The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
fall back to ECP_224 and ECP_256, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[1]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.100 local-port=500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=1 state=ESTABLISHED local-host=192.168.0.200 local-port=500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 1 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=1 state=ESTABLISHED local-host=192.168.0.1 local-port=500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+ }
+ version = 1
+ proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev1
- ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+ }
+ }
+ version = 1
+ proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
The roadwarrior <b>carol</b> and the gateway <b>moon</b> use the <b>openssl</b>
-plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
+plugin based on the <b>OpenSSL</b> library for all cryptographical and X.509
certificate functions whereas roadwarrior <b>dave</b> uses the default <b>strongSwan</b>
-cryptographical plugins <b>aes des sha1 sha2 md5 gmp x509</b> plus the <b>openssl</b>
+cryptographical plugins <b>aes des sha1 sha2 hmac gmp x509</b> plus the <b>openssl</b>
plugin for the Elliptic Curve Diffie-Hellman groups only.
<p>
-The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
+The roadwarriors <b>carol</b> and <b>dave</b> set up a connection each
to gateway <b>moon</b>. The authentication is based on <b>X.509 certificates</b>.
<b>carol</b> proposes the DH groups ECP_192 and ECP_224 whereas <b>dave</b> proposes
ECP_192 and ECP_256. Since <b>moon</b> does not support ECP_192 the roadwarriors
fall back to ECP_224 and ECP_256, respectively.
<p>
-Upon the successful establishment of the IPsec tunnels, <b>leftfirewall=yes</b>
-automatically inserts iptables-based firewall rules that let pass the tunneled traffic.
+Upon the successful establishment of the IPsec tunnels, the updown script automatically
+inserts iptables-based firewall rules that let pass the tunneled traffic.
In order to test both tunnel and firewall, both <b>carol</b> and <b>dave</b> ping
the client <b>alice</b> behind the gateway <b>moon</b>.
-carol::ipsec status 2> /dev/null::home.*ESTABLISHED.*carol@strongswan.org.*moon.strongswan.org::YES
-dave:: ipsec status 2> /dev/null::home.*ESTABLISHED.*dave@strongswan.org.*moon.strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[2]: ESTABLISHED.*moon.strongswan.org.*carol@strongswan.org::YES
-moon:: ipsec status 2> /dev/null::rw\[4]: ESTABLISHED.*moon.strongswan.org.*dave@strongswan.org::YES
-carol::ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-dave:: ipsec status 2> /dev/null::home.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]1}.*INSTALLED, TUNNEL::YES
-moon:: ipsec status 2> /dev/null::rw[{]2}.*INSTALLED, TUNNEL::YES
carol::cat /var/log/daemon.log::ECP_192.*ECP_224::YES
dave:: cat /var/log/daemon.log::ECP_192.*ECP_256::YES
-carol::ipsec statusall 2> /dev/null::home.*3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_224::YES
-dave:: ipsec statusall 2> /dev/null::home.*AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256::YES
carol::ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
dave:: ping -c 1 PH_IP_ALICE::64 bytes from PH_IP_ALICE: icmp_.eq=1::YES
+carol::swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.100 local-port=4500 local-id=carol@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[192.168.0.100/32] remote-ts=\[10.1.0.0/16]::YES
+dave:: swanctl --list-sas --raw 2> /dev/null::home.*version=2 state=ESTABLISHED local-host=192.168.0.200 local-port=4500 local-id=dave@strongswan.org remote-host=192.168.0.1 remote-port=4500 remote-id=moon.strongswan.org initiator=yes.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*home.*state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[192.168.0.200/32] remote-ts=\[10.1.0.0/16]::YES
+moon:: swanctl --list-sas --ike-id 2 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.100 remote-port=4500 remote-id=carol@strongswan.org.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_224.*child-sas.*net.*reqid=1 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=3DES_CBC integ-alg=HMAC_SHA2_256_128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.100/32]::YES
+moon:: swanctl --list-sas --ike-id 4 --raw 2> /dev/null::rw.*version=2 state=ESTABLISHED local-host=192.168.0.1 local-port=4500 local-id=moon.strongswan.org remote-host=192.168.0.200 remote-port=4500 remote-id=dave@strongswan.org.*encr-alg=AES_CBC encr-keysize=128 integ-alg=HMAC_SHA2_256_128 prf-alg=PRF_HMAC_SHA2_256 dh-group=ECP_256.*child-sas.*net.*reqid=2 state=INSTALLED mode=TUNNEL.*ESP.*encr-alg=AES_GCM_16 encr-keysize=128.*local-ts=\[10.1.0.0/16] remote-ts=\[192.168.0.200/32]::YES
moon::tcpdump::IP carol.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > carol.strongswan.org: ESP::YES
moon::tcpdump::IP dave.strongswan.org > moon.strongswan.org: ESP::YES
moon::tcpdump::IP moon.strongswan.org > dave.strongswan.org: ESP::YES
-
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp192,3des-sha256-ecp224!
-
-conn home
- left=PH_IP_CAROL
- leftcert=carolCert.pem
- leftid=carol@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.100
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = carolCert.pem
+ id = carol@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-ecp192,3des-sha256-ecp224
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=aes192-sha384-ecp192,aes128-sha256-ecp256!
-
-conn home
- left=PH_IP_DAVE
- leftcert=daveCert.pem
- leftid=dave@strongswan.org
- leftfirewall=yes
- right=PH_IP_MOON
- rightid=@moon.strongswan.org
- rightsubnet=10.1.0.0/16
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = aes des sha1 sha2 md5 pem pkcs1 gmp pem pkcs1 x509 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce aes des sha1 sha2 gmp pem pkcs1 hmac x509 openssl curl revocation vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ home {
+ local_addrs = 192.168.0.200
+ remote_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = daveCert.pem
+ id = dave@strongswan.org
+ }
+ remote {
+ auth = pubkey
+ id = moon.strongswan.org
+ }
+ children {
+ home {
+ remote_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha1-ecp192,aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = 3des-sha1-ecp192,aes128-sha256-ecp256
+ }
+}
+++ /dev/null
-# /etc/ipsec.conf - strongSwan IPsec configuration file
-
-config setup
-
-conn %default
- ikelifetime=60m
- keylife=20m
- rekeymargin=3m
- keyingtries=1
- keyexchange=ikev2
- ike=3des-sha256-ecp224,aes128-sha256-ecp256!
-
-conn rw
- left=PH_IP_MOON
- leftcert=moonCert.pem
- leftid=@moon.strongswan.org
- leftsubnet=10.1.0.0/16
- leftfirewall=yes
- right=%any
- auto=add
# /etc/strongswan.conf - strongSwan configuration file
charon {
- load = pem pkcs1 openssl curl revocation random nonce hmac stroke kernel-netlink socket-default updown
+ load = random nonce pem pkcs1 openssl curl revocation vici kernel-netlink socket-default updown
}
--- /dev/null
+connections {
+
+ rw {
+ local_addrs = 192.168.0.1
+
+ local {
+ auth = pubkey
+ certs = moonCert.pem
+ id = moon.strongswan.org
+ }
+ remote {
+ auth = pubkey
+ }
+ children {
+ net {
+ local_ts = 10.1.0.0/16
+
+ updown = /usr/local/libexec/ipsec/_updown iptables
+ esp_proposals = 3des-sha256-ecp224,aes128gcm16-ecp256
+ }
+ }
+ version = 2
+ proposals = 3des-sha256-ecp224,aes128-sha256-ecp256
+ }
+}
-moon::ipsec stop
-carol::ipsec stop
-dave::ipsec stop
+carol::systemctl stop strongswan-swanctl
+dave::systemctl stop strongswan-swanctl
+moon::systemctl stop strongswan-swanctl
moon::iptables-restore < /etc/iptables.flush
carol::iptables-restore < /etc/iptables.flush
dave::iptables-restore < /etc/iptables.flush
moon::iptables-restore < /etc/iptables.rules
carol::iptables-restore < /etc/iptables.rules
dave::iptables-restore < /etc/iptables.rules
-moon::ipsec start
-carol::ipsec start
-dave::ipsec start
+moon::systemctl start strongswan-swanctl
+carol::systemctl start strongswan-swanctl
+dave::systemctl start strongswan-swanctl
moon::expect-connection rw
carol::expect-connection home
-carol::ipsec up home
+carol::swanctl --initiate --child home 2> /dev/null
dave::expect-connection home
-dave::ipsec up home
+dave::swanctl --initiate --child home 2> /dev/null
# Used for IPsec logging purposes
#
IPSECHOSTS="moon carol dave"
+
+# charon controlled by swanctl
+#
+SWANCTL=1