[strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)

Anupam Malhotra anupam.malhotra at u2opiamobile.com
Mon Dec 26 08:31:30 CET 2011 

Hi Thomas

Thanks for the useful insight. In my ipsec.conf file, "left" is indeed set
to my localIP (xl.xl.xl.xl). However, I tried setting that to my public IP
(xp.xp.xp.xp) (keeping all other configurations same). In that case the
tunnel is not coming up. You are right that my peer is not strongswan. Here
is my Ipsec.conf file:

config setup
        charonstart=yes
        #nat_traversal = yes
        nat_traversal = no
        plutostart=yes
        plutodebug=all
        plutostderrlog =/var/log/pluto.log

conn %default
        keyexchange=ikev1
        type=tunnel
        auth=esp
        authby=psk
        auto=start
        ikelifetime=28800
        left=xl.xl.xl.xl
        leftnexthop=%defaultroute


conn umb
        leftsourceip=xl.xl.xl.xl
        leftsubnet=xp.xp.xp.xp/32
        right=<Public IP of peer>
        rightsubnet=<xr.xr.xr.xr>/32
        esp=3des-md5
        ike=3des-md5-modp1024
        pfs=no

Please suggest.

Best Regards
Anupam Malhotra


-----Original Message-----
From: Thomas Egerer [mailto:thomas.egerer at secunet.com] 
Sent: Friday, December 23, 2011 7:13 PM
To: Anupam Malhotra
Cc: 'gowrishankar'; users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than
Public IP)

On 12/23/2011 11:17 AM, Anupam Malhotra wrote:
> Hi Thomas
> 
> The IKE_SA-negotiation is not failing. The tunnel is coming up. Only 
> issue is that the local IP is being seen at the remote end (rather 
> than the public IP).
Your output 'ip x s s' tells me, that your tunnel-endpoint on the local side
of the box running strongswan is your *local* ip-address.
> src <remote IP: xr.xr.xr.xr> dst <local IP:xl.xl.xl.xl> src <local IP: 
> xl.xl.xl.xl> <remote IP: xr.xr.xr.xr>

This is only the case if your config tells strongswan to do so. If your peer
only accepts ESP packets from xp.xp.xp.xp then your tunnel-endpoint (left in
ipsec.conf) is supposed to say so. If that tunnel cannot be created you
should consult the log file. Your peer should have the config modified
appropriately.
Let us look at your ipsec.conf, maybe we can figure it out then.
Your peer is no strongswan, I assume?

Cheers,
Thomas

More information about the Users mailing list