<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Sujoy,<br>
<br>
Can you ping the the server's IP address that you want to ssh to ?
<br>
Is that the same IP address where the tunnel terminates: the
"right" address on the client side ?<br>
<br>
--Jafar<br>
<br>
<br>
<div class="moz-cite-prefix">On 3/5/2018 12:31 AM, Sujoy wrote:<br>
</div>
<blockquote type="cite"
cite="mid:6c069fee-1742-2d66-08f3-b0670356c0c3@mindlogicx.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
Hi Christopher,<br>
<br>
<br>
Thanks for the response. I want to access the CentOS IPSec server
which is the having tunneling enable from other system through
SSH. <br>
In the mean time other OpenWRT client should also be able cur/wget
through the tunnel. Both SSH and http fails while tunnel is
established. <br>
<br>
<br>
Tried with the following but doesn't works. <br>
<a class="moz-txt-link-freetext"
href="https://wiki.strongswan.org/issues/2351"
moz-do-not-send="true">https://wiki.strongswan.org/issues/2351</a><br>
<a class="moz-txt-link-freetext"
href="https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan"
moz-do-not-send="true">https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan</a><br>
<br>
<br>
Thanks <br>
Sujoy<br>
<div class="moz-signature"><br>
<br>
</div>
<div class="moz-cite-prefix">On Monday 05 March 2018 11:46 AM,
Christopher Bachner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ee031644-aa02-4704-b5f4-100a77daa781@email.android.com">
<div dir="auto">
<div dir="auto">Hi Sujoy,</div>
<div dir="auto"><br>
</div>
<div dir="auto">Do you route all traffic through the ipsec
tunnel at the moment?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Or is your goal to access the CentOS sever
through ipsec?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Cheers,</div>
<div dir="auto"><br>
</div>
<div dir="auto">Christopher</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mar 5, 2018 07:05, Sujoy <a
class="moz-txt-link-rfc2396E"
href="mailto:sujoy.b@mindlogicx.com"
moz-do-not-send="true"><sujoy.b@mindlogicx.com></a>
wrote:<br type="attribution">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div> Hi Jafar,<br>
<br>
I have successfully establish connection with tunneling
between OpenWRT client and CentOS as StrongSwan server.
Now I am facing one issue. How to enable ssh and http
through IPSec tunnel in StrongSwan.<br>
<br>
<br>
<div><br>
Thanks <br>
Sujoy<br>
<br>
</div>
<div>On Friday 23 February 2018 09:05 PM, Jafar
Al-Gharaibeh wrote:<br>
</div>
<blockquote> Sujoy,<br>
<br>
You have to send me the logs from both ends. It is
hard to know what is the problem with no logs.<br>
<br>
--Jafar<br>
<br>
<div>On 2/21/2018 8:58 AM, Sujoy wrote:<br>
</div>
<blockquote>
<p>Thanks Jafar, for giving this information. Please
let me know if anything else is required. The
client OS is Openwrt, so no logs are available. <br>
</p>
<p><br>
</p>
<p><b>Server Config</b></p>
<p>config setup<br>
charondebug="ike 3, net 3, mgr 3, esp 3,
chd 3, dmn 3, cfg 3, knl 3"<br>
strictcrlpolicy=no<br>
uniqueids=no<br>
conn %default<br>
conn tunnel #<br>
left=%any<br>
right=%any<br>
ike=aes256-sha1-modp2048<br>
esp=aes256-sha1<br>
keyingtries=1<br>
keylife=20<br>
dpddelay=30s <br>
dpdtimeout=150s<br>
dpdaction=restart<br>
authby=psk<br>
auto=start<br>
keyexchange=ikev2<br>
type=tunnel<br>
</p>
<p># /etc/ipsec.secrets - strongSwan IPsec secrets
file<br>
: PSK "XXXXXXX"<br>
</p>
<br>
<p><br>
</p>
<p> [host@VPNTEST ~]# firewall-cmd --list-all<br>
FirewallD is not running<br>
[host@VPNTEST ~]# sestatus<br>
SELinux status: disabled<br>
[host@VPNTEST ~]# iptables -L<br>
Chain INPUT (policy ACCEPT)<br>
target prot opt source
destination <br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source
destination <br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source
destination <br>
</p>
<p><br>
</p>
<p><br>
</p>
<p><b>Client config and status</b></p>
<div> config setup<br>
<br>
charondebug="ike 3, net 3, mgr 3, esp 3,
chd 3, dmn 3, cfg 3, knl 3"<br>
strictcrlpolicy=no<br>
uniqueids=no<br>
conn %default<br>
conn tunnel #<br>
left=%any<br>
#right=192.168.10.40<br>
right=182.156.253.59<br>
ike=aes256-sha1-modp2048<br>
esp=aes256-sha1<br>
keyingtries=1<br>
keylife=20<br>
dpddelay=30s<br>
dpdtimeout=150s<br>
dpdaction=restart<br>
authby=psk<br>
auto=start<br>
keyexchange=ikev2<br>
type=tunnel<br>
<br>
# /etc/ipsec.secrets - strongSwan IPsec secrets
file<br>
: PSK "XXXXXXX"<br>
<br>
<br>
root@Device_BD2009:~# ipsec statusall<br>
no files found matching '/etc/strongswan.d/*.conf'<br>
Status of IKE charon daemon (strongSwan 5.3.3,
Linux 3.10.49, mips):<br>
uptime: 22 minutes, since Feb 21 14:31:43 2018<br>
malloc: sbrk 196608, mmap 0, used 157560, free
39048<br>
worker threads: 11 of 16 idle, 5/0/0/0 working,
job queue: 0/0/0/0, scheduled: 5<br>
loaded plugins: charon aes des rc2 sha1 sha2 md5
random nonce x509 revocation constraints pubkey
pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem
openssl fips-prf gmp xcbc cmac hmac curl attr
kernel-netlink resolve socket-default stroke
updown eap-identity eap-md5 xauth-generic<br>
Listening IP addresses:<br>
192.168.20.100<br>
192.168.10.1<br>
fd70:5f2:3744::1<br>
Connections:<br>
tunnel: %any...X.X.X.X IKEv2, dpddelay=30s<br>
tunnel: local: uses pre-shared key
authentication<br>
tunnel: remote: [X.X.X.X] uses pre-shared
key authentication<br>
tunnel: child: dynamic === dynamic
TUNNEL, dpdaction=restart<br>
Security Associations (1 up, 0 connecting):<br>
tunnel[1]: ESTABLISHED 22 minutes ago,
192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br>
tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i*
a8c47adc292f6d3f_r, pre-shared key
reauthentication in 2 hours<br>
tunnel[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
<br>
<br>
<br>
</div>
<div>On Tuesday 20 February 2018 09:20 PM, Jafar
Al-Gharaibeh wrote:<br>
</div>
<blockquote> Sujoy,<br>
<br>
It is really hard to help you if don't give us
full information only sending us one picture at a
time. Please use test files, they are easier to
navigate than screen shots. Your last question
below is a repeat to a question that I answered
before. If you want proper diagnose of the
problem please send the configuration files,logs,
routing table at both ends. see 8 at:<br>
<br>
<a
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests"
moz-do-not-send="true">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br>
<br>
Make sure to increase the debug level in your
ipsec.conf files at both ends, something like: <br>
<br>
config setup<br>
charondebug="ike 3, net 3, mgr 3, esp 3,
chd 3, dmn 3, cfg 3, knl 3"<br>
<br>
<br>
Regards,<br>
Jafar<br>
<br>
<br>
<div>On 2/20/2018 8:00 AM, Sujoy wrote:<br>
</div>
<blockquote> Hi Jafar,<br>
<br>
I am able to establish tunnel when I try to
connect from LAN IP. But with same
configuration(Firewall setting) and same OS
version it failed to establish tunnel with <b>nated
public IP</b>. <br>
<br>
What means parsed "failed to establish CHILD_SA,
keeping IKE_SA". Please let me know if you have
any idea regarding this issue. <br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>