<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Christopher,<br>
    <br>
    <br>
     Thanks for the response. I want to access the CentOS IPSec server
    which is the having tunneling enable from other system through SSH.
    <br>
    In the mean time other OpenWRT client should also be able cur/wget
    through the tunnel. Both SSH and http fails while tunnel is
    established. <br>
    <br>
    <br>
    Tried with the following but doesn't works. <br>
    <a class="moz-txt-link-freetext" href="https://wiki.strongswan.org/issues/2351">https://wiki.strongswan.org/issues/2351</a><br>
<a class="moz-txt-link-freetext" href="https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan">https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan</a><br>
    <br>
    <br>
    Thanks <br>
    Sujoy<br>
    <div class="moz-signature"><br>
      <br>
    </div>
    <div class="moz-cite-prefix">On Monday 05 March 2018 11:46 AM,
      Christopher Bachner wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:ee031644-aa02-4704-b5f4-100a77daa781@email.android.com">
      <div dir="auto">
        <div dir="auto">Hi Sujoy,</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Do you route all traffic through the ipsec
          tunnel at the moment?</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Or is your goal to access the CentOS sever
          through ipsec?</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Cheers,</div>
        <div dir="auto"><br>
        </div>
        <div dir="auto">Christopher</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Mar 5, 2018 07:05, Sujoy
          <a class="moz-txt-link-rfc2396E" href="mailto:sujoy.b@mindlogicx.com"><sujoy.b@mindlogicx.com></a> wrote:<br type="attribution">
          <blockquote class="quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div> Hi Jafar,<br>
              <br>
               I have successfully establish connection with tunneling
              between OpenWRT client and CentOS as StrongSwan server.
              Now I am facing one issue. How to enable ssh and http
              through IPSec tunnel in StrongSwan.<br>
              <br>
              <br>
              <div><br>
                Thanks <br>
                Sujoy<br>
                <br>
              </div>
              <div>On Friday 23 February 2018 09:05 PM, Jafar
                Al-Gharaibeh wrote:<br>
              </div>
              <blockquote> Sujoy,<br>
                <br>
                You have to send me the logs from both ends. It is hard
                to know what is the problem with no logs.<br>
                <br>
                --Jafar<br>
                <br>
                <div>On 2/21/2018 8:58 AM, Sujoy wrote:<br>
                </div>
                <blockquote>
                  <p>Thanks Jafar, for giving this information. Please
                    let me know if anything else is required. The client
                    OS is Openwrt, so no logs are available. <br>
                  </p>
                  <p><br>
                  </p>
                  <p><b>Server Config</b></p>
                  <p>config setup<br>
                            charondebug="ike 3, net 3, mgr 3, esp 3, chd
                    3, dmn 3, cfg 3, knl 3"<br>
                            strictcrlpolicy=no<br>
                            uniqueids=no<br>
                    conn %default<br>
                    conn tunnel #<br>
                           left=%any<br>
                           right=%any<br>
                           ike=aes256-sha1-modp2048<br>
                           esp=aes256-sha1<br>
                           keyingtries=1<br>
                           keylife=20<br>
                           dpddelay=30s <br>
                           dpdtimeout=150s<br>
                           dpdaction=restart<br>
                           authby=psk<br>
                           auto=start<br>
                           keyexchange=ikev2<br>
                           type=tunnel<br>
                  </p>
                  <p># /etc/ipsec.secrets - strongSwan IPsec secrets
                    file<br>
                    : PSK "XXXXXXX"<br>
                  </p>
                  <br>
                  <p><br>
                  </p>
                  <p>   [host@VPNTEST ~]# firewall-cmd --list-all<br>
                    FirewallD is not running<br>
                    [host@VPNTEST ~]# sestatus<br>
                    SELinux status:                 disabled<br>
                    [host@VPNTEST ~]# iptables -L<br>
                    Chain INPUT (policy ACCEPT)<br>
                    target     prot opt source              
                    destination         <br>
                    <br>
                    Chain FORWARD (policy ACCEPT)<br>
                    target     prot opt source              
                    destination         <br>
                    <br>
                    Chain OUTPUT (policy ACCEPT)<br>
                    target     prot opt source              
                    destination    <br>
                  </p>
                  <p><br>
                  </p>
                  <p><br>
                  </p>
                  <p><b>Client config and status</b></p>
                  <div>        config setup<br>
                    <br>
                            charondebug="ike 3, net 3, mgr 3, esp 3, chd
                    3, dmn 3, cfg 3, knl 3"<br>
                            strictcrlpolicy=no<br>
                            uniqueids=no<br>
                    conn %default<br>
                    conn tunnel #<br>
                           left=%any<br>
                           #right=192.168.10.40<br>
                           right=182.156.253.59<br>
                           ike=aes256-sha1-modp2048<br>
                           esp=aes256-sha1<br>
                           keyingtries=1<br>
                           keylife=20<br>
                           dpddelay=30s<br>
                           dpdtimeout=150s<br>
                           dpdaction=restart<br>
                           authby=psk<br>
                           auto=start<br>
                           keyexchange=ikev2<br>
                           type=tunnel<br>
                    <br>
                    # /etc/ipsec.secrets - strongSwan IPsec secrets file<br>
                    : PSK "XXXXXXX"<br>
                       <br>
                    <br>
                    root@Device_BD2009:~# ipsec statusall<br>
                    no files found matching '/etc/strongswan.d/*.conf'<br>
                    Status of IKE charon daemon (strongSwan 5.3.3, Linux
                    3.10.49, mips):<br>
                      uptime: 22 minutes, since Feb 21 14:31:43 2018<br>
                      malloc: sbrk 196608, mmap 0, used 157560, free
                    39048<br>
                      worker threads: 11 of 16 idle, 5/0/0/0 working,
                    job queue: 0/0/0/0, scheduled: 5<br>
                      loaded plugins: charon aes des rc2 sha1 sha2 md5
                    random nonce x509 revocation constraints pubkey
                    pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
                    openssl fips-prf gmp xcbc cmac hmac curl attr
                    kernel-netlink resolve socket-default stroke updown
                    eap-identity eap-md5 xauth-generic<br>
                    Listening IP addresses:<br>
                      192.168.20.100<br>
                      192.168.10.1<br>
                      fd70:5f2:3744::1<br>
                    Connections:<br>
                          tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s<br>
                          tunnel:   local:  uses pre-shared key
                    authentication<br>
                          tunnel:   remote: [X.X.X.X] uses pre-shared
                    key authentication<br>
                          tunnel:   child:  dynamic === dynamic TUNNEL,
                    dpdaction=restart<br>
                    Security Associations (1 up, 0 connecting):<br>
                          tunnel[1]: ESTABLISHED 22 minutes ago,
                    192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br>
                          tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i*
                    a8c47adc292f6d3f_r, pre-shared key reauthentication
                    in 2 hours<br>
                          tunnel[1]: IKE proposal:
                    AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
                    <br>
                    <br>
                    <br>
                  </div>
                  <div>On Tuesday 20 February 2018 09:20 PM, Jafar
                    Al-Gharaibeh wrote:<br>
                  </div>
                  <blockquote> Sujoy,<br>
                    <br>
                       It is really hard to help you if don't give us
                    full information only sending us one picture at a
                    time. Please use test files, they are easier to
                    navigate than screen shots. Your last question below
                    is a repeat to a question that I answered before. 
                    If you want proper diagnose of the problem please
                    send the configuration files,logs, routing table at
                    both ends. see 8 at:<br>
                    <br>
                    <a
                      href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests"
                      moz-do-not-send="true">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br>
                    <br>
                    Make sure to increase the debug level in your
                    ipsec.conf files at both ends, something like: <br>
                    <br>
                    config setup<br>
                           charondebug="ike 3, net 3, mgr 3, esp 3, chd
                    3, dmn 3, cfg 3, knl 3"<br>
                    <br>
                    <br>
                    Regards,<br>
                    Jafar<br>
                    <br>
                    <br>
                    <div>On 2/20/2018 8:00 AM, Sujoy wrote:<br>
                    </div>
                    <blockquote> Hi Jafar,<br>
                      <br>
                      I am able to establish tunnel when I try to
                      connect from LAN IP. But with same
                      configuration(Firewall setting) and same OS
                      version it failed to establish tunnel with <b>nated
                        public IP</b>. <br>
                      <br>
                      What means parsed "failed to establish CHILD_SA,
                      keeping IKE_SA". Please let me know if you have
                      any idea regarding this issue. <br>
                    </blockquote>
                    <br>
                  </blockquote>
                  <br>
                </blockquote>
                <br>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>