TCPDUMP

sun# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
bob# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST

moon# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
sun# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
moon# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
sun# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
moon# sleep 2
moon# ipsec up host-net
002 "host-net" #1: initiating Main Mode
104 "host-net" #1: STATE_MAIN_I1: initiate
003 "host-net" #1: ignoring Vendor ID payload [strongSwan]
003 "host-net" #1: received Vendor ID payload [XAUTH]
003 "host-net" #1: received Vendor ID payload [Dead Peer Detection]
106 "host-net" #1: STATE_MAIN_I2: sent MI2, expecting MR2
002 "host-net" #1: we have a cert and are sending it upon request
108 "host-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "host-net" #1: Peer ID is ID_FQDN: 'sun.strongswan.org'
002 "host-net" #1: crl not found
002 "host-net" #1: certificate status unknown
002 "host-net" #1: ISAKMP SA established
004 "host-net" #1: STATE_MAIN_I4: ISAKMP SA established
002 "host-net" #2: initiating Quick Mode PUBKEY+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
112 "host-net" #2: STATE_QUICK_I1: initiate
002 "host-net" #2: sent QI2, IPsec SA established {ESP=>0x90fd8bdb <0x28980e2c}
004 "host-net" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x90fd8bdb <0x28980e2c}

TEST

moon# ipsec status | grep 'host-net.*STATE_QUICK_I2.*IPsec SA established' [YES]
000 #2: "host-net" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 949s; newest IPSEC; eroute owner
sun# ipsec status | grep 'host-net.*STATE_QUICK_R2.*IPsec SA established' [YES]
000 #2: "host-net"[2] 192.168.0.1 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1110s; newest IPSEC; eroute owner
moon# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=63 time=15.6 ms
bob# ping -c 1 192.168.0.1 | grep '64 bytes from 192.168.0.1: icmp_seq=1' [YES]
64 bytes from 192.168.0.1: icmp_seq=1 ttl=63 time=0.929 ms
alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=62 time=11.4 ms
venus# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=62 time=12.6 ms
sun# killall tcpdump
sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > sun.strongswan.org: ESP' [YES]
23:26:19.933586 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x90fd8bdb,seq=0x1), length 132
23:26:20.125212 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x90fd8bdb,seq=0x2), length 132
23:26:20.286807 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x90fd8bdb,seq=0x3), length 132
23:26:20.497678 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0x90fd8bdb,seq=0x4), length 132
sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org > moon.strongswan.org: ESP' [YES]
23:26:19.949008 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x28980e2c,seq=0x1), length 132
23:26:20.124704 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x28980e2c,seq=0x2), length 132
23:26:20.287405 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x28980e2c,seq=0x3), length 132
23:26:20.498888 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0x28980e2c,seq=0x4), length 132
bob# killall tcpdump
bob# cat /tmp/tcpdump.log | grep 'ICMP' [YES]
23:26:19.856845 IP moon.strongswan.org > bob.strongswan.org: ICMP echo request, id 52813, seq 1, length 64
23:26:19.860792 IP bob.strongswan.org > moon.strongswan.org: ICMP echo reply, id 52813, seq 1, length 64
23:26:20.035439 IP bob.strongswan.org > moon.strongswan.org: ICMP echo request, id 53520, seq 1, length 64
23:26:20.036305 IP moon.strongswan.org > bob.strongswan.org: ICMP echo reply, id 53520, seq 1, length 64
23:26:20.198091 IP moon.strongswan.org > bob.strongswan.org: ICMP echo request, id 33045, seq 1, length 64
23:26:20.198129 IP bob.strongswan.org > moon.strongswan.org: ICMP echo reply, id 33045, seq 1, length 64
23:26:20.409168 IP moon.strongswan.org > bob.strongswan.org: ICMP echo request, id 46862, seq 1, length 64
23:26:20.409219 IP bob.strongswan.org > moon.strongswan.org: ICMP echo reply, id 46862, seq 1, length 64

POST-TEST

moon# iptables -t nat -v -n -L
Chain PREROUTING (policy ACCEPT 131 packets, 8068 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 11 packets, 912 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   168 MASQUERADE  all  --  *      eth0    10.1.0.0/16          0.0.0.0/0
Chain OUTPUT (policy ACCEPT 11 packets, 912 bytes)
 pkts bytes target     prot opt in     out     source               destination
moon# ipsec stop
Stopping strongSwan IPsec...
sun# ipsec stop
Stopping strongSwan IPsec...
moon# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
sun# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]