[strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)

Anupam Malhotra anupam.malhotra at u2opiamobile.com
Tue Dec 27 07:12:20 CET 2011


Thanks to all of you for helping out on this one. The issue was not with the
Strongswan configuration. Rather the remote side had some config issues due
to which this issue was happening. It is working fine now. Thanks again. :)
Best Regards

Anupam Malhotra
From: Christ Schlacta [mailto:lists at aarcane.org] 
Sent: Monday, December 26, 2011 2:09 PM
To: Anupam Malhotra
Cc: Thomas Egerer; users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than
Public IP)
If I've missed something, I apologize, but it seems the simple fix is to ssh
into the intermediary server, and from there to telnet to the target server.
Correct me if there's some reason this solution won't work.

ipsec tunnels shouldn't change the source or destination of a TELNET packet
at all.  The original source and destination are still the original source
and destination.  If you want to change that, you need a proxy server
instead.

On Sun, Dec 25, 2011 at 11:31 PM, Anupam Malhotra
<anupam.malhotra at u2opiamobile.com> wrote:

Hi Thomas

Thanks for the useful insight. In my ipsec.conf file, "left" is indeed set
to my local IP (xl.xl.xl.xl). However, I tried setting that to my public IP
(xp.xp.xp.xp) (keeping all other configuration the same). In that case the
tunnel is not coming up. You are right that my peer is not strongSwan. Here
is my ipsec.conf file:

config setup
       charonstart=yes
       #nat_traversal=yes
       nat_traversal=no
       plutostart=yes
       plutodebug=all
       plutostderrlog=/var/log/pluto.log

conn %default
       keyexchange=ikev1
       type=tunnel
       auth=esp
       authby=psk
       auto=start
       ikelifetime=28800
       left=xl.xl.xl.xl
       leftnexthop=%defaultroute

conn umb
       leftsourceip=xl.xl.xl.xl
       leftsubnet=xp.xp.xp.xp/32
       right=<Public IP of peer>
       rightsubnet=<xr.xr.xr.xr>/32
       esp=3des-md5
       ike=3des-md5-modp1024
       pfs=no

Please suggest.


Best Regards
Anupam Malhotra


-----Original Message-----

From: Thomas Egerer [mailto:thomas.egerer at secunet.com]
Sent: Friday, December 23, 2011 7:13 PM
To: Anupam Malhotra

Cc: 'gowrishankar'; users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than
Public IP)

On 12/23/2011 11:17 AM, Anupam Malhotra wrote:
> Hi Thomas
>
> The IKE_SA-negotiation is not failing. The tunnel is coming up. Only
> issue is that the local IP is being seen at the remote end (rather
> than the public IP).
Your output of 'ip x s s' tells me that your tunnel endpoint on the local side
of the box running strongSwan is your *local* IP address.
> src <remote IP: xr.xr.xr.xr> dst <local IP:xl.xl.xl.xl> src <local IP:
> xl.xl.xl.xl> <remote IP: xr.xr.xr.xr>

This is only the case if your config tells strongswan to do so. If your peer
only accepts ESP packets from xp.xp.xp.xp then your tunnel-endpoint (left in
ipsec.conf) is supposed to say so. If that tunnel cannot be created you
should consult the log file. Your peer should have the config modified
appropriately.
Let us look at your ipsec.conf, maybe we can figure it out then.
Your peer is not strongSwan, I assume?

Cheers,
Thomas
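As an added illustration of Thomas's point (not part of the original thread): a small Python checker that parses `ip xfrm state` output like the `ip x s s` output quoted above, picks out the outer source address of the outbound tunnel-mode SA (the address the peer actually sees ESP from), and compares it with the address the peer expects, also noting a private outer address with NAT traversal disabled as in the posted config. The xfrm sample and the addresses 10.0.0.5, 203.0.113.9 and 198.51.100.7 are constructed placeholders, not values from the thread.

```python
import ipaddress
import re

# Constructed sample of `ip xfrm state` (`ip x s s`) output, one ESP SA per direction.
# Placeholder addresses: 10.0.0.5 is the local (private) IP, 203.0.113.9 the peer.
SAMPLE_XFRM_STATE = """\
src 203.0.113.9 dst 10.0.0.5
\tproto esp spi 0x0a1b2c3d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
src 10.0.0.5 dst 203.0.113.9
\tproto esp spi 0xc001d00d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
"""

# One SA: a "src ... dst ..." line followed by an indented "proto ... mode ..." line.
SA_RE = re.compile(
    r"^src (\S+) dst (\S+)\n\s+proto (\w+) spi (0x[0-9a-f]+) .*?mode (\w+)", re.M)


def parse_xfrm_state(text):
    """Return one dict per SA with its outer addresses, protocol, SPI and mode."""
    return [dict(src=s, dst=d, proto=p, spi=spi, mode=m)
            for s, d, p, spi, m in SA_RE.findall(text)]


def outbound_endpoint(sas, peer):
    """Outer source of the tunnel-mode SA towards `peer`, i.e. the address the peer sees."""
    for sa in sas:
        if sa["dst"] == peer and sa["mode"] == "tunnel":
            return sa["src"]
    return None


def check_endpoint(sas, peer, expected_src, nat_traversal):
    """List findings when the outer source differs from what the peer accepts ESP from.

    In ipsec.conf the outer source is `left=`; it must name `expected_src`.
    """
    src = outbound_endpoint(sas, peer)
    if src is None:
        return ["no outbound tunnel-mode SA towards %s" % peer]
    findings = []
    if src != expected_src:
        findings.append("outer source is %s but the peer expects %s (set left=%s)"
                        % (src, expected_src, expected_src))
    if ipaddress.ip_address(src).is_private and not nat_traversal:
        findings.append("outer source %s is private and NAT traversal is off" % src)
    return findings
```

Feed it the real `ip xfrm state` output on the strongSwan box and the peer's expected address to see at a glance which `left=` value the SA was actually built with.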