<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:rtc="http://microsoft.com/officenet/conferencing" xmlns:D="DAV:" xmlns:Repl="http://schemas.microsoft.com/repl/" xmlns:mt="http://schemas.microsoft.com/sharepoint/soap/meetings/" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ppda="http://www.passport.com/NameSpace.xsd" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" 
xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Wingdings;
        panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
.MsoChpDefault
        {mso-style-type:export-only;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Thanks to all of you for helping out on this one. The issue was not with the strongSwan configuration. Rather, the remote side had some config issues due to which this issue was happening. It is working fine now. Thanks again. </span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>:)</span><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Best Regards<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:#1F497D'>Anupam Malhotra<o:p></o:p></span></b></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Christ Schlacta [mailto:lists@aarcane.org] <br><b>Sent:</b> Monday, December 26, 2011 2:09 PM<br><b>To:</b> Anupam Malhotra<br><b>Cc:</b> Thomas Egerer; users@lists.strongswan.org<br><b>Subject:</b> Re: [strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)<o:p></o:p></span></p></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal style='margin-bottom:12.0pt'>If I've missed something, I apologize, but it seems the simple fix is to ssh into the intermediary server, and from there to telnet to the target server.  
Correct me if there's some reason this solution won't work.<br><br>IPsec tunnels shouldn't change the source or destination of a TELNET packet at all.  The original source and destination are still the original source and destination.  If you want to change that, you need a proxy server instead.<o:p></o:p></p><div><p class=MsoNormal>On Sun, Dec 25, 2011 at 11:31 PM, Anupam Malhotra <<a href="mailto:anupam.malhotra@u2opiamobile.com">anupam.malhotra@u2opiamobile.com</a>> wrote:<o:p></o:p></p><p class=MsoNormal>Hi Thomas<br><br>Thanks for the useful insight. In my ipsec.conf file, "left" is indeed set<br>to my local IP (xl.xl.xl.xl). However, I tried setting that to my public IP<br>(xp.xp.xp.xp) (keeping all other configurations same). In that case the<br>tunnel is not coming up. You are right that my peer is not strongSwan. Here<br>is my ipsec.conf file:<br><br>config setup<br>       charonstart=yes<br>       #nat_traversal = yes<br>       nat_traversal = no<br>       plutostart=yes<br>       plutodebug=all<br>       plutostderrlog =/var/log/pluto.log<br><br>conn %default<br>       keyexchange=ikev1<br>       type=tunnel<br>       auth=esp<br>       authby=psk<br>       auto=start<br>       ikelifetime=28800<br>       left=xl.xl.xl.xl<br>       leftnexthop=%defaultroute<br><br><br>conn umb<br>       leftsourceip=xl.xl.xl.xl<br>       leftsubnet=xp.xp.xp.xp/32<br>       right=<Public IP of peer><br>       rightsubnet=<xr.xr.xr.xr>/32<br>       esp=3des-md5<br>       ike=3des-md5-modp1024<br>       pfs=no<br><br>Please suggest.<o:p></o:p></p><div><p class=MsoNormal><br>Best Regards<br>Anupam Malhotra<br><br><br>-----Original Message-----<o:p></o:p></p></div><div><p class=MsoNormal>From: Thomas Egerer [mailto:<a href="mailto:thomas.egerer@secunet.com">thomas.egerer@secunet.com</a>]<br>Sent: Friday, December 23, 2011 7:13 PM<br>To: Anupam Malhotra<o:p></o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Cc: 'gowrishankar'; <a 
href="mailto:users@lists.strongswan.org">users@lists.strongswan.org</a><br>Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than<br>Public IP)<o:p></o:p></p></div><div><div><p class=MsoNormal style='margin-bottom:12.0pt'>On 12/23/2011 11:17 AM, Anupam Malhotra wrote:<br>> Hi Thomas<br>><br>> The IKE_SA-negotiation is not failing. The tunnel is coming up. Only<br>> issue is that the local IP is being seen at the remote end (rather<br>> than the public IP).<br>Your output 'ip x s s' tells me, that your tunnel-endpoint on the local side<br>of the box running strongswan is your *local* ip-address.<br>> src <remote IP: xr.xr.xr.xr> dst <local IP:xl.xl.xl.xl> src <local IP:<br>> xl.xl.xl.xl> <remote IP: xr.xr.xr.xr><br><br>This is only the case if your config tells strongswan to do so. If your peer<br>only accepts ESP packets from xp.xp.xp.xp then your tunnel-endpoint (left in<br>ipsec.conf) is supposed to say so. If that tunnel cannot be created you<br>should consult the log file. Your peer should have the config modified<br>appropriately.<br>Let us look at your ipsec.conf, maybe we can figure it out then.<br>Your peer is no strongswan, I assume?<br><br>Cheers,<br>Thomas<br><br><br><br><br><o:p></o:p></p></div></div><div><div><p class=MsoNormal>_______________________________________________<br>Users mailing list<br><a href="mailto:Users@lists.strongswan.org">Users@lists.strongswan.org</a><br><a href="https://lists.strongswan.org/mailman/listinfo/users" target="_blank">https://lists.strongswan.org/mailman/listinfo/users</a><o:p></o:p></p></div></div></div><p class=MsoNormal><o:p> </o:p></p></div></body></html>