[strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)
Anupam Malhotra
anupam.malhotra at u2opiamobile.com
Mon Dec 26 08:31:30 CET 2011
Hi Thomas
Thanks for the useful insight. In my ipsec.conf file, "left" is indeed set
to my local IP (xl.xl.xl.xl). However, I tried setting that to my public IP
(xp.xp.xp.xp) (keeping all other configuration the same). In that case the
tunnel is not coming up. You are right that my peer is not strongSwan. Here
is my ipsec.conf file:
config setup
    charonstart=yes
    #nat_traversal=yes
    nat_traversal=no
    plutostart=yes
    plutodebug=all
    plutostderrlog=/var/log/pluto.log

conn %default
    keyexchange=ikev1
    type=tunnel
    auth=esp
    authby=psk
    auto=start
    ikelifetime=28800
    left=xl.xl.xl.xl
    leftnexthop=%defaultroute

conn umb
    leftsourceip=xl.xl.xl.xl
    leftsubnet=xp.xp.xp.xp/32
    right=<Public IP of peer>
    rightsubnet=<xr.xr.xr.xr>/32
    esp=3des-md5
    ike=3des-md5-modp1024
    pfs=no
Please suggest.
Best Regards
Anupam Malhotra
-----Original Message-----
From: Thomas Egerer [mailto:thomas.egerer at secunet.com]
Sent: Friday, December 23, 2011 7:13 PM
To: Anupam Malhotra
Cc: 'gowrishankar'; users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)
On 12/23/2011 11:17 AM, Anupam Malhotra wrote:
> Hi Thomas
>
> The IKE_SA-negotiation is not failing. The tunnel is coming up. Only
> issue is that the local IP is being seen at the remote end (rather
> than the public IP).
Your output 'ip x s s' tells me that your tunnel endpoint on the local side
of the box running strongSwan is your *local* IP address.
> src <remote IP: xr.xr.xr.xr> dst <local IP:xl.xl.xl.xl> src <local IP:
> xl.xl.xl.xl> <remote IP: xr.xr.xr.xr>
This is only the case if your config tells strongswan to do so. If your peer
only accepts ESP packets from xp.xp.xp.xp then your tunnel-endpoint (left in
ipsec.conf) is supposed to say so. If that tunnel cannot be created you
should consult the log file. Your peer should have the config modified
appropriately.
Let us look at your ipsec.conf, maybe we can figure it out then.
Your peer is no strongswan, I assume?
Cheers,
Thomas
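The point Thomas makes is that the src address of the outbound ESP state in 'ip xfrm state' ('ip x s s') is what the peer will see as the tunnel endpoint. The script below is an added check, not part of this thread or of strongSwan: it reads that output and reports whether the outbound SA toward a given peer was built from the address the peer expects (the public one) or from some other address (for example the local one). The sample output and the RFC 5737 documentation addresses are constructed for illustration; run it against live output with `ip xfrm state | check_xfrm_endpoints <public-ip> <peer-ip>`.

```shell
#!/bin/sh
# Constructed sample of 'ip xfrm state' output. 192.0.2.10 stands in for the
# thread's local address (xl), 198.51.100.7 for the public address (xp) and
# 203.0.113.20 for the remote peer (xr). Here the outbound SA was built from
# the local address, which is the situation the thread describes.
SAMPLE_XFRM='src 192.0.2.10 dst 203.0.113.20
    proto esp spi 0x0a1b2c3d reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x00 96
    enc cbc(des3_ede) 0x00
src 203.0.113.20 dst 192.0.2.10
    proto esp spi 0x4e5f6071 reqid 1 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(md5) 0x00 96
    enc cbc(des3_ede) 0x00'

# check_xfrm_endpoints EXPECTED_SRC PEER
# Reads 'ip xfrm state' output on stdin and prints one line per outbound SA
# toward PEER: "OK" when its src is EXPECTED_SRC, "MISMATCH" otherwise.
check_xfrm_endpoints() {
    want="$1"; peer="$2"
    awk -v want="$want" -v peer="$peer" '
        # SA header lines look like: src <addr> dst <addr>
        $1 == "src" && $3 == "dst" && $4 == peer {
            if ($2 == want)
                print "OK outbound SA src=" $2 " dst=" $4
            else
                print "MISMATCH outbound SA src=" $2 " (expected " want ") dst=" $4
        }'
}

# xfrm_endpoint_ok EXPECTED_SRC PEER XFRM_OUTPUT
# Exit status: 0 all outbound SAs to PEER use EXPECTED_SRC,
#              1 at least one SA uses another address,
#              2 no outbound SA toward PEER exists (tunnel not up).
xfrm_endpoint_ok() {
    out=$(printf '%s\n' "$3" | check_xfrm_endpoints "$1" "$2")
    case "$out" in
        "") return 2 ;;
        *MISMATCH*) printf '%s\n' "$out"; return 1 ;;
        *) printf '%s\n' "$out"; return 0 ;;
    esac
}
```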