[strongSwan] Telnet over a tunnel using Local IP (rather than Public IP)

Anupam Malhotra anupam.malhotra at u2opiamobile.com
Tue Dec 27 07:12:20 CET 2011

Thanks to all of you for helping out on this one. The issue was not with the
Strongswan configuration. Rather the remote side had some config issues due
to which this issue was happening. It is working fine now. Thanks again. J


Best Regards

Anupam Malhotra


From: Christ Schlacta [mailto:lists at aarcane.org] 
Sent: Monday, December 26, 2011 2:09 PM
To: Anupam Malhotra
Cc: Thomas Egerer; users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than
Public IP)


If I've missed something, I apologize, but it seems the simple fix is to ssh
into the intermediary server, and from there to telnet to the target server.
Correct me if there's some reason this solution won't work.

ipsec tunnels shouldn't change the source or destination of a TELNET packet
at all.  The original source and destination are still the original source
and destination.  If you want to change that, you need a proxy server

On Sun, Dec 25, 2011 at 11:31 PM, Anupam Malhotra
<anupam.malhotra at u2opiamobile.com> wrote:

Hi Thomas

Thanks for the useful insight. In my ipsec.conf file, "left" is indeed set
to my localIP (xl.xl.xl.xl). However, I tried setting that to my public IP
(xp.xp.xp.xp) (keeping all other configurations same). In that case the
tunnel is not coming up. You are right that my peer is not strongswan. Here
is my Ipsec.conf file:

config setup
       #nat_traversal = yes
       nat_traversal = no
       plutostderrlog =/var/log/pluto.log

conn %default

conn umb
       right=<Public IP of peer>

Please suggest.

Best Regards
Anupam Malhotra

-----Original Message-----

From: Thomas Egerer [mailto:thomas.egerer at secunet.com]
Sent: Friday, December 23, 2011 7:13 PM
To: Anupam Malhotra

Cc: 'gowrishankar'; users at lists.strongswan.org
Subject: Re: [strongSwan] Telnet over a tunnel using Local IP (rather than
Public IP)

On 12/23/2011 11:17 AM, Anupam Malhotra wrote:
> Hi Thomas
> The IKE_SA-negotiation is not failing. The tunnel is coming up. Only
> issue is that the local IP is being seen at the remote end (rather
> than the public IP).
Your output 'ip x s s' tells me, that your tunnel-endpoint on the local side
of the box running strongswan is your *local* ip-address.
> src <remote IP: xr.xr.xr.xr> dst <local IP:xl.xl.xl.xl> src <local IP:
> xl.xl.xl.xl> <remote IP: xr.xr.xr.xr>

This is only the case if your config tells strongswan to do so. If your peer
only accepts ESP packets from xp.xp.xp.xp then your tunnel-endpoint (left in
ipsec.conf) is supposed to say so. If that tunnel cannot be created you
should consult the log file. Your peer should have the config modified
Let us look at your ipsec.conf, maybe we can figure it out then.
Your peer is no strongswan, I assume?


Users mailing list
Users at lists.strongswan.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strongswan.org/pipermail/users/attachments/20111227/8d469f8c/attachment.html>

More information about the Users mailing list