<div dir='auto'><div dir="auto">Hi Sujoy,</div><div dir="auto"><br></div><div dir="auto">Do you route all traffic through the ipsec tunnel at the moment?</div><div dir="auto"><br></div><div dir="auto">Or is your goal to access the CentOS server through ipsec?</div><div dir="auto"><br></div><div dir="auto">Cheers,</div><div dir="auto"><br></div><div dir="auto">Christopher</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mar 5, 2018 07:05, Sujoy <sujoy.b@mindlogicx.com> wrote:<br type="attribution"><blockquote class="quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>
Hi Jafar,<br />
<br />
I have successfully established a connection with tunneling between
the OpenWRT client and CentOS as the StrongSwan server. Now I am facing one
issue: how do I enable ssh and http through the IPSec tunnel in
StrongSwan?<br />
<br />
<br />
<div><br />
Thanks <br />
Sujoy<br />
<br />
</div>
<div>On Friday 23 February 2018 09:05 PM,
Jafar Al-Gharaibeh wrote:<br />
</div>
<blockquote>
Sujoy,<br />
<br />
You have to send me the logs from both ends. It is hard to know
what the problem is with no logs.<br />
<br />
--Jafar<br />
<br />
<div>On 2/21/2018 8:58 AM, Sujoy wrote:<br />
</div>
<blockquote>
<p>Thanks Jafar, for giving this information. Please let me know
if anything else is required. The client OS is Openwrt, so no
logs are available. <br />
</p>
<p><br />
</p>
<p><b>Server Config</b></p>
<p>config setup<br />
charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3,
cfg 3, knl 3"<br />
strictcrlpolicy=no<br />
uniqueids=no<br />
conn %default<br />
conn tunnel #<br />
left=%any<br />
right=%any<br />
ike=aes256-sha1-modp2048<br />
esp=aes256-sha1<br />
keyingtries=1<br />
keylife=20<br />
dpddelay=30s <br />
dpdtimeout=150s<br />
dpdaction=restart<br />
authby=psk<br />
auto=start<br />
keyexchange=ikev2<br />
type=tunnel<br />
</p>
<p># /etc/ipsec.secrets - strongSwan IPsec secrets file<br />
: PSK "XXXXXXX"<br />
</p>
<br />
<p><br />
</p>
<p> [host@VPNTEST ~]# firewall-cmd --list-all<br />
FirewallD is not running<br />
[host@VPNTEST ~]# sestatus<br />
SELinux status: disabled<br />
[host@VPNTEST ~]# iptables -L<br />
Chain INPUT (policy ACCEPT)<br />
target prot opt source destination <br />
<br />
Chain FORWARD (policy ACCEPT)<br />
target prot opt source destination <br />
<br />
Chain OUTPUT (policy ACCEPT)<br />
target prot opt source destination <br />
</p>
<p><br />
</p>
<p><br />
</p>
<p><b>Client config and status</b></p>
<div> config setup<br />
<br />
charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3,
cfg 3, knl 3"<br />
strictcrlpolicy=no<br />
uniqueids=no<br />
conn %default<br />
conn tunnel #<br />
left=%any<br />
#right=192.168.10.40<br />
right=182.156.253.59<br />
ike=aes256-sha1-modp2048<br />
esp=aes256-sha1<br />
keyingtries=1<br />
keylife=20<br />
dpddelay=30s<br />
dpdtimeout=150s<br />
dpdaction=restart<br />
authby=psk<br />
auto=start<br />
keyexchange=ikev2<br />
type=tunnel<br />
<br />
# /etc/ipsec.secrets - strongSwan IPsec secrets file<br />
: PSK "XXXXXXX"<br />
<br />
<br />
root@Device_BD2009:~# ipsec statusall<br />
no files found matching '/etc/strongswan.d/*.conf'<br />
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49,
mips):<br />
uptime: 22 minutes, since Feb 21 14:31:43 2018<br />
malloc: sbrk 196608, mmap 0, used 157560, free 39048<br />
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 5<br />
loaded plugins: charon aes des rc2 sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
hmac curl attr kernel-netlink resolve socket-default stroke
updown eap-identity eap-md5 xauth-generic<br />
Listening IP addresses:<br />
192.168.20.100<br />
192.168.10.1<br />
fd70:5f2:3744::1<br />
Connections:<br />
tunnel: %any...X.X.X.X IKEv2, dpddelay=30s<br />
tunnel: local: uses pre-shared key authentication<br />
tunnel: remote: [X.X.X.X] uses pre-shared key
authentication<br />
tunnel: child: dynamic === dynamic TUNNEL,
dpdaction=restart<br />
Security Associations (1 up, 0 connecting):<br />
tunnel[1]: ESTABLISHED 22 minutes ago,
192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br />
tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i*
a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours<br />
tunnel[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br />
<br />
<br />
<br />
</div>
<div>On Tuesday 20 February 2018 09:20
PM, Jafar Al-Gharaibeh wrote:<br />
</div>
<blockquote>
Sujoy,<br />
<br />
It is really hard to help you if you don't give us full
information, only sending us one picture at a time. Please use
text files; they are easier to navigate than screenshots.
Your last question below is a repeat of a question that I
answered before. If you want a proper diagnosis of the problem,
please send the configuration files, logs, and routing table at
both ends. See 8 at:<br />
<br />
<a href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br />
<br />
Make sure to increase the debug level in your ipsec.conf files
at both ends, something like: <br />
<br />
config setup<br />
charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3,
cfg 3, knl 3"<br />
<br />
<br />
Regards,<br />
Jafar<br />
<br />
<br />
<div>On 2/20/2018 8:00 AM, Sujoy
wrote:<br />
</div>
<blockquote>
Hi Jafar,<br />
<br />
I am able to establish the tunnel when I try to connect from a LAN
IP. But with the same configuration (firewall settings) and the same
OS version it fails to establish the tunnel with a <b>NATed
public IP</b>. <br />
<br />
What does the phrase "failed to establish CHILD_SA, keeping
IKE_SA" mean? Please let me know if you have any idea regarding
this issue. <br />
</blockquote>
<br />
</blockquote>
<br />
</blockquote>
<br />
</blockquote>
<br />
</div>
</blockquote></div><br></div>
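The `ipsec statusall` output quoted in the thread shows an ESTABLISHED IKE_SA but, as pasted, stops after the IKE proposal line with no `tunnel{1}: INSTALLED` CHILD_SA entry; only an installed CHILD_SA carries ESP, so that is the first thing to check before debugging ssh or http over the tunnel. The parser below is an added example (not code from the thread or from strongSwan) that separates the two states; it runs on constructed samples in the shape of that output, with X.X.X.X standing in for the server's public IP and hypothetical ESP SPIs and selectors.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the 'ipsec statusall' output quoted in
# the thread (X.X.X.X stands in for the server's public IP). As pasted there,
# the output ends after the IKE proposal line: no CHILD_SA lines at all.
SAMPLE_IKE_ONLY = """\
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""

# Constructed sample of a working tunnel (hypothetical SPIs and selectors):
# the CHILD_SA is INSTALLED and its traffic selectors are listed.
SAMPLE_WITH_CHILD = SAMPLE_IKE_ONLY + """\
      tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ffee01_i c0ffee02_o
      tunnel{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 15 minutes
      tunnel{1}:   192.168.20.100/32 === X.X.X.X/32
"""

# IKE_SA lines use conn[n]; CHILD_SA lines use conn{n}.
IKE_RE = re.compile(r"^\s*(\w+)\[(\d+)\]:\s+(ESTABLISHED|CONNECTING)\b.*?,\s*([^\s\[]+)\[.*?\]\.\.\.([^\s\[]+)\[")
CHILD_RE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(INSTALLED|REKEYING|DELETING)\b")
TS_RE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(\S+)\s+===\s+(\S+)\s*$")

@dataclass
class TunnelState:
    ike_sas: dict = field(default_factory=dict)    # "tunnel[1]" -> (state, local, remote)
    child_sas: dict = field(default_factory=dict)  # "tunnel{1}" -> state
    selectors: dict = field(default_factory=dict)  # "tunnel{1}" -> (local_ts, remote_ts)

    def protects_traffic(self) -> bool:
        # An ESTABLISHED IKE_SA only authenticates the peers; user traffic
        # (ssh, http, ...) needs an INSTALLED CHILD_SA whose selectors cover it.
        return any(s == "INSTALLED" for s in self.child_sas.values())

def parse_statusall(text: str) -> TunnelState:
    st = TunnelState()
    for line in text.splitlines():
        if m := IKE_RE.match(line):
            st.ike_sas[f"{m[1]}[{m[2]}]"] = (m[3], m[4], m[5])
        elif m := CHILD_RE.match(line):
            st.child_sas[f"{m[1]}{{{m[2]}}}"] = m[3]
        elif m := TS_RE.match(line):
            st.selectors[f"{m[1]}{{{m[2]}}}"] = (m[3], m[4])
    return st
```

With selectors in hand, compare them against the addresses of the ssh and http hosts: a `dynamic === dynamic` child only covers traffic between the two tunnel endpoints themselves.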