[strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)
anupam.malhotra at u2opiamobile.com
Wed Dec 21 07:58:46 CET 2011
Thanks for the response. Please note that my ipsec.conf file does not have a
"mode" variable. Rather, there is a "type" variable which is indeed set to
Below is the output from "ip xfrm state list" (replaced actual IPs with
src <remote IP: xr.xr.xr.xr> dst <local IP:xl.xl.xl.xl>
proto esp spi 0xcc42b3c6 reqid 16384 mode tunnel
replay-window 32 flag 20
auth md5 0x7e07ea3163a71b1663e373cbafef2b64
enc des3_ede 0xe267b5f033bc16a72122e8db2bb0f8d6984768cab966e0f6
src <local IP: xl.xl.xl.xl> dst <remote IP: xr.xr.xr.xr>
proto esp spi 0x3cded388 reqid 16384 mode tunnel
replay-window 32 flag 20
auth md5 0xc7e752a0749271948a18c934b89e91b6
enc des3_ede 0xc51433eb7f8877802973824615c58cc622623a627de97011
It does not show the public IP anywhere. What could be going wrong?
From: gowrishankar [mailto:gowrishankar.m at linux.vnet.ibm.com]
Sent: Wednesday, December 21, 2011 12:08 PM
To: Anupam Malhotra
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)
On Wednesday 21 December 2011 10:53 AM, Anupam Malhotra wrote:
> Hi All
> We have successfully established a tunnel from a server hosted in
> cloud to a remote server. On executing "ipsec status", we can see the
> "IPsec SA established" message. The cloud server has a local IP (say
> xl.xl.xl.xl) and we have also assigned a public IP (xp.xp.xp.xp) to
> this cloud server. The remote server has an IP of say xr.xr.xr.xr. The
> remote server's firewall allows requests from xp.xp.xp.xp (public IP).
> Requests from any other IP are blocked in the firewall.
> Now, when we do a telnet or ping to the remote server from the local
> server, it times out without any response. The reason is that the
> remote server's firewall sees the request coming from the cloud
> server's local IP (xl.xl.xl.xl) and the firewall does not allow
> requests from this IP. The firewall allows only the public IP
> (xp.xp.xp.xp). Since the tunnel is successfully established, shouldn't
> the telnet or ping take the public IP (rather than the local IP)?
Did you get a chance to check the SAD, using "ip xfrm state list"?
Or can you paste it here?
Next check is in ipsec.conf for the variable "mode". If it is transport,
the SA will be created in transport mode, for which authentication
(and integrity too) are not provided, i.e. the remote firewall can easily
drop the local source address as it is in the IP header now. So to let the SA
cover it with the tunnel end point IP, you need to set mode as tunnel.
Please correct me if I am wrong.
> Any help would be really appreciated.
> Best Regards
> Anupam Malhotra
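The "src"/"dst" pair on each "ip xfrm state" line is the pair of tunnel endpoints, i.e. the addresses the kernel writes into the outer ESP header, so the quoted output tells you the SAs are bound to the local address and never to the public one. The script below is an added example (not part of the thread, and not strongSwan or iproute2 code): it parses a constructed sample shaped like the quoted "ip xfrm state list" output, with documentation-range placeholder addresses standing in for xl/xp/xr and dummy keys, then runs the checks a reader of this thread would want, namely that every SA is in tunnel mode, that the endpoints match the expected peers, whether the public IP appears as an endpoint at all, and whether the negotiated algorithms (md5 and des3_ede in the quoted SAs) are legacy ones. Also, the parser accepts the newer "auth-trunc"/"aead" spellings that current iproute2 prints.

```python
import re
from dataclasses import dataclass

# Hypothetical addresses standing in for the thread's xl (local), xp (public)
# and xr (remote) placeholders; constructed for this example.
LOCAL_IP = "203.0.113.7"
PUBLIC_IP = "192.0.2.10"
REMOTE_IP = "198.51.100.1"

# Constructed sample shaped like the "ip xfrm state list" output quoted in the
# thread: one inbound and one outbound ESP SA. SPIs and keys are dummy values.
SAMPLE_XFRM_STATE = """\
src 198.51.100.1 dst 203.0.113.7
    proto esp spi 0x0000aaaa reqid 16384 mode tunnel
    replay-window 32 flag 20
    auth md5 0x00112233445566778899aabbccddeeff
    enc des3_ede 0x000102030405060708090a0b0c0d0e0f1011121314151617
src 203.0.113.7 dst 198.51.100.1
    proto esp spi 0x0000bbbb reqid 16384 mode tunnel
    replay-window 32 flag 20
    auth md5 0xffeeddccbbaa99887766554433221100
    enc des3_ede 0x1716151413121110f0e0d0c0b0a090807060504030201000
"""

# Algorithms a current deployment should no longer rely on.
LEGACY_ALGORITHMS = {"md5", "hmac(md5)", "sha1", "hmac(sha1)",
                     "des3_ede", "cbc(des3_ede)", "des", "cbc(des)"}


@dataclass
class XfrmSA:
    src: str          # outer-header source, i.e. this side's tunnel endpoint
    dst: str          # outer-header destination, i.e. the peer's endpoint
    proto: str = ""
    spi: str = ""
    reqid: int = 0
    mode: str = ""    # "tunnel" or "transport"
    auth: str = ""
    enc: str = ""


def parse_xfrm_state(text):
    """Parse "ip xfrm state" output into a list of XfrmSA records.

    Each SA starts with a "src A dst B" line; the indented lines that follow
    carry proto/spi/reqid/mode, the replay window and the algorithm lines.
    """
    sas = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"^src (\S+) dst (\S+)", line)
        if header:
            sas.append(XfrmSA(src=header.group(1), dst=header.group(2)))
            continue
        if not sas:
            raise ValueError("attribute line before any SA header: %r" % line)
        sa = sas[-1]
        tokens = line.split()
        if tokens[0] == "proto":
            # "proto esp spi 0x... reqid N mode tunnel" is a flat key/value list
            kv = dict(zip(tokens[0::2], tokens[1::2]))
            sa.proto = kv.get("proto", "")
            sa.spi = kv.get("spi", "")
            sa.reqid = int(kv.get("reqid", "0"))
            sa.mode = kv.get("mode", "")
        elif tokens[0] in ("auth", "auth-trunc"):
            sa.auth = tokens[1]
        elif tokens[0] in ("enc", "aead"):
            sa.enc = tokens[1]
    return sas


def check_sas(sas, local_ip, public_ip, remote_ip):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not sas:
        return ["no IPsec SAs installed: the tunnel is not up"]
    endpoints = set()
    for sa in sas:
        label = "SA %s -> %s (spi %s)" % (sa.src, sa.dst, sa.spi)
        endpoints.update((sa.src, sa.dst))
        if sa.mode != "tunnel":
            findings.append("%s: mode %r, tunnel mode expected so that the outer "
                            "header carries the SA endpoint" % (label, sa.mode))
        if {sa.src, sa.dst} not in ({local_ip, remote_ip}, {public_ip, remote_ip}):
            findings.append("%s: endpoints do not match the expected peers" % label)
        for alg in (sa.auth, sa.enc):
            if alg in LEGACY_ALGORITHMS:
                findings.append("%s: legacy algorithm %s in use" % (label, alg))
    if public_ip not in endpoints:
        findings.append(
            "public IP %s is not an SA endpoint; the outer header is sourced from "
            "%s, so the peer only sees %s if a NAT in front of this host rewrites "
            "it, and the inner packets carry the host's own address unless a "
            "tunnel source address or SNAT is configured"
            % (public_ip, local_ip, public_ip))
    return findings


if __name__ == "__main__":
    for finding in check_sas(parse_xfrm_state(SAMPLE_XFRM_STATE),
                             LOCAL_IP, PUBLIC_IP, REMOTE_IP):
        print(finding)
```

On a real host, feed it the output of `ip xfrm state` instead of the constructed sample. Two things the finding list makes visible that the thread's symptoms hide: the public address a cloud provider maps onto an instance is usually not configured on the host, so neither the outer header nor the inner packet will carry it by itself, and the md5/3DES SAs in the quoted output would be flagged as legacy on any current deployment.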