[strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)

Anupam Malhotra anupam.malhotra at u2opiamobile.com
Wed Dec 21 07:58:46 CET 2011

Hi Gowrishankar

Thanks for the response. Please note that my ipsec.conf file does not have
"mode" variable. Rather, there is "type" variable which is indeed set to

Below is the output from "ip xfrm state list" (replaced actual IPs with
sample IPs)

src <remote IP: xr.xr.xr.xr> dst <local IP:xl.xl.xl.xl>
        proto esp spi 0xcc42b3c6 reqid 16384 mode tunnel
        replay-window 32 flag 20
        auth md5 0x7e07ea3163a71b1663e373cbafef2b64
        enc des3_ede 0xe267b5f033bc16a72122e8db2bb0f8d6984768cab966e0f6
src <local IP: xl.xl.xl.xl> <remote IP: xr.xr.xr.xr>
        proto esp spi 0x3cded388 reqid 16384 mode tunnel
        replay-window 32 flag 20
        auth md5 0xc7e752a0749271948a18c934b89e91b6
        enc des3_ede 0xc51433eb7f8877802973824615c58cc622623a627de97011

It does not show the public IP anywhere. What could be going wrong?

Best Regards
Anupam Malhotra

-----Original Message-----
From: gowrishankar [mailto:gowrishankar.m at linux.vnet.ibm.com] 
Sent: Wednesday, December 21, 2011 12:08 PM
To: Anupam Malhotra
Cc: users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than
Public IP)

Hi Anupam,
On Wednesday 21 December 2011 10:53 AM, Anupam Malhotra wrote:
> Hi All
> We have successfully established a tunnel from a server hosted in 
> cloud to a remote server. On executing "ipsec status", we can see the 
> "IPsec SA established" message. The cloud server has a local IP (say 
> xl.xl.xl.xl) and we have also assigned a public IP (xp.xp.xp.xp) to 
> this cloud server. The remote server has an IP of say xr.xr.xr.xr. The 
> remote server's firewall allows requests from xp.xp.xp.xp (public IP). 
> Requests from any other IP are blocked in the firewall.
> Now, when we do a telnet or ping to the remote server from the local 
> server, it times out without any response. The reason is that the 
> remote server's firewall sees the request coming from the cloud 
> server's local IP (xl.xl.xl.xl) and the firewall does not allow 
> requests from this IP. The firewall allows only the public IP 
> (xp.xp.xp.xp). Since the tunnel is successfully established, shouldn't 
> the telnet or ping take the public IP (rather than the local IP)?

Did you get a chance to check SAD, using "ip xfrm state list" ??
or can you paste here ?

Next check is in ipsec.conf for variable "mode". If it is transport,
SA will be created in transport mode, for which authentication
(and integrity too) are not provided, i.e. remote firewall can easily
drop the local source address as it is in IP header now. So to let SA
cover it with tunnel end point IP, you need to set mode as tunnel.

Please correct me if I am wrong.

Gowri Shankar

> Any help would be really appreciated.
> Best Regards
> Anupam Malhotra
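An added diagnostic (not from the thread or the strongSwan project) that parses `ip xfrm state` output like the SAD listing pasted above and reports any SA that is not in tunnel mode or whose outer endpoints do not include the address the remote firewall expects to see; the sample output and all addresses are constructed, and `expected_local` stands in for the thread's public IP.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the thread's "ip xfrm state list" output.
# Addresses are RFC 5737 documentation ranges, not the poster's hosts.
SAMPLE_XFRM_STATE = """\
src 198.51.100.7 dst 192.0.2.10
        proto esp spi 0xcc42b3c6 reqid 16384 mode tunnel
        replay-window 32 flag 20
        auth md5 0x7e07ea3163a71b1663e373cbafef2b64
        enc des3_ede 0xe267b5f033bc16a72122e8db2bb0f8d6984768cab966e0f6
src 192.0.2.10 dst 198.51.100.7
        proto esp spi 0x3cded388 reqid 16384 mode tunnel
        replay-window 32 flag 20
        auth md5 0xc7e752a0749271948a18c934b89e91b6
        enc des3_ede 0xc51433eb7f8877802973824615c58cc622623a627de97011
"""

SA_HEADER = re.compile(r"^src (\S+) dst (\S+)")
SA_PROTO = re.compile(r"^\s*proto (\S+) spi (0x[0-9a-f]+) reqid (\d+) mode (\S+)")


def parse_xfrm_state(text: str) -> List[Dict[str, str]]:
    """Turn `ip xfrm state` output into one dict per SA: src, dst, proto, spi, reqid, mode."""
    sas: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = SA_HEADER.match(line)
        if m:
            sas.append({"src": m.group(1), "dst": m.group(2)})
            continue
        m = SA_PROTO.match(line)
        if m and sas:
            sas[-1].update(proto=m.group(1), spi=m.group(2), reqid=m.group(3), mode=m.group(4))
    return sas


def check_sas(sas: List[Dict[str, str]], expected_local: str) -> List[str]:
    """Flag SAs that are not tunnel mode, or whose outer (ESP) endpoints do not
    include the address the remote firewall expects (the thread's public IP)."""
    findings: List[str] = []
    for sa in sas:
        if sa.get("mode") != "tunnel":
            findings.append(f"spi {sa.get('spi')}: mode {sa.get('mode')} is not tunnel")
        if expected_local not in (sa["src"], sa["dst"]):
            findings.append(f"spi {sa.get('spi')}: endpoints {sa['src']}->{sa['dst']} omit {expected_local}")
    return findings


if __name__ == "__main__":
    # Hypothetical public IP that the SAs above do not carry, mirroring the thread's symptom.
    for finding in check_sas(parse_xfrm_state(SAMPLE_XFRM_STATE), "203.0.113.5"):
        print(finding)
```

If the outer endpoints show only the local address, as in the thread, the remote firewall's ESP traffic arrives from whatever the cloud NAT puts in the outer header, so the listing alone cannot confirm that the public IP is used.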
