[strongSwan] road worrior IP - can it also be used by services/daemons to listen onto?
peljasz at yahoo.co.uk
Fri Nov 10 16:20:40 CET 2017
On 10/11/17 14:34, Dirk Hartmann wrote:
> Hi, > > --On Friday, November 10, 2017 02:21:09 PM +0000
lejeczek > <peljasz at yahoo.co.uk> wrote: > >> I've a working
roadwarrior which links up to a server(not mine, >> meaning
- no control over it) and I wonder - can that IP my >>
roadworrior gets other things use? >> >> From that
other(server) end, the network behind the server sees >>
that IP my roadworrior gets, can ping it but, how to make,
eg. >> apache etc, use and serve on that IP? If I do nmap
from server's >> net on my roadwarrior IP it says port is
closed. >> >> Is it something I can do at my end? Which
would be great if >> possible. > > without a firewall either
on your RW or on the Gateway side there is > no reason you
should not be able to reach any port on your RW. > > The
question is, does your service bind itself to your RW-IP. >
> What does netstat report for your apache? > > netstat
-tulpn | grep apache > > Mostly you configure apache in
/etc/apache2/ports.conf on which IPs > it should listen or
if it should listen on all IPs. > > Some services don't bind
to interfaces added after the service > startet, so maybe
you have to restart it after the VPN connection is > up. > >
Apache listens on all port, and I did restart it, same for
sshd. Nmap from behind the gateway says ports are closed,
but not filtered.
My RW is on a box which is my local gateway-to-internet, the
interface/connection strongswan creates when connects to VPN
gateway I put(with use of firewalld) into my external zone,
so it gets masqueraded so other nodes on my local LAN can
get to VPN via my RW - but I do not see this affects
firewall, etc, ports that are opened in exteranal zone(nic
with public IP and RW) as nmap says are not filtered.
I nmap my public IP and is "open" I nmap my RW-IP and is
It all runs off a fedora26, I have
strongswan-libipsec-5.6.0-1.fc26.x86_64 installed - I
understand with it I get ipsec0 interface autocreation which
then I can manage with "regular" OS utils, eg. firewalld - I
thought it was the laziest/quickest way out.
I did think that RW-NIC-IP would be just operational,
manageable as any other iface in the OS, but it seems some
sorcerery is needed, or maybe something trivial?
many thanks, L.
More information about the Users