[strongSwan] ssh and http through IPSec

Sujoy sujoy.b at mindlogicx.com
Mon Mar 5 07:05:42 CET 2018


Hi Jafar,

I have successfully established a connection with tunneling between an
OpenWRT client and CentOS as the StrongSwan server. Now I am facing one
issue: how do I enable ssh and http through the IPSec tunnel in StrongSwan?

Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
> Sujoy,
>
> You have to send me the logs from both ends. It is hard to know what 
> is the problem with no logs.
>
> --Jafar
>
> On 2/21/2018 8:58 AM, Sujoy wrote:
>>
>> Thanks Jafar, for giving this information. Please let me know if 
>> anything else is required. The client OS is Openwrt, so no logs are 
>> available.
>>
>>
>> *Server Config*
>>
>> config setup
>>         charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>         strictcrlpolicy=no
>>         uniqueids=no
>> conn %default
>> conn tunnel #
>>        left=%any
>>        right=%any
>>        ike=aes256-sha1-modp2048
>>        esp=aes256-sha1
>>        keyingtries=1
>>        keylife=20
>>        dpddelay=30s
>>        dpdtimeout=150s
>>        dpdaction=restart
>>        authby=psk
>>        auto=start
>>        keyexchange=ikev2
>>        type=tunnel
>>
>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>> : PSK "XXXXXXX"
>>
>>
>>
>> [host@VPNTEST ~]# firewall-cmd --list-all
>> FirewallD is not running
>> [host@VPNTEST ~]# sestatus
>> SELinux status:                 disabled
>> [host@VPNTEST ~]# iptables -L
>> Chain INPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain FORWARD (policy ACCEPT)
>> target     prot opt source               destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target     prot opt source               destination
>>
>>
>>
>> *Client config and status*
>>
>> config setup
>>         charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>         strictcrlpolicy=no
>>         uniqueids=no
>> conn %default
>> conn tunnel #
>>        left=%any
>>        #right=192.168.10.40
>>        right=182.156.253.59
>>        ike=aes256-sha1-modp2048
>>        esp=aes256-sha1
>>        keyingtries=1
>>        keylife=20
>>        dpddelay=30s
>>        dpdtimeout=150s
>>        dpdaction=restart
>>        authby=psk
>>        auto=start
>>        keyexchange=ikev2
>>        type=tunnel
>>
>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>> : PSK "XXXXXXX"
>>
>>
>> root@Device_BD2009:~# ipsec statusall
>> no files found matching '/etc/strongswan.d/*.conf'
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>   uptime: 22 minutes, since Feb 21 14:31:43 2018
>>   malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>> Listening IP addresses:
>>   192.168.20.100
>>   192.168.10.1
>>   fd70:5f2:3744::1
>> Connections:
>>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>       tunnel:   local:  uses pre-shared key authentication
>>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>       tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
>> Security Associations (1 up, 0 connecting):
>>       tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>       tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>>       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>
>>
>>
>> On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:
>>> Sujoy,
>>>
>>>    It is really hard to help you if you don't give us full information 
>>> and only send us one picture at a time. Please use text files; they 
>>> are easier to navigate than screenshots. Your last question below 
>>> is a repeat of a question that I answered before. If you want a 
>>> proper diagnosis of the problem, please send the configuration 
>>> files, logs, and routing table at both ends. See 8 at:
>>>
>>> https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>
>>> Make sure to increase the debug level in your ipsec.conf files at 
>>> both ends, something like:
>>>
>>> config setup
>>>        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>
>>>
>>> Regards,
>>> Jafar
>>>
>>>
>>> On 2/20/2018 8:00 AM, Sujoy wrote:
>>>> Hi Jafar,
>>>>
>>>> I am able to establish a tunnel when I try to connect from a LAN IP. 
>>>> But with the same configuration (firewall settings) and same OS version 
>>>> it fails to establish a tunnel with a *NATed public IP*.
>>>>
>>>> What does "failed to establish CHILD_SA, keeping IKE_SA" mean? 
>>>> Please let me know if you have any idea regarding this issue.
>>>
>>
>

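As an added diagnostic example (not from the thread and not strongSwan's own code), the function below parses `ipsec statusall` output like the one quoted above and reports whether a CHILD_SA is actually installed and which traffic selectors it covers, since only traffic matching those selectors (ssh and http included) goes through the tunnel. The samples are constructed: the thread's output with the public IP left as X.X.X.X, plus two hypothetical variants with a CHILD_SA installed.

```python
import re

# Constructed sample modelled on the `ipsec statusall` output quoted in the thread
# (public IPs replaced by X.X.X.X as in the original). The IKE_SA is ESTABLISHED,
# but no "tunnel{1}: INSTALLED" CHILD_SA line follows it.
STATUS_NO_CHILD = """\
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""
# Constructed: same conn with a CHILD_SA, but host-to-host selectors only (no leftsubnet/rightsubnet).
STATUS_HOST_ONLY = STATUS_NO_CHILD + """\
      tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1b2a3d4_i e5f6a7b8_o
      tunnel{1}:   192.168.20.100/32 === X.X.X.X/32
"""
# Constructed: CHILD_SA covering the OpenWrt LAN and a placeholder server-side subnet.
STATUS_SUBNETS = STATUS_NO_CHILD + """\
      tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1b2a3d4_i e5f6a7b8_o
      tunnel{1}:   192.168.10.0/24 === 10.0.0.0/24
"""

IKE_RE = re.compile(r"^\s*(\w+)\[\d+\]:\s+(ESTABLISHED|CONNECTING|REKEYING|DELETING)\b")
CHILD_RE = re.compile(r"^\s*(\w+)\{\d+\}:\s+INSTALLED\b")
TS_RE = re.compile(r"^\s*(\w+)\{\d+\}:\s+(\S+) === (\S+)")


def summarise(status_text):
    """Per connection: IKE_SA state, whether a CHILD_SA is installed, its traffic
    selectors, and the issues that would stop ssh/http from crossing the tunnel."""
    conns = {}
    for line in status_text.splitlines():
        if m := IKE_RE.match(line):
            conns[m.group(1)] = {"ike": m.group(2), "child": False, "selectors": [], "issues": []}
        elif (m := CHILD_RE.match(line)) and m.group(1) in conns:
            conns[m.group(1)]["child"] = True
        elif (m := TS_RE.match(line)) and m.group(1) in conns:
            conns[m.group(1)]["selectors"].append((m.group(2), m.group(3)))
    for c in conns.values():
        if not c["child"]:
            c["issues"].append("no CHILD_SA installed: IKE is up but no ESP traffic can flow")
        elif c["selectors"] and all(l.endswith("/32") and r.endswith("/32") for l, r in c["selectors"]):
            c["issues"].append("host-to-host selectors only: hosts behind either gateway "
                               "are not covered; set leftsubnet/rightsubnet")
    return conns


if __name__ == "__main__":
    for sample in (STATUS_NO_CHILD, STATUS_HOST_ONLY, STATUS_SUBNETS):
        print(summarise(sample))
```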