswan.org: ESP.*length 196' [YES]
22:57:54.391359 IP moon.strongswan.org > carol.strongswan.org: ESP(spi=0xbbc4a9b8,seq=0x1), length 196


POST-TEST

moon# ipsec stop
Stopping strongSwan IPsec...

carol# ipsec stop
Stopping strongSwan IPsec...