<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Hi Jafar,</p>
    <p>I am not getting any output from "<b>ip route list table 220</b>"
      while the tunnel is established, and it is not allowing any type of
      traffic. Any idea what the issue could be? <br>
    </p>
    <p><br>
    </p>
    <p>[root@VPNTEST ~]# ipsec statusall<br>
      Status of IKE charon daemon (strongSwan 5.3.3, Linux
      3.10.0-693.11.6.el7.x86_64, x86_64):<br>
        uptime: 8 minutes, since Mar 07 17:00:51 2018<br>
        malloc: sbrk 2568192, mmap 0, used 403312, free 2164880<br>
        worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
      0/0/0/0, scheduled: 3<br>
        loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce
      x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
      dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr
      kernel-netlink resolve socket-default stroke updown xauth-generic<br>
      Listening IP addresses:<br>
        172.25.1.23<br>
      Connections:<br>
            tunnel:  %any...%any  IKEv2, dpddelay=30s<br>
            tunnel:   local:  uses pre-shared key authentication<br>
            tunnel:   remote: uses pre-shared key authentication<br>
            tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL,
      dpdaction=restart<br>
      Security Associations (1 up, 0 connecting):<br>
            tunnel[2]: ESTABLISHED 27 seconds ago,
      172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]<br>
            tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i
      a86999948d0d206c_r*, rekeying disabled<br>
            tunnel[2]: IKE proposal:
      AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
            tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs:
      c06d3ac1_i cd4c518b_o<br>
            tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o,
      rekeying disabled<br>
            tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32 <br>
      [root@VPNTEST ~]# <br>
      [root@VPNTEST ~]# <br>
      [root@VPNTEST ~]# ip route list table 220<br>
      [root@VPNTEST ~]# <br>
    </p>
    <p><br>
    </p>
    <p>[root@VPNTEST ~]# iptables -L<br>
      Chain INPUT (policy ACCEPT)<br>
      target     prot opt source               destination         <br>
      ACCEPT     udp  --  anywhere             anywhere             udp
      dpt:isakmp<br>
      ACCEPT     udp  --  anywhere             anywhere             udp
      dpt:ipsec-nat-t<br>
      ACCEPT     esp  --  anywhere             anywhere            <br>
      <br>
      Chain FORWARD (policy ACCEPT)<br>
      target     prot opt source               destination         <br>
      <br>
      Chain OUTPUT (policy ACCEPT)<br>
      target     prot opt source               destination         <br>
      [root@VPNTEST ~]# <br>
      <br>
      <br>
    </p>
    <div class="moz-signature"><br>
      Thanks<br>
    </div>
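    <p>A diagnostic for the situation above (CHILD_SA INSTALLED, zero byte counters, empty table 220), added here as an example and not code from the thread or from strongSwan: it parses <code>ipsec statusall</code> and <code>ip route list table 220</code> output and flags selectors the peer narrowed relative to leftsubnet/rightsubnet. The sample text is constructed to mirror the quoted server output; 203.0.113.10 is a placeholder for the redacted X.X.X.X.</p>

```python
"""Check `ipsec statusall` for a CHILD_SA that is INSTALLED but carries nothing,
and compare installed selectors with the configured leftsubnet/rightsubnet.
Constructed sample: 203.0.113.10 stands in for the thread's redacted X.X.X.X."""
import ipaddress
import re

SAMPLE_STATUS = """\
      tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[203.0.113.10]...198.51.100.7[192.168.10.40]
      tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
      tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
      tunnel{3}:   203.0.113.10/32 === 192.168.10.40/32
"""

CHILD_RE = re.compile(r"^\s*(\w+)\{(\d+)\}:\s+(.*)$")   # e.g. "tunnel{3}: ..."
BYTES_RE = re.compile(r"(\d+) bytes_i, (\d+) bytes_o")


def parse_child_sas(status):
    """Map 'name{id}' -> ESP counters and traffic selectors per CHILD_SA."""
    sas = {}
    for line in status.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue                  # IKE_SA lines use [id], not {id}
        key, rest = f"{m.group(1)}{{{m.group(2)}}}", m.group(3)
        sa = sas.setdefault(key, {"bytes_in": None, "bytes_out": None,
                                  "local_ts": [], "remote_ts": []})
        b = BYTES_RE.search(rest)
        if b:                         # the cipher line carries the counters
            sa["bytes_in"], sa["bytes_out"] = int(b.group(1)), int(b.group(2))
        elif " === " in rest:         # selector line: local === remote
            left, right = rest.split(" === ")
            sa["local_ts"], sa["remote_ts"] = left.split(), right.split()
    return sas


def parse_table220(routes):
    """Destinations from `ip route list table 220` as ip_network objects."""
    dsts = [line.split()[0] for line in routes.splitlines()]
    return [ipaddress.ip_network("0.0.0.0/0" if d == "default" else d,
                                 strict=False) for d in dsts]


def diagnose(sa, cfg_local, cfg_remote, table220):
    """Findings for one CHILD_SA versus configured subnets and table 220."""
    findings = []
    if sa["bytes_in"] == 0 and sa["bytes_out"] == 0:
        findings.append("no ESP traffic in either direction yet")
    for side, cfg, installed in (("local", cfg_local, sa["local_ts"]),
                                 ("remote", cfg_remote, sa["remote_ts"])):
        want = ipaddress.ip_network(cfg)
        for ts in installed:
            got = ipaddress.ip_network(ts)
            if got != want and got.subnet_of(want):   # peer narrowed the TS
                findings.append(f"{side} selector narrowed from {cfg} to {ts}")
    for ts in sa["remote_ts"]:        # table 220 only steers the source address;
        got = ipaddress.ip_network(ts)  # the XFRM policy decides what gets ESP
        if not any(got.subnet_of(r) for r in table220):
            findings.append(f"no table-220 route covers remote selector {ts}")
    return findings

if __name__ == "__main__":
    for key, sa in parse_child_sas(SAMPLE_STATUS).items():
        print(key, diagnose(sa, "0.0.0.0/0", "0.0.0.0/0", parse_table220("")))
```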
    <div class="moz-cite-prefix"><br>
      On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:56d0e85b-7464-e058-33d8-c424e7094247@mindlogicx.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      Hi Jafar,<br>
      <br>
        Thanks for the information. The ping stops as soon as the
      tunnel is established to the right IP of the client. I cannot
      ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same
      IP address where the tunnel terminates.<br>
      <br>
      <p><br>
      </p>
      <p>Server configuration<br>
      </p>
      <p>config setup<br>
                charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3,
        cfg 3, knl 3"<br>
                strictcrlpolicy=no<br>
                uniqueids=no <br>
        conn %default<br>
        conn tunnel # <br>
               left=%any<br>
               leftsubnet=0.0.0.0/0<br>
               right=%any<br>
               rightsubnet=0.0.0.0/0<br>
               ike=aes256-sha1-modp2048<br>
               esp=aes256-sha1<br>
               keyingtries=1<br>
               keylife=20<br>
               dpddelay=30s<br>
               dpdtimeout=150s<br>
               dpdaction=restart <br>
               authby=psk<br>
               auto=start<br>
               keyexchange=ikev2<br>
               type=tunnel<br>
               mobike=no<br>
        <br>
      </p>
      <p>Client output<br>
      </p>
      <p>root@Device_BD2009:~# ipsec statusall<br>
        no files found matching '/etc/strongswan.d/*.conf'<br>
        Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49,
        mips):<br>
          uptime: 25 seconds, since Mar 06 13:00:41 2018<br>
          malloc: sbrk 196608, mmap 0, used 163488, free 33120<br>
          worker threads: 11 of 16 idle, 5/0/0/0 working, job queue:
        0/0/0/0, scheduled: 17<br>
          loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce
        x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp
        dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr
        kernel-netlink resolve socket-default stroke updown eap-identity
        eap-md5 xauth-generic<br>
        Listening IP addresses:<br>
          192.168.20.100<br>
          192.168.10.1<br>
          fd70:5f2:3744::1<br>
        Connections:<br>
              tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s<br>
              tunnel:   local:  uses pre-shared key authentication<br>
              tunnel:   remote: [X.X.X.X] uses pre-shared key
        authentication<br>
              tunnel:   child:  dynamic === X.X.X.X/X TUNNEL,
        dpdaction=restart<br>
        Security Associations (1 up, 0 connecting):<br>
              tunnel[1]: ESTABLISHED 23 seconds ago,
        192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br>
              tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i*
        485e938bf49b2110_r, pre-shared key reauthentication in 2 hours<br>
              tunnel[1]: IKE proposal:
        AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
              tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs:
        c25c0775_i c559455b_o<br>
              tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84
        bytes_o (1 pkt, 0s ago), rekeying active<br>
              tunnel{21}:   192.168.20.100/32 === X.X.X.X/32 <br>
        <br>
      </p>
      <div class="moz-signature"><br>
        Thanks<br>
        <br>
      </div>
      <div class="moz-cite-prefix">On Monday 05 March 2018 09:58 PM,
        Jafar Al-Gharaibeh wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:86125c77-1783-c8f6-3a2c-41f78bf13ae3@atcorp.com">
        <meta http-equiv="Content-Type" content="text/html;
          charset=utf-8">
        Hi Sujoy,<br>
        <br>
          Can you ping the server's IP address that you want to ssh
        to? <br>
          Is that the same IP address where the tunnel terminates: the
        "right" address on the client side?<br>
        <br>
        --Jafar<br>
          <br>
        <br>
        <div class="moz-cite-prefix">On 3/5/2018 12:31 AM, Sujoy wrote:<br>
        </div>
        <blockquote type="cite"
          cite="mid:6c069fee-1742-2d66-08f3-b0670356c0c3@mindlogicx.com">
          <meta http-equiv="Content-Type" content="text/html;
            charset=utf-8">
          Hi Christopher,<br>
          <br>
          <br>
           Thanks for the response. I want to access the CentOS IPsec
          server, which has tunneling enabled, from another system
          through SSH. <br>
          In the meantime the other OpenWRT client should also be able to
          curl/wget through the tunnel. Both SSH and HTTP fail while the
          tunnel is established. <br>
          <br>
          <br>
          Tried the following but it doesn't work. <br>
          <a class="moz-txt-link-freetext"
            href="https://wiki.strongswan.org/issues/2351"
            moz-do-not-send="true">https://wiki.strongswan.org/issues/2351</a><br>
          <a class="moz-txt-link-freetext"
href="https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan"
            moz-do-not-send="true">https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan</a><br>
          <br>
          <br>
          Thanks <br>
          Sujoy<br>
          <div class="moz-signature"><br>
            <br>
          </div>
          <div class="moz-cite-prefix">On Monday 05 March 2018 11:46 AM,
            Christopher Bachner wrote:<br>
          </div>
          <blockquote type="cite"
            cite="mid:ee031644-aa02-4704-b5f4-100a77daa781@email.android.com">
            <div dir="auto">
              <div dir="auto">Hi Sujoy,</div>
              <div dir="auto"><br>
              </div>
              <div dir="auto">Do you route all traffic through the ipsec
                tunnel at the moment?</div>
              <div dir="auto"><br>
              </div>
              <div dir="auto">Or is your goal to access the CentOS sever
                through ipsec?</div>
              <div dir="auto"><br>
              </div>
              <div dir="auto">Cheers,</div>
              <div dir="auto"><br>
              </div>
              <div dir="auto">Christopher</div>
            </div>
            <div class="gmail_extra"><br>
              <div class="gmail_quote">On Mar 5, 2018 07:05, Sujoy <a
                  class="moz-txt-link-rfc2396E"
                  href="mailto:sujoy.b@mindlogicx.com"
                  moz-do-not-send="true"><sujoy.b@mindlogicx.com></a>
                wrote:<br type="attribution">
                <blockquote class="quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  <div> Hi Jafar,<br>
                    <br>
                     I have successfully established a tunneled connection
                    between an OpenWRT client and CentOS as the
                    StrongSwan server. Now I am facing one issue: how to
                    enable SSH and HTTP through the IPSec tunnel in
                    StrongSwan.<br>
                    <br>
                    <br>
                    <div><br>
                      Thanks <br>
                      Sujoy<br>
                      <br>
                    </div>
                    <div>On Friday 23 February 2018 09:05 PM, Jafar
                      Al-Gharaibeh wrote:<br>
                    </div>
                    <blockquote> Sujoy,<br>
                      <br>
                      You have to send me the logs from both ends. It is
                      hard to know what the problem is with no logs.<br>
                      <br>
                      --Jafar<br>
                      <br>
                      <div>On 2/21/2018 8:58 AM, Sujoy wrote:<br>
                      </div>
                      <blockquote>
                        <p>Thanks Jafar, for giving this information.
                          Please let me know if anything else is
                          required. The client OS is Openwrt, so no logs
                          are available. <br>
                        </p>
                        <p><br>
                        </p>
                        <p><b>Server Config</b></p>
                        <p>config setup<br>
                                  charondebug="ike 3, net 3, mgr 3, esp
                          3, chd 3, dmn 3, cfg 3, knl 3"<br>
                                  strictcrlpolicy=no<br>
                                  uniqueids=no<br>
                          conn %default<br>
                          conn tunnel #<br>
                                 left=%any<br>
                                 right=%any<br>
                                 ike=aes256-sha1-modp2048<br>
                                 esp=aes256-sha1<br>
                                 keyingtries=1<br>
                                 keylife=20<br>
                                 dpddelay=30s <br>
                                 dpdtimeout=150s<br>
                                 dpdaction=restart<br>
                                 authby=psk<br>
                                 auto=start<br>
                                 keyexchange=ikev2<br>
                                 type=tunnel<br>
                        </p>
                        <p># /etc/ipsec.secrets - strongSwan IPsec
                          secrets file<br>
                          : PSK "XXXXXXX"<br>
                        </p>
                        <br>
                        <p><br>
                        </p>
                        <p>   [host@VPNTEST ~]# firewall-cmd --list-all<br>
                          FirewallD is not running<br>
                          [host@VPNTEST ~]# sestatus<br>
                          SELinux status:                 disabled<br>
                          [host@VPNTEST ~]# iptables -L<br>
                          Chain INPUT (policy ACCEPT)<br>
                          target     prot opt source              
                          destination         <br>
                          <br>
                          Chain FORWARD (policy ACCEPT)<br>
                          target     prot opt source              
                          destination         <br>
                          <br>
                          Chain OUTPUT (policy ACCEPT)<br>
                          target     prot opt source              
                          destination    <br>
                        </p>
                        <p><br>
                        </p>
                        <p><br>
                        </p>
                        <p><b>Client config and status</b></p>
                        <div>        config setup<br>
                          <br>
                                  charondebug="ike 3, net 3, mgr 3, esp
                          3, chd 3, dmn 3, cfg 3, knl 3"<br>
                                  strictcrlpolicy=no<br>
                                  uniqueids=no<br>
                          conn %default<br>
                          conn tunnel #<br>
                                 left=%any<br>
                                 #right=192.168.10.40<br>
                                 right=182.156.253.59<br>
                                 ike=aes256-sha1-modp2048<br>
                                 esp=aes256-sha1<br>
                                 keyingtries=1<br>
                                 keylife=20<br>
                                 dpddelay=30s<br>
                                 dpdtimeout=150s<br>
                                 dpdaction=restart<br>
                                 authby=psk<br>
                                 auto=start<br>
                                 keyexchange=ikev2<br>
                                 type=tunnel<br>
                          <br>
                          # /etc/ipsec.secrets - strongSwan IPsec
                          secrets file<br>
                          : PSK "XXXXXXX"<br>
                             <br>
                          <br>
                          root@Device_BD2009:~# ipsec statusall<br>
                          no files found matching
                          '/etc/strongswan.d/*.conf'<br>
                          Status of IKE charon daemon (strongSwan 5.3.3,
                          Linux 3.10.49, mips):<br>
                            uptime: 22 minutes, since Feb 21 14:31:43
                          2018<br>
                            malloc: sbrk 196608, mmap 0, used 157560,
                          free 39048<br>
                            worker threads: 11 of 16 idle, 5/0/0/0
                          working, job queue: 0/0/0/0, scheduled: 5<br>
                            loaded plugins: charon aes des rc2 sha1 sha2
                          md5 random nonce x509 revocation constraints
                          pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey
                          sshkey pem openssl fips-prf gmp xcbc cmac hmac
                          curl attr kernel-netlink resolve
                          socket-default stroke updown eap-identity
                          eap-md5 xauth-generic<br>
                          Listening IP addresses:<br>
                            192.168.20.100<br>
                            192.168.10.1<br>
                            fd70:5f2:3744::1<br>
                          Connections:<br>
                                tunnel:  %any...X.X.X.X  IKEv2,
                          dpddelay=30s<br>
                                tunnel:   local:  uses pre-shared key
                          authentication<br>
                                tunnel:   remote: [X.X.X.X] uses
                          pre-shared key authentication<br>
                                tunnel:   child:  dynamic === dynamic
                          TUNNEL, dpdaction=restart<br>
                          Security Associations (1 up, 0 connecting):<br>
                                tunnel[1]: ESTABLISHED 22 minutes ago,
                          192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]<br>
                                tunnel[1]: IKEv2 SPIs:
                          031ec8d3758cc169_i* a8c47adc292f6d3f_r,
                          pre-shared key reauthentication in 2 hours<br>
                                tunnel[1]: IKE proposal:
                          AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048<br>
                          <br>
                          <br>
                          <br>
                        </div>
                        <div>On Tuesday 20 February 2018 09:20 PM, Jafar
                          Al-Gharaibeh wrote:<br>
                        </div>
                        <blockquote> Sujoy,<br>
                          <br>
                             It is really hard to help you if you don't
                          give us full information, only sending us one
                          picture at a time. Please use text files; they
                          are easier to navigate than screenshots. Your
                          last question below is a repeat of a question
                          that I answered before. If you want a proper
                          diagnosis of the problem please send the
                          configuration files, logs, and routing table at
                          both ends. See 8 at:<br>
                          <br>
                          <a
                            href="https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests"
                            moz-do-not-send="true">https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests</a><br>
                          <br>
                          Make sure to increase the debug level in your
                          ipsec.conf files at both ends, something like:
                          <br>
                          <br>
                          config setup<br>
                                 charondebug="ike 3, net 3, mgr 3, esp
                          3, chd 3, dmn 3, cfg 3, knl 3"<br>
                          <br>
                          <br>
                          Regards,<br>
                          Jafar<br>
                          <br>
                          <br>
                          <div>On 2/20/2018 8:00 AM, Sujoy wrote:<br>
                          </div>
                          <blockquote> Hi Jafar,<br>
                            <br>
                            I am able to establish a tunnel when I try to
                            connect from a LAN IP. But with the same
                            configuration (firewall settings) and the same
                            OS version it fails to establish a tunnel with
                            a <b>NATed public IP</b>. <br>
                            <br>
                            What does "failed to establish CHILD_SA,
                            keeping IKE_SA" mean? Please let me know if
                            you have any idea regarding this issue. <br>
                          </blockquote>
                          <br>
                        </blockquote>
                        <br>
                      </blockquote>
                      <br>
                    </blockquote>
                    <br>
                  </div>
                </blockquote>
              </div>
              <br>
            </div>
          </blockquote>
          <br>
        </blockquote>
        <br>
      </blockquote>
      <br>
    </blockquote>
    <br>
  </body>
</html>