TCPDUMP

moon# tcpdump -i eth0 not port ssh and not port domain and not arp > /tmp/tcpdump.log 2>&1 &

PRE-TEST

alice# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
moon# /etc/init.d/iptables start 2> /dev/null
 * Starting firewall ... [ ok ]
carol# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
sun# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
bob# /etc/init.d/iptables start 2> /dev/null
 * Caching service dependencies ... [ ok ]
 * Starting firewall ... [ ok ]
moon# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p udp -j SNAT --to-source 192.168.0.1:1100-1200
moon# iptables -t nat -A POSTROUTING -o eth0 -s 10.1.0.0/16 -p tcp -j SNAT --to-source 192.168.0.1:2000-2100
moon# iptables -A FORWARD -i eth1 -o eth0 -s 10.1.0.0/16 -j ACCEPT
moon# iptables -A FORWARD -i eth0 -o eth1 -d 10.1.0.0/16 -j ACCEPT
sun# iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p udp -j SNAT --to-source 192.168.0.2:1200-1300
sun# iptables -t nat -A POSTROUTING -o eth0 -s 10.2.0.0/16 -p tcp -j SNAT --to-source 192.168.0.2:2000-2100
sun# iptables -A FORWARD -i eth1 -o eth0 -s 10.2.0.0/16 -j ACCEPT
sun# iptables -A FORWARD -i eth0 -o eth1 -d 10.2.0.0/16 -j ACCEPT
carol# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
carol# sleep 1
bob# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
bob# sleep 1
alice# ipsec start
Starting strongSwan 4.3.6 IPsec [starter]...
alice# sleep 2

TEST

alice# ipsec statusall | grep 'medsrv.*ESTABLISHED' [YES]
medsrv[2]: ESTABLISHED 2 seconds ago, 10.1.0.10[6cu1UTVw@medsrv.org]...192.168.0.100[carol@strongswan.org]
bob# ipsec statusall | grep 'medsrv.*ESTABLISHED' [YES]
medsrv[1]: ESTABLISHED 4 seconds ago, 10.2.0.10[av9oEPMz@medsrv.org]...192.168.0.100[carol@strongswan.org]
carol# ipsec statusall | grep 'medsrv.*ESTABLISHED.*192.168.0.1.*6cu1UTVw@medsrv.org' [YES]
medsrv[2]: ESTABLISHED 3 seconds ago, 192.168.0.100[carol@strongswan.org]...192.168.0.1[6cu1UTVw@medsrv.org]
carol# ipsec statusall | grep 'medsrv.*ESTABLISHED.*192.168.0.2.*v9oEPMz@medsrv.org' [YES]
medsrv[1]: ESTABLISHED 4 seconds ago, 192.168.0.100[carol@strongswan.org]...192.168.0.2[av9oEPMz@medsrv.org]
alice# ipsec statusall | grep 'peer.*ESTABLISHED' [YES]
peer[1]: ESTABLISHED 1 second ago, 10.1.0.10[alice@strongswan.org]...192.168.0.2[bob@strongswan.org]
bob# ipsec statusall | grep 'peer.*ESTABLISHED' [YES]
peer[2]: ESTABLISHED 1 second ago, 10.2.0.10[bob@strongswan.org]...192.168.0.1[alice@strongswan.org]
alice# ipsec statusall | grep 'peer.*INSTALLED' [YES]
peer{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c7d78741_i c029cba7_o
bob# ipsec statusall | grep 'peer.*INSTALLED' [YES]
peer{1}: INSTALLED, TUNNEL, ESP in UDP SPIs: c029cba7_i c7d78741_o
alice# ping -c 1 10.2.0.10 | grep '64 bytes from 10.2.0.10: icmp_seq=1' [YES]
64 bytes from 10.2.0.10: icmp_seq=1 ttl=64 time=0.555 ms
bob# ping -c 1 10.1.0.10 | grep '64 bytes from 10.1.0.10: icmp_seq=1' [YES]
64 bytes from 10.1.0.10: icmp_seq=1 ttl=64 time=0.566 ms
moon# killall tcpdump
moon# cat /tmp/tcpdump.log | grep 'IP moon.strongswan.org.* > sun.strongswan.org.*: UDP' [YES]
01:14:31.698154 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 88
01:14:31.746329 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 92
01:14:32.801119 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 676
01:14:33.016189 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 1728
01:14:35.152053 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 132
01:14:35.299679 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 132
moon# cat /tmp/tcpdump.log | grep 'IP sun.strongswan.org.* > moon.strongswan.org.*: UDP' [YES]
01:14:31.649598 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 88
01:14:31.672640 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 88
01:14:31.704561 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 92
01:14:31.735724 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 88
01:14:32.911207 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 469
01:14:33.366900 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 1536
01:14:35.152363 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 132
01:14:35.299479 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 132

POST-TEST

bob# ipsec stop
Stopping strongSwan IPsec...
alice# ipsec stop
Stopping strongSwan IPsec...
carol# ipsec stop
Stopping strongSwan IPsec...
alice# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
moon# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
carol# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
sun# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
bob# /etc/init.d/iptables stop 2> /dev/null
 * Stopping firewall ... [ ok ]
moon# conntrack -F
sun# conntrack -F
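The two tcpdump greps in the TEST section only show that moon and sun exchanged UDP; what actually proves the NAT traversal worked is that moon's packets leave from a port inside the 1100-1200 range its SNAT rule allows and sun's from inside 1200-1300 (here 1105 and 1200), so the mediated peers reached each other through both NATs rather than through carol. The following is an added check, not part of the strongSwan test scenario or its console log: a POSIX shell script that parses tcpdump lines of the format above and verifies every UDP packet sourced by a given gateway used a port within its configured SNAT range. The function names `snat_port_stats` and `check_gateway`, and the `SAMPLE_LOG` variable, are this example's own; the sample lines are copied from the capture above.

```shell
#!/bin/sh
# Added example (not from the strongSwan test suite): check that UDP traffic
# seen between two NAT gateways used the source ports their SNAT rules allow.
# Ranges below mirror the PRE-TEST iptables rules:
#   moon: --to-source 192.168.0.1:1100-1200
#   sun:  --to-source 192.168.0.2:1200-1300

# Constructed sample: four lines copied from the tcpdump output on moon.
SAMPLE_LOG='01:14:31.698154 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 88
01:14:31.649598 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 88
01:14:32.801119 IP moon.strongswan.org.1105 > sun.strongswan.org.1200: UDP, length 676
01:14:33.366900 IP sun.strongswan.org.1200 > moon.strongswan.org.1105: UDP, length 1536'

# snat_port_stats HOST LO HI
#   Reads a tcpdump log on stdin and prints "<matched> <violations>":
#   matched    = UDP packets whose source host is HOST
#   violations = those whose source port lies outside [LO, HI]
snat_port_stats() {
    awk -v host="$1" -v lo="$2" -v hi="$3" '
        # tcpdump line layout: <time> IP <src>.<port> > <dst>.<port>: UDP, length N
        $2 == "IP" && $6 == "UDP," {
            n = split($3, f, ".")                 # last dotted component is the port
            port = f[n] + 0
            src = substr($3, 1, length($3) - length(f[n]) - 1)
            if (src == host) {
                matched++
                if (port < lo || port > hi) violations++
            }
        }
        END { printf "%d %d\n", matched + 0, violations + 0 }'
}

# check_gateway HOST LO HI
#   Succeeds only if HOST sent at least one UDP packet and every one of them
#   came from a port inside [LO, HI]. A host with no packets fails, so a
#   capture that silently missed the traffic is not mistaken for a pass.
check_gateway() {
    stats=$(snat_port_stats "$1" "$2" "$3")
    matched=${stats% *}
    violations=${stats#* }
    [ "$matched" -gt 0 ] && [ "$violations" -eq 0 ]
}

# Stand-alone run over the constructed sample, one line per gateway.
for spec in "moon.strongswan.org 1100 1200" "sun.strongswan.org 1200 1300"; do
    # shellcheck disable=SC2086  # intentional word splitting of the spec
    set -- $spec
    if printf '%s\n' "$SAMPLE_LOG" | check_gateway "$1" "$2" "$3"; then
        echo "$1: all UDP source ports within SNAT range $2-$3"
    else
        echo "$1: UDP source port outside SNAT range $2-$3 (or no packets seen)"
    fi
done
```

Run it against the real capture with `check_gateway moon.strongswan.org 1100 1200 < /tmp/tcpdump.log` on moon. Because `snat_port_stats` keys on the source hostname as tcpdump prints it, pass the same names tcpdump resolved in the log (or run tcpdump with `-n` and pass addresses instead).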