<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    Hi Jafar,<br>
    <br>
     I have successfully established a connection with tunneling between an
    OpenWRT client and CentOS as the StrongSwan server. Now I am facing one
    issue: how to enable ssh and http through the IPsec tunnel in
    StrongSwan.<br>
    <br>
    <br>
    <div class="moz-signature"><br>
      Thanks <br>
      Sujoy<br>
      <br>
    </div>
    <div class="moz-cite-prefix">On Friday 23 February 2018 09:05 PM,
      Jafar Al-Gharaibeh wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:8eac804b-0eee-4779-9461-77a4e4d0d55d@atcorp.com">
      Sujoy,<br>
      <br>
      You have to send me the logs from both ends. It is hard to know
      what the problem is with no logs.<br>
      <br>
      --Jafar<br>
      <br>
      <div class="moz-cite-prefix">On 2/21/2018 8:58 AM, Sujoy wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:a493cad8-80e6-3e1b-a43e-3f8d0a452315@mindlogicx.com">
        <p>Thanks Jafar, for giving this information. Please let me know
          if anything else is required. The client OS is Openwrt, so no
          logs are available. <br>
        </p>
        <p><br>
        </p>
        <p><b>Server Config</b></p>
        <p>config setup<br>
                  charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3,
          cfg 3, knl 3"<br>
                  strictcrlpolicy=no<br>
                  uniqueids=no<br>
          conn %default<br>
          conn tunnel #<br>
                 left=%any<br>
                 right=%any<br>
                 ike=aes256-sha1-modp2048<br>
                 esp=aes256-sha1<br>
                 keyingtries=1<br>
                 keylife=20<br>
                 dpddelay=30s <br>
                 dpdtimeout=150s<br>
                 dpdaction=restart<br>
                 authby=psk<br>
                 auto=start<br>
                 keyexchange=ikev2<br>
                 type=tunnel<br>
        </p>
        <p># /etc/ipsec.secrets - strongSwan IPsec secrets file<br>
          : PSK "XXXXXXX"<br>
        </p>
        <br>
        <p><br>
        </p>
        <p>   [host@VPNTEST ~]# firewall-cmd --list-all<br>
          FirewallD is not running<br>
          [host@VPNTEST ~]# sestatus<br>
          SELinux status:                 disabled<br>
          [host@VPNTEST ~]# iptables -L<br>
          Chain INPUT (policy ACCEPT)<br>
          target     prot opt source               destination         <br>
          <br>
          Chain FORWARD (policy ACCEPT)<br>
          target     prot opt source               destination         <br>
          <br>
          Chain OUTPUT (policy ACCEPT)<br>
          target     prot opt source               destination    <br>
        </p>
        <p><br>
        </p>
        <p><br>
        </p>
        <p><b>Client config and status</b></p>
        <div class="moz-signature">        config setup<br>
          <br>
                  charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3,
          cfg 3, knl 3"<br>
                  strictcrlpolicy=no<br>
                  uniqueids=no<br>
          conn %default<br>
          conn tunnel #<br>
                 left=%any<br>
                 #right=192.168.10.40<br>
                 right=182.156.253.59<br>
                 ike=aes256-sha1-modp2048<br>
                 esp=aes256-sha1<br>
                 keyingtries=1<br>
                 keylife=20<br>
                 dpddelay=30s<br>
                 dpdtimeout=150s<br>
                 dpdaction=restart<br>
                 authby=psk<br>
                 auto=start<br>
                 keyexchange=ikev2<br>
                 type=tunnel<br>
          <br>
          # /etc/ipsec.secrets - strongSwan IPsec secrets file<br>
          : PSK "XXXXXXX"<br>
             <br>
          <br>
          root@Device_BD2009:~# ipsec statusall<br>
          no files found matching '/etc/strongswan.d/*.conf'<br>
          Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49,
          mips):<br>
            uptime: 22 minutes, since Feb 21 14:31:43 2018<br>
            malloc: sbrk 196608, mmap 0, used 157560, free 39048<br>
            worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
          0/0/0/0, scheduled: 5<br>
            loaded plugins: charon aes des rc2 sha1 sha2 md5 random
          nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
          pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac
          hmac curl attr kernel-netlink resolve socket-default stroke
          updown eap-identity eap-md5 xauth-generic<br>
          Listening IP addresses:<br>
            192.168.20.100<br>
            192.168.10.1<br>
            fd70:5f2:3744::1<br>
          Connections:<br>
                tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s<br>
                tunnel:   local:  uses pre-shared key authentication<br>
                tunnel:   remote: [X.X.X.X] uses pre-shared key
          authentication<br>
                tunnel:   child:  dynamic === dynamic TUNNEL,
          dpdaction=restart<br>
          Security Associations (1 up, 0 connecting):<br>
                tunnel[1]: ESTABLISHED 22 minutes ago,
          192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br>
                tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i*
          a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours<br>
                tunnel[1]: IKE proposal:
          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
          <br>
          <br>
          <br>
        </div>
        <div class="moz-cite-prefix">On Tuesday 20 February 2018 09:20
          PM, Jafar Al-Gharaibeh wrote:<br>
        </div>
        <blockquote type="cite"
          cite="mid:0b05814e-e0cc-be6b-0f50-eb58a29fda5f@atcorp.com">
          Sujoy,<br>
          <br>
             It is really hard to help you if you don't give us full
          information and only send us one picture at a time. Please use
          text files; they are easier to navigate than screenshots.
          Your last question below is a repeat of a question that I
          answered before. If you want a proper diagnosis of the problem,
          please send the configuration files, logs, and routing table at
          both ends. See 8 at:<br>
          <br>
          <a class="moz-txt-link-freetext"
            href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests"
            moz-do-not-send="true">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br>
          <br>
          Make sure to increase the debug level in your ipsec.conf files
          at both ends, something like: <br>
          <br>
          config setup<br>
                 charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3,
          cfg 3, knl 3"<br>
          <br>
          <br>
          Regards,<br>
          Jafar<br>
          <br>
          <br>
          <div class="moz-cite-prefix">On 2/20/2018 8:00 AM, Sujoy
            wrote:<br>
          </div>
          <blockquote type="cite"
            cite="mid:7d5e26aa-bfa5-06b8-f1fa-fed98d8440e3@mindlogicx.com">
            Hi Jafar,<br>
            <br>
            I am able to establish the tunnel when I try to connect from a LAN
            IP. But with the same configuration (firewall settings) and the same
            OS version it failed to establish the tunnel with a <b>NATed
              public IP</b>. <br>
            <br>
            What does "failed to establish CHILD_SA, keeping
            IKE_SA" mean? Please let me know if you have any idea regarding
            this issue. <br>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
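<p>Added example (mine, not code from this thread or from the strongSwan project): a small Python parser for the <code>ipsec statusall</code> output quoted above. It reports whether the IKE_SA is up, whether any CHILD_SA is actually installed, and which traffic selectors the tunnel covers, and it can answer "would a packet from A to B go through the tunnel?" for a given pair of addresses. In strongSwan a <code>dynamic</code> selector stands for the endpoint's own address (that is what you get when <code>leftsubnet</code>/<code>rightsubnet</code> are not set), so a <code>dynamic === dynamic</code> child only matches packets exchanged between the two tunnel endpoints themselves. The first sample is condensed from the client output posted in the thread; the second, with explicit subnets and an installed CHILD_SA, is constructed with placeholder addresses to show what a covering policy looks like.</p>

```python
"""Report what traffic a strongSwan tunnel actually protects, from the text
of `ipsec statusall`.  Added example for this thread, not code from the thread
or from strongSwan.  STATUS_FROM_THREAD is condensed from the client output
posted in the thread; STATUS_WITH_CHILD is constructed (placeholder addresses)
in the layout strongSwan prints for an installed CHILD_SA."""
import ipaddress
import re
from dataclasses import dataclass, field

STATUS_FROM_THREAD = """\
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""

# Constructed: same connection with leftsubnet/rightsubnet set and a CHILD_SA up.
STATUS_WITH_CHILD = """\
Connections:
      tunnel:  %any...203.0.113.10  IKEv2, dpddelay=30s
      tunnel:   child:  192.168.10.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 5 minutes ago, 192.168.20.100[192.168.20.100]...203.0.113.10[203.0.113.10]
      tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a81401_i c0a81402_o
      tunnel{1}:   192.168.10.0/24 === 10.0.0.0/24
"""

# "name:" (config), "name[n]:" (IKE_SA) or "name{n}:" (CHILD_SA), then payload
LINE_RE = re.compile(r"^(?P<name>[\w.-]+)(?P<inst>\[\d+\]|\{\d+\})?:\s*(?P<rest>.+)$")
SEL_RE = re.compile(r"(\S+)\s+===\s+(\S+)")                              # local === remote
PEERS_RE = re.compile(r"([^\s\[]+)\[[^\]]*\]\.\.\.([^\s\[]+)\[[^\]]*\]")  # ip[id]...ip[id]


@dataclass
class Tunnel:
    name: str
    ike_established: bool = False
    local_addr: str = ""
    remote_addr: str = ""
    configured: tuple = ("", "")                    # selectors on the "child:" line
    installed: list = field(default_factory=list)   # selectors of INSTALLED CHILD_SAs


def parse_statusall(text):
    """Return {connection name: Tunnel} from the Connections / SA sections."""
    tunnels, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Connections:") or line.startswith("Security Associations"):
            in_section = True          # everything before these is daemon/plugin info
            continue
        m = LINE_RE.match(line) if in_section else None
        if not m:
            continue
        t = tunnels.setdefault(m["name"], Tunnel(m["name"]))
        inst, rest = m["inst"] or "", m["rest"]
        sel = SEL_RE.search(rest)
        if not inst and rest.startswith("child:") and sel:
            t.configured = sel.groups()
        elif inst.startswith("[") and rest.startswith("ESTABLISHED"):
            t.ike_established = True
            peers = PEERS_RE.search(rest)
            if peers:
                t.local_addr, t.remote_addr = peers.groups()
        elif inst.startswith("{") and sel:      # selector line under an INSTALLED CHILD_SA
            t.installed.append(sel.groups())
    return tunnels


def effective_selectors(t):
    """Installed selectors if a CHILD_SA is up, else the configured ones with
    `dynamic` expanded to the endpoint address, which is what strongSwan uses
    when leftsubnet/rightsubnet are not set."""
    if t.installed:
        return list(t.installed)
    left = t.local_addr if t.configured[0] == "dynamic" else t.configured[0]
    right = t.remote_addr if t.configured[1] == "dynamic" else t.configured[1]
    return [(left, right)]


def covers(t, src, dst):
    """True if a src->dst packet matches an *installed* CHILD_SA.  With no
    CHILD_SA nothing is protected, however healthy the IKE_SA looks."""
    for left, right in t.installed:
        try:
            if (ipaddress.ip_address(src) in ipaddress.ip_network(left, strict=False)
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(right, strict=False)):
                return True
        except ValueError:      # masked placeholders such as X.X.X.X do not parse
            continue
    return False
```

<p>Run it against the real output with <code>parse_statusall(open("status.txt").read())["tunnel"]</code> (after saving <code>ipsec statusall</code> to a file) and then call <code>effective_selectors()</code> and <code>covers()</code> with the addresses of the ssh/http client and server. On the thread's own output it finds an established IKE_SA, a <code>dynamic === dynamic</code> policy and no installed CHILD_SA selector line, so <code>covers()</code> returns False for every address pair; on the constructed output it returns True only for pairs inside <code>192.168.10.0/24 === 10.0.0.0/24</code>.</p>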
    <br>
  </body>
</html>