TCPDUMP

alice# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
sun# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &
bob# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST

moon# echo 1 > /proc/sys/net/ipv4/ip_forward
sun# echo 1 > /proc/sys/net/ipv4/ip_forward
winnetou# ip route add 10.1.0.0/16 via 192.168.0.1
winnetou# ip route add 10.2.0.0/16 via 192.168.0.2
alice# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
moon# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
sun# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
bob# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
moon# sleep 2
moon# ping -n -c 3 -s 8184 -p deadbeef 10.1.0.10
ping: sendmsg: Operation not permitted
PATTERN: 0xdeadbeef
PING 10.1.0.10 (10.1.0.10) 8184(8212) bytes of data.
8192 bytes from 10.1.0.10: icmp_seq=2 ttl=64 time=4.87 ms
8192 bytes from 10.1.0.10: icmp_seq=3 ttl=64 time=2.24 ms

--- 10.1.0.10 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2009ms
rtt min/avg/max/mdev = 2.243/3.561/4.879/1.318 ms
moon# ping -n -c 3 -s 8184 -p deadbeef 192.168.0.2
ping: sendmsg: Operation not permitted
PATTERN: 0xdeadbeef
PING 192.168.0.2 (192.168.0.2) 8184(8212) bytes of data.
8192 bytes from 192.168.0.2: icmp_seq=2 ttl=64 time=5.16 ms
8192 bytes from 192.168.0.2: icmp_seq=3 ttl=64 time=2.25 ms

--- 192.168.0.2 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2019ms
rtt min/avg/max/mdev = 2.251/3.707/5.164/1.457 ms
bob# ping -n -c 3 -s 8184 -p deadbeef 10.2.0.1
ping: sendmsg: Operation not permitted
PATTERN: 0xdeadbeef
PING 10.2.0.1 (10.2.0.1) 8184(8212) bytes of data.
8192 bytes from 10.2.0.1: icmp_seq=2 ttl=64 time=1.94 ms
8192 bytes from 10.2.0.1: icmp_seq=3 ttl=64 time=1.84 ms

--- 10.2.0.1 ping statistics ---
3 packets transmitted, 2 received, 33% packet loss, time 2009ms
rtt min/avg/max/mdev = 1.845/1.896/1.948/0.067 ms

TEST

moon# cat /var/log/daemon.log | grep 'creating acquire job' [YES]
Feb 28 00:00:28 moon charon: 06[KNL] creating acquire job for policy 10.1.0.1/32[udp/36782] === 10.1.0.10/32[udp/1025] with reqid {1}
Feb 28 00:00:31 moon charon: 06[KNL] creating acquire job for policy 192.168.0.1/32[udp/34892] === 192.168.0.2/32[udp/1025] with reqid {2}
bob# cat /var/log/daemon.log | grep 'creating acquire job' [YES]
Feb 28 00:00:34 bob charon: 06[KNL] creating acquire job for policy 10.2.0.10/32[udp/46470] === 10.2.0.1/32[udp/1025] with reqid {1}
moon# ipsec statusall | grep 'alice.*INSTALLED, TRANSPORT' [YES]
alice{1}: INSTALLED, TRANSPORT, ESP SPIs: c912a27c_i cca58a5c_o, IPCOMP CPIs: 3677_i 6dbc_o
moon# ipsec statusall | grep 'sun.*INSTALLED, TRANSPORT' [YES]
sun{2}: INSTALLED, TRANSPORT, ESP SPIs: ce638b30_i cacebaf2_o, IPCOMP CPIs: af03_i caa3_o
alice# ipsec statusall | grep 'remote.*INSTALLED, TRANSPORT' [YES]
remote{1}: INSTALLED, TRANSPORT, ESP SPIs: cca58a5c_i c912a27c_o, IPCOMP CPIs: 6dbc_i 3677_o
sun# ipsec statusall | grep 'remote.*INSTALLED, TRANSPORT' [YES]
remote{1}: INSTALLED, TRANSPORT, ESP SPIs: cacebaf2_i ce638b30_o, IPCOMP CPIs: caa3_i af03_o
remote{2}: INSTALLED, TRANSPORT, ESP SPIs: cadb6d9b_i c3aee183_o, IPCOMP CPIs: 2a2b_i 2c44_o
bob# ipsec statusall | grep 'sun.*INSTALLED, TRANSPORT' [YES]
sun{1}: INSTALLED, TRANSPORT, ESP SPIs: c3aee183_i cadb6d9b_o, IPCOMP CPIs: 2c44_i 2a2b_o
alice# killall tcpdump
alice# cat /tmp/tcpdump.log | grep 'IP moon1.strongswan.org > alice.strongswan.org: ESP' [YES]
00:00:29.679363 IP moon1.strongswan.org > alice.strongswan.org: ESP(spi=0xcca58a5c,seq=0x1), length 100
00:00:30.686872 IP moon1.strongswan.org > alice.strongswan.org: ESP(spi=0xcca58a5c,seq=0x2), length 100
alice# cat /tmp/tcpdump.log | grep 'IP alice.strongswan.org > moon1.strongswan.org: ESP' [YES]
00:00:29.680355 IP alice.strongswan.org > moon1.strongswan.org: ESP(spi=0xc912a27c,seq=0x1), length 100
00:00:30.687733 IP alice.strongswan.org > moon1.strongswan.org: ESP(spi=0xc912a27c,seq=0x2), length 100
sun# killall tcpdump
sun# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org > sun.strongswan.org: ESP' [YES]
00:00:32.854671 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xcacebaf2,seq=0x1), length 100
00:00:33.865554 IP moon.strongswan.org > sun.strongswan.org: ESP(spi=0xcacebaf2,seq=0x2), length 100
sun# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org > moon.strongswan.org: ESP' [YES]
00:00:32.855684 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xce638b30,seq=0x1), length 100
00:00:33.866424 IP sun.strongswan.org > moon.strongswan.org: ESP(spi=0xce638b30,seq=0x2), length 100
bob# killall tcpdump
bob# cat /tmp/tcpdump.log | grep 'IP bob.strongswan.org > sun1.strongswan.org: ESP' [YES]
00:00:35.970313 IP bob.strongswan.org > sun1.strongswan.org: ESP(spi=0xcadb6d9b,seq=0x1), length 100
00:00:36.977862 IP bob.strongswan.org > sun1.strongswan.org: ESP(spi=0xcadb6d9b,seq=0x2), length 100
bob# cat /tmp/tcpdump.log | grep 'IP sun1.strongswan.org > bob.strongswan.org: ESP' [YES]
00:00:35.971412 IP sun1.strongswan.org > bob.strongswan.org: ESP(spi=0xc3aee183,seq=0x1), length 100
00:00:36.978906 IP sun1.strongswan.org > bob.strongswan.org: ESP(spi=0xc3aee183,seq=0x2), length 100

POST-TEST

alice# ipsec stop
Stopping strongSwan IPsec...
moon# ipsec stop
Stopping strongSwan IPsec...
sun# ipsec stop
Stopping strongSwan IPsec...
bob# ipsec stop
Stopping strongSwan IPsec...
winnetou# ip route del 10.1.0.0/16 via 192.168.0.1
winnetou# ip route del 10.2.0.0/16 via 192.168.0.2