/testing/guestbin/swan-prep --x509
Preparing X.509 files
road #
 certutil -D -n east -d sql:/etc/ipsec.d
road #
 cp road-ikev2-oe.conf /etc/ipsec.d/ikev2-oe.conf
road #
 cp policies/* /etc/ipsec.d/policies/
road #
 echo "192.1.2.23/32"  >> /etc/ipsec.d/policies/private-or-clear
road #
 # scan every 10s
road #
 ipsec pluto --config /etc/ipsec.conf --expire-shunt-interval 10
road #
 /testing/pluto/bin/wait-until-pluto-started
road #
 # give OE policies time to load
road #
 sleep 5
road #
 echo "initdone"
initdone
road #
 #sleep 30; # enable to get time to attach ip xfrm monitor
road #
 # We should already have a %trap policy because we have a 192.1.2.23/32 group-instance
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3129278 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
road #
 # trigger a private-or-clear and check for shunt and shunt expiry
road #
 ping -n -c 1 -I 192.1.3.209 192.1.2.23
PING 192.1.2.23 (192.1.2.23) from 192.1.3.209 : 56(84) bytes of data.
--- 192.1.2.23 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time XXXX
road #
 # wait on OE retransmits and rekeying
road #
 sleep 3
road #
 # should show nothing in shuntstatus (shunt is not bare, but with conn), should show up in xfrm policy and show partial STATE
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3129278 ptype main \
road #
 ipsec status | grep STATE_
000 #1: "private-or-clear#192.1.2.23/32"[1] ...192.1.2.23:500 STATE_PARENT_I1 (sent IKE_SA_INIT request); EVENT_RETRANSMIT in XXs; idle;
road #
 sleep 10
road #
 # should show %pass in shuntstatus and xfrm policy and without partial STATE
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
000 192.1.3.209/32:0 -0-> 192.1.2.23/32:0 => %pass 0    oe-failing
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3129278 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
road #
 ipsec status | grep STATE_
road #
 sleep 35
road #
 # should show no more shunts for 192.1.2.23, but SHOULD show our %trap xfrm policy and no STATE's
road #
 ipsec whack --shuntstatus
000 Bare Shunt list:
000  
road #
 ip -o xfrm pol | grep 192.1.2.23
src 192.1.3.209/32 dst 192.1.2.23/32 \	dir out priority 3129278 ptype main \	tmpl src 0.0.0.0 dst 0.0.0.0\		proto esp reqid 0 mode transport\
road #
 ipsec status | grep STATE_
road #
 
