[strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)

gowrishankar gowrishankar.m at linux.vnet.ibm.com
Wed Dec 21 07:37:52 CET 2011

Hi Anupam,
On Wednesday 21 December 2011 10:53 AM, Anupam Malhotra wrote:
> Hi All
> We have successfully established a tunnel from a server hosted in 
> cloud to a remote server. On executing “ipsec status”, we can see the 
> “IPsec SA established” message. The cloud server has a local IP (say 
> xl.xl.xl.xl) and we have also assigned a public IP (xp.xp.xp.xp) to 
> this cloud server. The remote server has an IP of say xr.xr.xr.xr. The 
> remote server’s firewall allows requests from xp.xp.xp.xp (public IP). 
> Requests from any other IP are blocked in the firewall.
> Now, when we do a telnet or ping to the remote server from the local 
> server, it times out without any response. The reason is that the 
> remote server’s firewall sees the request coming from the cloud 
> server’s local IP (xl.xl.xl.xl) and the firewall does not allow 
> requests from this IP. The firewall allows only the public IP 
> (xp.xp.xp.xp). Since the tunnel is successfully established, shouldn’t 
> the telnet or ping take the public IP (rather than the local IP)?

Did you get a chance to check the SAD, using "ip xfrm state list"?
Or can you paste it here?

The next check is in ipsec.conf for the variable "mode". If it is transport,
the SA will be created in transport mode, for which authentication
(and integrity too) are not provided, i.e. the remote firewall can easily
drop the local source address as it is in the IP header now. So to let the SA
cover it with the tunnel end-point IP, you need to set mode to tunnel.

Please correct me if I am wrong.

Gowri Shankar

> Any help would be really appreciated.
> Best Regards
> Anupam Malhotra
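The SAD check suggested in the reply, as an added example that is not part of the thread: a small POSIX sh/awk helper that summarises `ip xfrm state` output per SA and counts SAs that are not in tunnel mode. The sample output is constructed (documentation addresses, placeholder keys), and the function names are my own; on a live host run `xfrm_sa_summary "$(ip xfrm state)"`.

```shell
# Constructed sample of `ip xfrm state` output (not taken from the thread).
# Two SAs: the outbound one in tunnel mode, the inbound one in transport mode.
SAMPLE_XFRM_STATE='src 10.0.0.5 dst 203.0.113.10
	proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xPLACEHOLDER 96
	enc cbc(aes) 0xPLACEHOLDER
src 203.0.113.10 dst 10.0.0.5
	proto esp spi 0x4e5f6071 reqid 1 mode transport
	replay-window 32 flag af-unspec
	auth-trunc hmac(sha1) 0xPLACEHOLDER 96
	enc cbc(aes) 0xPLACEHOLDER'

# Print one "src dst spi mode" line per SA found in the given xfrm state text.
# The "src"/"dst" line opens each SA; the following "proto" line carries spi and mode.
xfrm_sa_summary() {
    printf '%s\n' "$1" | awk '
        /^src / { src = $2; dst = $4 }
        /^[ \t]*proto / {
            for (i = 1; i <= NF; i++) {
                if ($i == "spi")  spi  = $(i + 1)
                if ($i == "mode") mode = $(i + 1)
            }
            print src, dst, spi, mode
        }'
}

# Count SAs whose mode is anything other than tunnel; a non-zero result means
# the inner source address is what the far end sees, as the reply describes.
count_non_tunnel() {
    xfrm_sa_summary "$1" | awk '$4 != "tunnel" { n++ } END { print n + 0 }'
}
```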
