[strongSwan] road warrior IP - can it also be used by services/daemons to listen on?
lejeczek
peljasz at yahoo.co.uk
Fri Nov 10 16:20:40 CET 2017
On 10/11/17 14:34, Dirk Hartmann wrote:
> Hi,
>
> --On Friday, November 10, 2017 02:21:09 PM +0000 lejeczek <peljasz at yahoo.co.uk> wrote:
>
>> I've a working roadwarrior which links up to a server (not mine,
>> meaning - no control over it) and I wonder - can that IP my
>> roadwarrior gets be used by other things?
>>
>> From that other (server) end, the network behind the server sees
>> that IP my roadwarrior gets, can ping it, but how to make,
>> e.g. apache etc., use and serve on that IP? If I do nmap
>> from the server's net on my roadwarrior IP it says the port is
>> closed.
>>
>> Is it something I can do at my end? Which would be great if
>> possible.
>
> Without a firewall either on your RW or on the Gateway side there is
> no reason you should not be able to reach any port on your RW.
>
> The question is, does your service bind itself to your RW-IP.
>
> What does netstat report for your apache?
>
> netstat -tulpn | grep apache
>
> Mostly you configure apache in /etc/apache2/ports.conf on which IPs
> it should listen or if it should listen on all IPs.
>
> Some services don't bind to interfaces added after the service
> started, so maybe you have to restart it after the VPN connection is
> up.
>
> Dirk
Apache listens on all ports, and I did restart it, same for
sshd. Nmap from behind the gateway says ports are closed,
but not filtered.
My RW is on a box which is my local gateway-to-internet. The
interface/connection strongswan creates when it connects to the VPN
gateway I put (with use of firewalld) into my external zone,
so it gets masqueraded so other nodes on my local LAN can
get to the VPN via my RW - but I do not see this affecting the
firewall, etc.; ports that are opened in the external zone (nic
with public IP and RW) are not filtered, as nmap says.
I nmap my public IP and it is "open"; I nmap my RW-IP and it is
"closed".
It all runs off a fedora26, I have
strongswan-libipsec-5.6.0-1.fc26.x86_64 installed - I
understand with it I get ipsec0 interface autocreation which
I can then manage with "regular" OS utils, e.g. firewalld - I
thought it was the laziest/quickest way out.
I did think that the RW-NIC-IP would be just operational,
manageable as any other iface in the OS, but it seems some
sorcery is needed, or maybe something trivial?
many thanks, L.
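An added example (not code from either poster) for the check Dirk describes: given `ss -tulpn` output (the modern equivalent of `netstat -tulpn`), decide whether a service would accept connections arriving on the virtual IP the VPN assigned, then the live version for a kernel-libipsec box with ipsec0 managed by firewalld, as in the setup above. The address 10.99.0.7 and the listener table are constructed sample data; `rw_check` assumes the virtual IP sits on ipsec0.

```shell
#!/bin/sh
# Constructed sample of `ss -tulpn` output (no real hosts); 10.99.0.7 stands
# in for the virtual IP the remote gateway hands the road warrior.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128    203.0.113.5:80     0.0.0.0:*         users:(("httpd",pid=990,fd=4))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=655,fd=20))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))'

# listens_on ADDR PORT [SS_OUTPUT]: exit 0 (and print the listener) if a TCP
# socket would accept connections to ADDR:PORT, exit 1 otherwise.
# A socket bound to 0.0.0.0, * or [::] (dual-stack by default on Linux)
# covers an address the VPN adds later; one bound to a single other address
# does not, and the kernel then answers with RST, which nmap reports as
# "closed" rather than "filtered".
listens_on() {
    out=${3:-$SAMPLE_SS}
    printf '%s\n' "$out" | awk -v a="$1" -v p="$2" '
        $2 == "LISTEN" {
            n = split($5, f, ":"); bport = f[n]
            baddr = substr($5, 1, length($5) - length(bport) - 1)
            if (bport != p) next
            if (baddr == "0.0.0.0" || baddr == "*" || baddr == "[::]" || baddr == a) {
                print; found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# rw_check PORT: live check on the road-warrior box. Reads the virtual IP
# strongSwan put on ipsec0, tests the listener against it, and shows which
# firewalld zone ipsec0 sits in and what that zone opens.
rw_check() {
    rw_ip=$(ip -4 -o addr show dev ipsec0 2>/dev/null | awk '{sub("/.*","",$4); print $4; exit}')
    [ -n "$rw_ip" ] || { echo "no IPv4 address on ipsec0 (is the tunnel up?)"; return 2; }
    echo "RW IP on ipsec0: $rw_ip"
    if listens_on "$rw_ip" "$1" "$(ss -tulpn)"; then
        echo "port $1 is served on $rw_ip"
    else
        echo "port $1 is NOT bound for $rw_ip: fix Listen/ListenAddress, then restart the service"
    fi
    zone=$(firewall-cmd --get-zone-of-interface=ipsec0)
    echo "ipsec0 is in firewalld zone: ${zone:-none}"
    [ -n "$zone" ] && firewall-cmd --zone="$zone" --list-all
}
```

Run `rw_check 80` after the tunnel is up; with the sample data, sshd on 0.0.0.0:22 is reachable on the RW IP while httpd bound only to 203.0.113.5 is not.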