<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Hi Jafar,<br>
<br>
Thanks for the information. The ping stops as soon as the
tunnel is established to the right IP of the client. I cannot
ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP
address where the tunnel terminates.<br>
<br>
<p>Server configuration<br>
</p>
<p>config setup<br>
charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg
3, knl 3"<br>
strictcrlpolicy=no<br>
uniqueids=no <br>
conn %default<br>
conn tunnel # <br>
left=%any<br>
leftsubnet=0.0.0.0/0<br>
right=%any<br>
rightsubnet=0.0.0.0/0<br>
ike=aes256-sha1-modp2048<br>
esp=aes256-sha1<br>
keyingtries=1<br>
keylife=20<br>
dpddelay=30s<br>
dpdtimeout=150s<br>
dpdaction=restart <br>
authby=psk<br>
auto=start<br>
keyexchange=ikev2<br>
type=tunnel<br>
mobike=no<br>
<br>
</p>
<p>Client output<br>
</p>
<p>root@Device_BD2009:~# ipsec statusall<br>
no files found matching '/etc/strongswan.d/*.conf'<br>
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49,
mips):<br>
uptime: 25 seconds, since Mar 06 13:00:41 2018<br>
malloc: sbrk 196608, mmap 0, used 163488, free 33120<br>
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
0/0/0/0, scheduled: 17<br>
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr
kernel-netlink resolve socket-default stroke updown eap-identity
eap-md5 xauth-generic<br>
Listening IP addresses:<br>
192.168.20.100<br>
192.168.10.1<br>
fd70:5f2:3744::1<br>
Connections:<br>
tunnel: %any...X.X.X.X IKEv2, dpddelay=30s<br>
tunnel: local: uses pre-shared key authentication<br>
tunnel: remote: [X.X.X.X] uses pre-shared key
authentication<br>
tunnel: child: dynamic === X.X.X.X/X TUNNEL,
dpdaction=restart<br>
Security Associations (1 up, 0 connecting):<br>
tunnel[1]: ESTABLISHED 23 seconds ago,
192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br>
tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i*
485e938bf49b2110_r, pre-shared key reauthentication in 2 hours<br>
tunnel[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
tunnel{21}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
c25c0775_i c559455b_o<br>
tunnel{21}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o
(1 pkt, 0s ago), rekeying active<br>
tunnel{21}: 192.168.20.100/32 === X.X.X.X/32 <br>
<br>
</p>
<div class="moz-signature"><br>
Thanks<br>
<br>
</div>
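<p>Added example, not part of this thread and not strongSwan's own code: a small Python parser for the <tt>ipsec statusall</tt> output quoted above. It pulls out the IKE_SA state, the CHILD_SA byte counters and the traffic selectors, and reports the two things worth checking before changing the configuration: a CHILD_SA that is sending but never receiving (the "0 bytes_i, 84 bytes_o" shown above), and a remote selector that covers the IKE peer address itself, so that packets to the gateway address fall under the IPsec policy. The sample input is constructed from the output in this message, with the peer's public address (X.X.X.X above) replaced by the RFC 5737 documentation address 203.0.113.10; the function and field names are my own.</p>

```python
import ipaddress
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the "ipsec statusall" output in the message
# above; the peer's public address (X.X.X.X there) is replaced by the
# RFC 5737 documentation address 203.0.113.10.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...203.0.113.10[203.0.113.10]
      tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
      tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
      tunnel{21}:   192.168.20.100/32 === 203.0.113.10/32
"""

# Line shapes as printed by the strongSwan 5.x stroke status output.
IKE_RE = re.compile(r"^\s*(?P<name>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)\b.*?"
                    r"(?P<local>[\d.]+)\[[^\]]*\]\.\.\.(?P<remote>[\d.]+)\[[^\]]*\]")
CHILD_RE = re.compile(r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+),\s+(?P<mode>[A-Z]+),")
BYTES_RE = re.compile(r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+\S+,\s+(?P<bi>\d+) bytes_i,\s+(?P<bo>\d+) bytes_o")
TS_RE = re.compile(r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<local>.+?) === (?P<remote>.+?)\s*$")


@dataclass
class ChildSa:
    name: str
    id: int
    state: str = ""
    mode: str = ""
    bytes_in: Optional[int] = None
    bytes_out: Optional[int] = None
    local_ts: List[str] = field(default_factory=list)
    remote_ts: List[str] = field(default_factory=list)


@dataclass
class IkeSa:
    name: str
    id: int
    state: str
    local: str
    remote: str
    children: Dict[int, ChildSa] = field(default_factory=dict)


def parse_statusall(text: str) -> Dict[int, IkeSa]:
    """Return the IKE_SAs (keyed by unique id) with their CHILD_SAs attached."""
    ikes: Dict[int, IkeSa] = {}
    current: Optional[IkeSa] = None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = IkeSa(m["name"], int(m["id"]), m["state"], m["local"], m["remote"])
            ikes[current.id] = current
            continue
        if current is None:
            continue  # CHILD_SA lines always follow their IKE_SA line
        for regex in (CHILD_RE, BYTES_RE, TS_RE):
            m = regex.match(line)
            if m:
                break
        else:
            continue
        cid = int(m["id"])
        child = current.children.setdefault(cid, ChildSa(m["name"], cid))
        if regex is CHILD_RE:
            child.state, child.mode = m["state"], m["mode"]
        elif regex is BYTES_RE:
            child.bytes_in, child.bytes_out = int(m["bi"]), int(m["bo"])
        else:  # traffic selectors; several may be listed on one line
            child.local_ts = m["local"].split()
            child.remote_ts = m["remote"].split()
    return ikes


def covers(selector: str, address: str) -> bool:
    """True if the traffic selector (CIDR) contains the given address."""
    try:
        return ipaddress.ip_address(address) in ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return False


def assess(ikes: Dict[int, IkeSa]) -> List[str]:
    """Produce plain-text findings about each SA; empty list means nothing odd."""
    findings: List[str] = []
    for ike in ikes.values():
        if ike.state != "ESTABLISHED":
            findings.append(f"{ike.name}[{ike.id}]: IKE_SA not established ({ike.state})")
            continue
        if not ike.children:
            findings.append(f"{ike.name}[{ike.id}]: IKE_SA up but no CHILD_SA, so no traffic can flow")
        for ch in ike.children.values():
            tag = f"{ch.name}{{{ch.id}}}"
            if ch.state != "INSTALLED":
                findings.append(f"{tag}: CHILD_SA state is {ch.state}")
            if ch.bytes_out and ch.bytes_in == 0:
                findings.append(f"{tag}: one-way traffic, {ch.bytes_out} bytes sent and 0 received; "
                                "check the far end's policy, firewall and return route")
            for ts in ch.remote_ts:
                if covers(ts, ike.remote):
                    findings.append(f"{tag}: remote selector {ts} covers the IKE peer {ike.remote}, "
                                    "so traffic to the gateway address itself is matched by the IPsec policy")
    return findings


if __name__ == "__main__":
    # Usage: ipsec statusall | python3 check_sa.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUS
    for finding in assess(parse_statusall(text)) or ["no findings"]:
        print(finding)
```

<p>On the sample it reports both conditions: the CHILD_SA has sent 84 bytes and received none, and the remote selector 203.0.113.10/32 contains the peer address. Neither finding is a diagnosis by itself; they are the two facts to line up against the server's policy and the routing table on both ends before changing ipsec.conf.</p>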
<div class="moz-cite-prefix">On Monday 05 March 2018 09:58 PM, Jafar
Al-Gharaibeh wrote:<br>
</div>
<blockquote type="cite"
cite="mid:86125c77-1783-c8f6-3a2c-41f78bf13ae3@atcorp.com">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
Hi Sujoy,<br>
<br>
Can you ping the server's IP address that you want to ssh to?<br>
Is that the same IP address where the tunnel terminates: the
"right" address on the client side?<br>
<br>
--Jafar<br>
<br>
<br>
<div class="moz-cite-prefix">On 3/5/2018 12:31 AM, Sujoy wrote:<br>
</div>
<blockquote type="cite"
cite="mid:6c069fee-1742-2d66-08f3-b0670356c0c3@mindlogicx.com">
<meta http-equiv="Content-Type" content="text/html;
charset=utf-8">
Hi Christopher,<br>
<br>
<br>
Thanks for the response. I want to access the CentOS IPSec
server, which has tunneling enabled, from another system
through SSH. <br>
In the meantime the other OpenWRT client should also be able to
curl/wget through the tunnel. Both SSH and http fail while the
tunnel is established. <br>
<br>
<br>
Tried the following but it doesn't work. <br>
<a class="moz-txt-link-freetext"
href="https://wiki.strongswan.org/issues/2351"
moz-do-not-send="true">https://wiki.strongswan.org/issues/2351</a><br>
<a class="moz-txt-link-freetext"
href="https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan"
moz-do-not-send="true">https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan</a><br>
<br>
<br>
Thanks <br>
Sujoy<br>
<div class="moz-signature"><br>
<br>
</div>
<div class="moz-cite-prefix">On Monday 05 March 2018 11:46 AM,
Christopher Bachner wrote:<br>
</div>
<blockquote type="cite"
cite="mid:ee031644-aa02-4704-b5f4-100a77daa781@email.android.com">
<div dir="auto">
<div dir="auto">Hi Sujoy,</div>
<div dir="auto"><br>
</div>
<div dir="auto">Do you route all traffic through the ipsec
tunnel at the moment?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Or is your goal to access the CentOS sever
through ipsec?</div>
<div dir="auto"><br>
</div>
<div dir="auto">Cheers,</div>
<div dir="auto"><br>
</div>
<div dir="auto">Christopher</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Mar 5, 2018 07:05, Sujoy <a
class="moz-txt-link-rfc2396E"
href="mailto:sujoy.b@mindlogicx.com"
moz-do-not-send="true"><sujoy.b@mindlogicx.com></a>
wrote:<br type="attribution">
<blockquote class="quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div> Hi Jafar,<br>
<br>
I have successfully established a connection with
tunneling between an OpenWRT client and CentOS as the
StrongSwan server. Now I am facing one issue: how to
enable ssh and http through the IPSec tunnel in
StrongSwan.<br>
<br>
<br>
<div><br>
Thanks <br>
Sujoy<br>
<br>
</div>
<div>On Friday 23 February 2018 09:05 PM, Jafar
Al-Gharaibeh wrote:<br>
</div>
<blockquote> Sujoy,<br>
<br>
You have to send me the logs from both ends. It is
hard to know what is the problem with no logs.<br>
<br>
--Jafar<br>
<br>
<div>On 2/21/2018 8:58 AM, Sujoy wrote:<br>
</div>
<blockquote>
<p>Thanks Jafar, for giving this information.
Please let me know if anything else is required.
The client OS is Openwrt, so no logs are
available. <br>
</p>
<p><br>
</p>
<p><b>Server Config</b></p>
<p>config setup<br>
charondebug="ike 3, net 3, mgr 3, esp 3,
chd 3, dmn 3, cfg 3, knl 3"<br>
strictcrlpolicy=no<br>
uniqueids=no<br>
conn %default<br>
conn tunnel #<br>
left=%any<br>
right=%any<br>
ike=aes256-sha1-modp2048<br>
esp=aes256-sha1<br>
keyingtries=1<br>
keylife=20<br>
dpddelay=30s <br>
dpdtimeout=150s<br>
dpdaction=restart<br>
authby=psk<br>
auto=start<br>
keyexchange=ikev2<br>
type=tunnel<br>
</p>
<p># /etc/ipsec.secrets - strongSwan IPsec secrets
file<br>
: PSK "XXXXXXX"<br>
</p>
<br>
<p><br>
</p>
<p> [host@VPNTEST ~]# firewall-cmd --list-all<br>
FirewallD is not running<br>
[host@VPNTEST ~]# sestatus<br>
SELinux status: disabled<br>
[host@VPNTEST ~]# iptables -L<br>
Chain INPUT (policy ACCEPT)<br>
target prot opt source
destination <br>
<br>
Chain FORWARD (policy ACCEPT)<br>
target prot opt source
destination <br>
<br>
Chain OUTPUT (policy ACCEPT)<br>
target prot opt source
destination <br>
</p>
<p><b>Client config and status</b></p>
<div> config setup<br>
<br>
charondebug="ike 3, net 3, mgr 3, esp 3,
chd 3, dmn 3, cfg 3, knl 3"<br>
strictcrlpolicy=no<br>
uniqueids=no<br>
conn %default<br>
conn tunnel #<br>
left=%any<br>
#right=192.168.10.40<br>
right=182.156.253.59<br>
ike=aes256-sha1-modp2048<br>
esp=aes256-sha1<br>
keyingtries=1<br>
keylife=20<br>
dpddelay=30s<br>
dpdtimeout=150s<br>
dpdaction=restart<br>
authby=psk<br>
auto=start<br>
keyexchange=ikev2<br>
type=tunnel<br>
<br>
# /etc/ipsec.secrets - strongSwan IPsec secrets
file<br>
: PSK "XXXXXXX"<br>
<br>
<br>
root@Device_BD2009:~# ipsec statusall<br>
no files found matching
'/etc/strongswan.d/*.conf'<br>
Status of IKE charon daemon (strongSwan 5.3.3,
Linux 3.10.49, mips):<br>
uptime: 22 minutes, since Feb 21 14:31:43 2018<br>
malloc: sbrk 196608, mmap 0, used 157560, free
39048<br>
worker threads: 11 of 16 idle, 5/0/0/0
working, job queue: 0/0/0/0, scheduled: 5<br>
loaded plugins: charon aes des rc2 sha1 sha2
md5 random nonce x509 revocation constraints
pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
sshkey pem openssl fips-prf gmp xcbc cmac hmac
curl attr kernel-netlink resolve socket-default
stroke updown eap-identity eap-md5 xauth-generic<br>
Listening IP addresses:<br>
192.168.20.100<br>
192.168.10.1<br>
fd70:5f2:3744::1<br>
Connections:<br>
tunnel: %any...X.X.X.X IKEv2,
dpddelay=30s<br>
tunnel: local: uses pre-shared key
authentication<br>
tunnel: remote: [X.X.X.X] uses
pre-shared key authentication<br>
tunnel: child: dynamic === dynamic
TUNNEL, dpdaction=restart<br>
Security Associations (1 up, 0 connecting):<br>
tunnel[1]: ESTABLISHED 22 minutes ago,
192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br>
tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i*
a8c47adc292f6d3f_r, pre-shared key
reauthentication in 2 hours<br>
tunnel[1]: IKE proposal:
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
<br>
<br>
<br>
</div>
<div>On Tuesday 20 February 2018 09:20 PM, Jafar
Al-Gharaibeh wrote:<br>
</div>
<blockquote> Sujoy,<br>
<br>
It is really hard to help you if you don't give
us full information, only sending us one picture
at a time. Please use text files; they are
easier to navigate than screenshots. Your last
question below is a repeat of a question that I
answered before. If you want a proper diagnosis of
the problem, please send the configuration
files, logs and routing table at both ends. See 8
at:<br>
<br>
<a
href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests"
moz-do-not-send="true">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br>
<br>
Make sure to increase the debug level in your
ipsec.conf files at both ends, something like: <br>
<br>
config setup<br>
charondebug="ike 3, net 3, mgr 3, esp 3,
chd 3, dmn 3, cfg 3, knl 3"<br>
<br>
<br>
Regards,<br>
Jafar<br>
<br>
<br>
<div>On 2/20/2018 8:00 AM, Sujoy wrote:<br>
</div>
<blockquote> Hi Jafar,<br>
<br>
I am able to establish the tunnel when I try to
connect from the LAN IP. But with the same
configuration (firewall settings) and the same OS
version it fails to establish the tunnel with a <b>NATed
public IP</b>. <br>
<br>
What does "failed to establish
CHILD_SA, keeping IKE_SA" mean? Please let me know
if you have any idea regarding this issue. <br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>