Hi,
I am running the automated tests. The scenario ha/both-active fails. I
downloaded linux-3.3.2.tar.bz2, config-3.3, gentoo-fs-20111212.tar.bz2 and
strongswan-4.6.4.tar.bz2. The generated console.log is attached.
I am confused with the patches mentionned here :
http://wiki.strongswan.org/projects/strongswan/wiki/HighAvailability#KernelIPtables-patches.
Must I apply a patch to make the test pass ?
Regards,
Stéphanie
TCPDUMP
venus# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log 2>&1
&
carol# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log 2>&1
&
dave# tcpdump -i eth0 not port ssh and not port domain > /tmp/tcpdump.log 2>&1 &
PRE-TEST
moon# ip addr add 192.168.0.5/24 dev eth0
moon# ip addr add 10.1.0.5/16 dev eth1
alice# /etc/init.d/net.eth1 start
* Caching service dependencies ... [ ok ]
* Starting eth1
* Bringing up eth1
* 192.168.0.50
[ ok ]
* fec0::5/16
[ ok ]
alice# ip addr add 192.168.0.5/24 dev eth1
alice# ip addr add 10.1.0.5/16 dev eth0
venus# ip route del default via 10.1.0.1 dev eth0
venus# ip route add default via 10.1.0.5 dev eth0
moon# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
alice# /etc/init.d/iptables start 2> /dev/null
* Starting firewall ... [ ok ]
carol# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
dave# /etc/init.d/iptables start 2> /dev/null
* Caching service dependencies ... [ ok ]
* Starting firewall ... [ ok ]
moon# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
alice# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
carol# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
dave# ipsec start
Starting strongSwan 4.6.4 IPsec [starter]...
carol# sleep 1
carol# ipsec up home
initiating IKE_SA home[1] to 192.168.0.5
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.100[500] to 192.168.0.5[500]
received packet: from 192.168.0.5[500] to 192.168.0.100[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(MULT_AUTH) ]
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of '[email protected]' (myself) with RSA signature successful
sending end entity cert "C=CH, O=Linux strongSwan, OU=Research,
[email protected]"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA
TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.100[4500] to 192.168.0.5[4500]
received packet: from 192.168.0.5[4500] to 192.168.0.100[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=Linux strongSwan, OU=Virtual VPN Gateway,
CN=mars.strongswan.org"
using certificate "C=CH, O=Linux strongSwan, OU=Virtual VPN Gateway,
CN=mars.strongswan.org"
using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, OU=Virtual VPN
Gateway, CN=mars.strongswan.org"
fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl is valid: until Jul 22 19:08:04 2012
certificate status is good
reached self-signed root ca with a path length of 0
authentication of 'mars.strongswan.org' with RSA signature successful
IKE_SA home[1] established between
192.168.0.100[[email protected]]...192.168.0.5[mars.strongswan.org]
scheduling reauthentication in 3363s
maximum IKE_SA lifetime 3543s
dave# ipsec up home
initiating IKE_SA home[1] to 192.168.0.5
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 192.168.0.200[500] to 192.168.0.5[500]
received packet: from 192.168.0.5[500] to 192.168.0.200[500]
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ
N(MULT_AUTH) ]
received cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
sending cert request for "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
authentication of '[email protected]' (myself) with RSA signature successful
sending end entity cert "C=CH, O=Linux strongSwan, OU=Accounting,
[email protected]"
establishing CHILD_SA home
generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA
TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from 192.168.0.200[4500] to 192.168.0.5[4500]
received packet: from 192.168.0.5[4500] to 192.168.0.200[4500]
parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP)
N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(ADD_6_ADDR) ]
received end entity cert "C=CH, O=Linux strongSwan, OU=Virtual VPN Gateway,
CN=mars.strongswan.org"
using certificate "C=CH, O=Linux strongSwan, OU=Virtual VPN Gateway,
CN=mars.strongswan.org"
using trusted ca certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
checking certificate status of "C=CH, O=Linux strongSwan, OU=Virtual VPN
Gateway, CN=mars.strongswan.org"
fetching crl from 'http://crl.strongswan.org/strongswan.crl' ...
using trusted certificate "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl correctly signed by "C=CH, O=Linux strongSwan, CN=strongSwan Root CA"
crl is valid: until Jul 22 19:08:04 2012
certificate status is good
reached self-signed root ca with a path length of 0
authentication of 'mars.strongswan.org' with RSA signature successful
IKE_SA home[1] established between
192.168.0.200[[email protected]]...192.168.0.5[mars.strongswan.org]
scheduling reauthentication in 3271s
maximum IKE_SA lifetime 3451s
TEST
alice# ipsec statusall | grep 'rw.*ESTABLISHED.*[email protected]' [YES]
rw[1]: ESTABLISHED 1 second ago,
192.168.0.5[mars.strongswan.org]...192.168.0.100[[email protected]]
alice# ipsec statusall | grep 'rw.*ESTABLISHED.*[email protected]' [YES]
rw[2]: ESTABLISHED 0 seconds ago,
192.168.0.5[mars.strongswan.org]...192.168.0.200[[email protected]]
moon# ipsec statusall | grep 'rw.*PASSIVE.*[email protected]' [YES]
rw[1]: PASSIVE,
192.168.0.5[mars.strongswan.org]...192.168.0.100[[email protected]]
moon# ipsec statusall | grep 'rw.*PASSIVE.*[email protected]' [YES]
rw[2]: PASSIVE,
192.168.0.5[mars.strongswan.org]...192.168.0.200[[email protected]]
carol# ipsec statusall | grep 'home.*ESTABLISHED' [YES]
home[1]: ESTABLISHED 2 seconds ago,
192.168.0.100[[email protected]]...192.168.0.5[mars.strongswan.org]
dave# ipsec statusall | grep 'home.*ESTABLISHED' [YES]
home[1]: ESTABLISHED 2 seconds ago,
192.168.0.200[[email protected]]...192.168.0.5[mars.strongswan.org]
alice# cat /var/log/daemon.log | grep 'HA segment 1 activated' [YES]
Jun 22 19:22:00 alice charon: 08[CFG] HA segment 1 activated, now active: 1
moon# cat /var/log/daemon.log | grep 'HA segment 2 activated' [YES]
Jun 22 19:22:01 moon charon: 14[CFG] HA segment 2 activated, now active: 2
alice# cat /var/log/daemon.log | grep 'handling HA CHILD_SA' [YES]
Jun 22 19:22:02 alice charon: 02[CFG] handling HA CHILD_SA rw{1} 10.1.0.0/16
=== 192.168.0.100/32 (segment in: 1*, out: 1*)
Jun 22 19:22:03 alice charon: 05[CFG] handling HA CHILD_SA rw{2} 10.1.0.0/16
=== 192.168.0.200/32 (segment in: 2, out: 2)
moon# cat /var/log/daemon.log | grep 'installed HA CHILD_SA' [YES]
Jun 22 19:22:02 moon charon: 14[CFG] installed HA CHILD_SA rw{1} 10.1.0.0/16
=== 192.168.0.100/32 (segment in: 1, out: 1)
Jun 22 19:22:03 moon charon: 14[CFG] installed HA CHILD_SA rw{2} 10.1.0.0/16
=== 192.168.0.200/32 (segment in: 2*, out: 2*)
carol# ping -c 1 10.1.0.20 | grep '64 bytes from 10.1.0.20: icmp_seq=1' [YES]
dave# ping -c 1 10.1.0.20 | grep '64 bytes from 10.1.0.20: icmp_seq=1' [YES]
carol# killall tcpdump
carol# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org >
mars.strongswan.org: ESP' [YES]
19:22:05.545210 IP carol.strongswan.org > mars.strongswan.org:
ESP(spi=0xca1671f2,seq=0x1), length 132
carol# cat /tmp/tcpdump.log | grep 'IP mars.strongswan.org >
carol.strongswan.org: ESP' [YES]
dave# killall tcpdump
dave# cat /tmp/tcpdump.log | grep 'IP dave.strongswan.org >
mars.strongswan.org: ESP' [YES]
19:22:15.628109 IP dave.strongswan.org > mars.strongswan.org:
ESP(spi=0xc3bb9362,seq=0x1), length 132
dave# cat /tmp/tcpdump.log | grep 'IP mars.strongswan.org >
dave.strongswan.org: ESP' [YES]
venus# killall tcpdump
venus# cat /tmp/tcpdump.log | grep 'IP carol.strongswan.org >
venus.strongswan.org: ICMP echo request' [YES]
19:22:05.503259 IP carol.strongswan.org > venus.strongswan.org: ICMP echo
request, id 48151, seq 1, length 64
venus# cat /tmp/tcpdump.log | grep 'IP venus.strongswan.org >
carol.strongswan.org: ICMP echo reply' [YES]
19:22:05.503501 IP venus.strongswan.org > carol.strongswan.org: ICMP echo
reply, id 48151, seq 1, length 64
venus# cat /tmp/tcpdump.log | grep 'IP dave.strongswan.org >
venus.strongswan.org: ICMP echo request' [YES]
19:22:15.589040 IP dave.strongswan.org > venus.strongswan.org: ICMP echo
request, id 17683, seq 1, length 64
venus# cat /tmp/tcpdump.log | grep 'IP venus.strongswan.org >
dave.strongswan.org: ICMP echo reply' [YES]
19:22:15.589090 IP venus.strongswan.org > dave.strongswan.org: ICMP echo reply,
id 17683, seq 1, length 64
POST-TEST
carol# ipsec stop
Stopping strongSwan IPsec...
dave# ipsec stop
Stopping strongSwan IPsec...
moon# ipsec stop
Stopping strongSwan IPsec...
alice# ipsec stop
Stopping strongSwan IPsec...
moon# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
alice# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
carol# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
dave# /etc/init.d/iptables stop 2> /dev/null
* Stopping firewall ... [ ok ]
moon# ip addr del 192.168.0.5/24 dev eth0
moon# ip addr del 10.1.0.5/16 dev eth1
alice# ip addr del 192.168.0.5/24 dev eth1
alice# ip addr del 10.1.0.5/16 dev eth0
alice# /etc/init.d/net.eth1 stop
* Stopping eth1
* Bringing down eth1
* Shutting down eth1 ... [ ok ]
venus# ip route del default via 10.1.0.5 dev eth0
venus# ip route add default via 10.1.0.1 dev eth0
moon# conntrack -F
alice# conntrack -F
_______________________________________________
Users mailing list
[email protected]
https://lists.strongswan.org/mailman/listinfo/users
