/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
 ipsec certutil -D -n east
road #
 cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.0/24"  >> /etc/ipsec.d/policies/private-or-clear
road #
 echo "192.1.3.0/24"  >> /etc/ipsec.d/policies/private
road #
 echo "192.1.4.66/32"  >> /etc/ipsec.d/policies/private-or-clear
road #
 # scan every 10s
road #
 ipsec pluto --config /etc/ipsec.conf --expire-shunt-interval 10
road #
 ../../guestbin/wait-until-pluto-started
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 12' -- ipsec auto --status
Total IPsec connections: loaded 12, routed 7, active 0
road #
 echo "initdone"
initdone
road #
 #sleep 30; # enable to get time to attach ip xfrm monitor
road #
 # trigger a# private-or-clear and check for shunt and shunt expiry
road #
 ../../guestbin/ping-once.sh --forget -I 192.1.3.209 192.1.2.23
fired and forgotten
road #
 # wait on OE to start: should show nothing in shuntstatus (shunt is
road #
 # not bare, but with conn), should show up in xfrm policy and show
road #
 # partial STATE
road #
 ../../guestbin/wait-for.sh --match '#1:.*sent IKE_SA_INIT request' -- ipsec status
#1: "private-or-clear#192.1.2.0/24"[1] ...192.1.2.23:500 IKE_SA_INIT_I (sent IKE_SA_INIT request); RETRANSMIT in XXs; idle;
road #
 ipsec whack --shuntstatus
Bare Shunt list:
 
road #
 ipsec _kernel policy 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority PRIORITY ptype main
road #
 # wait on OE to fail: should show pass in shuntstatus and xfrm policy
road #
 # and without partial STATE
road #
 ../../guestbin/wait-for.sh --match oe-failing -- ipsec shuntstatus
192.1.3.209/32 -0-> 192.1.2.23/32 => %pass    oe-failing
road #
 ipsec _kernel policy 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32
	dir out priority 0 ptype main
road #
 ipsec showstates || true
road #
 # wait on OE shunt to expire: should show no more shunts for
road #
 # 192.1.2.23, no xfrm policy and no STATE's
road #
 ../../guestbin/wait-for.sh --timeout 60 --no-match oe-failing -- ipsec shuntstatus
road #
 ipsec _kernel policy 192.1.2.23
road #
 ipsec showstates || true
road #
 # repeat test with a hold shunt - but it really shouldn't matter
road #
 # trigger a private and check for shunt and shunt expiry
road #
 ../../guestbin/ping-once.sh --forget -I 192.1.3.209 192.1.3.46
fired and forgotten
road #
 # wait on OE to start: should show nothing in shuntstatus (shunt is
road #
 # not bare, but with conn), should show nothing in xfrm policy because
road #
 # SPI_HOLD (drop) is a no-op for XFRM as the larval state causes it
road #
 # already and should show show partial STATE
road #
 ../../guestbin/wait-for.sh --match '#2:.*sent IKE_SA_INIT request' -- ipsec status
#2: "private#192.1.3.0/24"[1] ...192.1.3.46:500 IKE_SA_INIT_I (sent IKE_SA_INIT request); RETRANSMIT in XXs; idle;
road #
 ipsec whack --shuntstatus
Bare Shunt list:
 
road #
 ipsec _kernel policy 192.1.3.46
src 192.1.3.209/32 dst 192.1.3.46/32
	dir out action block priority PRIORITY ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 # wait for OE to fail: should show pass in shuntstatus and xfrm policy
road #
 # and without partial STATE
road #
 ../../guestbin/wait-for.sh --match oe-failing -- ipsec shuntstatus
192.1.3.209/32 -0-> 192.1.3.46/32 => %drop    oe-failing
road #
 ipsec _kernel policy 192.1.3.46
src 192.1.3.209/32 dst 192.1.3.46/32
	dir out action block priority 0 ptype main
	tmpl src 0.0.0.0 dst 0.0.0.0
		proto esp reqid 0 mode transport
road #
 ipsec showstates || true
road #
 # wait for failing shunt to expire: should show no more shunts for
road #
 # 192.1.3.46, no xfrm policy and no STATE's
road #
 ../../guestbin/wait-for.sh --timeout 60 --no-match oe-failing -- ipsec shuntstatus
road #
 ipsec _kernel policy 192.1.3.46
road #
 ipsec showstates || true
road #
