/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
 certutil -D -n east -d sql:/etc/ipsec.d
road #
 cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.23/32"  >> /etc/ipsec.d/policies/private-or-clear
road #
 # scan every 10s
road #
 ipsec pluto --config /etc/ipsec.conf --expire-shunt-interval 10
road #
 ../../guestbin/wait-until-pluto-started
road #
 # give OE policies time to load
road #
 ../../guestbin/wait-for.sh --match 'loaded 11,' -- ipsec auto --status
000 Total IPsec connections: loaded 11, active 0
road #
 echo "initdone"
initdone
road #
 #sleep 30; # enable to get time to attach ip xfrm monitor
road #
 # We should already have a %trap policy because we have a 192.1.2.23/32 group-instance
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3850433 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
road #
 # trigger a private-or-clear and check for shunt and shunt expiry
road #
 ../../guestbin/ping-once.sh --down -I 192.1.3.209 192.1.2.23
down
road #
 # wait on OE retransmits and rekeying
road #
 sleep 3
road #
 # should show nothing in shuntstatus (shunt is not bare, but with conn), should show up in xfrm policy and show partial STATE
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3850240 ptype main \
road #
 ipsec showstates
000 #1: "private-or-clear#192.1.2.23/32"[1] ...192.1.2.23:500 STATE_V2_PARENT_I1 (sent IKE_SA_INIT request); RETRANSMIT in XXs; idle;
000 #1: pending CHILD SA for "private-or-clear#192.1.2.23/32"[1] ...192.1.2.23
road #
 sleep 10
road #
 # should show %pass in shuntstatus and xfrm policy and without partial STATE
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
000 192.1.3.209/32 -0-> 192.1.2.23/32 => %pass 0    oe-failing
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3850433 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
road #
 ipsec showstates
road #
 sleep 35
road #
 # should show no more shunts for 192.1.2.23, but SHOULD show our %trap xfrm policy and no STATE's
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3850433 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
road #
 ipsec showstates
road #
 
