[strongSwan] road worrior IP - can it also be used by services/daemons to listen onto?

Fri Nov 10 18:47:38 CET 2017

--On 10. November 2017 at 15:20:40 +0000 lejeczek <peljasz at yahoo.co.uk> 
wrote:

>
>
> On 10/11/17 14:34, Dirk Hartmann wrote:
>> Hi,  > > --On Friday, November 10, 2017 02:21:09 PM +0000
> lejeczek > <peljasz at yahoo.co.uk> wrote: > >> I've a working roadwarrior
> which links up to a server(not mine, >> meaning - no control over it) and
> I wonder - can that IP my >> roadworrior gets other things use? >> >>
> From that other(server) end, the network behind the server sees >> that
> IP my roadworrior gets, can ping it but, how to make, eg. >> apache etc,
> use and serve on that IP? If I do nmap from server's >> net on my
> roadwarrior IP it says port is closed. >> >> Is it something I can do at
> my end? Which would be great if >> possible. > > without a firewall
> either on your RW or on the Gateway side there is > no reason you should
> not be able to reach any port on your RW. > > The question is, does your
> service bind itself to your RW-IP. >  > What does netstat report for your
> apache? > > netstat -tulpn | grep apache > > Mostly you configure apache
> in /etc/apache2/ports.conf on which IPs > it should listen or if it
> should listen on all IPs. > > Some services don't bind to interfaces
> added after the service > startet, so maybe you have to restart it after
> the VPN connection is > up. > >  > Dirk
> Apache listens on all port, and I did restart it, same for sshd. Nmap
> from behind the gateway says ports are closed, but not filtered.
>
> My RW is on a box which is my local gateway-to-internet, the
> interface/connection strongswan creates when connects to VPN gateway I
> put(with use of firewalld) into my external zone, so it gets masqueraded
> so other nodes on my local LAN can get to VPN via my RW - but I do not
> see this affects firewall, etc, ports that are opened in exteranal
> zone(nic with public IP and RW) as  nmap says are not filtered.
> I nmap my public IP and is "open" I nmap my RW-IP and is "closed".

IIRC closed means it's either no service there or when using iptables it 
has a reject rule to it instead of a drop-rule.

> It all runs off a fedora26, I have
> strongswan-libipsec-5.6.0-1.fc26.x86_64 installed - I understand with it
> I get ipsec0 interface autocreation which then I can manage with
> "regular" OS utils, eg. firewalld - I thought it was the laziest/quickest
> way out.
>
> I did think that RW-NIC-IP would be just operational, manageable as any
> other iface in the OS, but it seems some sorcerery is needed, or maybe
> something trivial?

Did you try to access the apache from local server via the tunnel-IP?

As I said. In a vanilla setup without firewall there is nothing preventing 
you to reach open ports on either side of the tunnel via the tunnel.

Dirk