[strongSwan] ssh and http through IPSec

Sujoy sujoy.b at mindlogicx.com
Mon Mar 5 07:31:33 CET 2018


Hi Christopher,


  Thanks for the response. I want to access the CentOS IPsec server,
which has tunneling enabled, from another system through SSH.
In the meantime the other OpenWRT client should also be able to curl/wget
through the tunnel. Both SSH and HTTP fail while the tunnel is established.


Tried the following, but it doesn't work:
https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan


Thanks
Sujoy


On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
> Hi Sujoy,
>
> Do you route all traffic through the ipsec tunnel at the moment?
>
> Or is your goal to access the CentOS server through ipsec?
>
> Cheers,
>
> Christopher
>
> On Mar 5, 2018 07:05, Sujoy <sujoy.b at mindlogicx.com> wrote:
>
>     Hi Jafar,
>
>      I have successfully established a tunnel connection between the
>     OpenWRT client and CentOS as the strongSwan server. Now I am facing
>     one issue: how to enable SSH and HTTP through the IPsec tunnel in
>     strongSwan.
>
>
>
>     Thanks
>     Sujoy
>
>     On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>
>         Sujoy,
>
>         You have to send me the logs from both ends. It is hard to
>         know what the problem is with no logs.
>
>         --Jafar
>
>         On 2/21/2018 8:58 AM, Sujoy wrote:
>
>             Thanks, Jafar, for this information. Please let me
>             know if anything else is required. The client OS is
>             OpenWrt, so no logs are available.
>
>
>             *Server Config*
>
>             config setup
>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>                     strictcrlpolicy=no
>                     uniqueids=no
>             conn %default
>             conn tunnel #
>                    left=%any
>                    right=%any
>                    ike=aes256-sha1-modp2048
>                    esp=aes256-sha1
>                    keyingtries=1
>                    keylife=20
>                    dpddelay=30s
>                    dpdtimeout=150s
>                    dpdaction=restart
>                    authby=psk
>                    auto=start
>                    keyexchange=ikev2
>                    type=tunnel
>
>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>             : PSK "XXXXXXX"
>
>
>
>                [host at VPNTEST ~]# firewall-cmd --list-all
>             FirewallD is not running
>             [host at VPNTEST ~]# sestatus
>             SELinux status:                 disabled
>             [host at VPNTEST ~]# iptables -L
>             Chain INPUT (policy ACCEPT)
>             target     prot opt source destination
>
>             Chain FORWARD (policy ACCEPT)
>             target     prot opt source destination
>
>             Chain OUTPUT (policy ACCEPT)
>             target     prot opt source destination
>
>
>
>             *Client config and status*
>
>                     config setup
>
>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>                     strictcrlpolicy=no
>                     uniqueids=no
>             conn %default
>             conn tunnel #
>                    left=%any
>                    #right=192.168.10.40
>                    right=182.156.253.59
>                    ike=aes256-sha1-modp2048
>                    esp=aes256-sha1
>                    keyingtries=1
>                    keylife=20
>                    dpddelay=30s
>                    dpdtimeout=150s
>                    dpdaction=restart
>                    authby=psk
>                    auto=start
>                    keyexchange=ikev2
>                    type=tunnel
>
>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>             : PSK "XXXXXXX"
>
>
>             root at Device_BD2009:~# ipsec statusall
>             no files found matching '/etc/strongswan.d/*.conf'
>             Status of IKE charon daemon (strongSwan 5.3.3, Linux
>             3.10.49, mips):
>               uptime: 22 minutes, since Feb 21 14:31:43 2018
>               malloc: sbrk 196608, mmap 0, used 157560, free 39048
>               worker threads: 11 of 16 idle, 5/0/0/0 working, job
>             queue: 0/0/0/0, scheduled: 5
>               loaded plugins: charon aes des rc2 sha1 sha2 md5 random
>             nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
>             pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc
>             cmac hmac curl attr kernel-netlink resolve socket-default
>             stroke updown eap-identity eap-md5 xauth-generic
>             Listening IP addresses:
>               192.168.20.100
>               192.168.10.1
>               fd70:5f2:3744::1
>             Connections:
>                   tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>                   tunnel:   local:  uses pre-shared key authentication
>                   tunnel:   remote: [X.X.X.X] uses pre-shared key
>             authentication
>                   tunnel:   child:  dynamic === dynamic TUNNEL,
>             dpdaction=restart
>             Security Associations (1 up, 0 connecting):
>                   tunnel[1]: ESTABLISHED 22 minutes ago,
>             192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>                   tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i*
>             a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>                   tunnel[1]: IKE proposal:
>             AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>
>
>
>             On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh
>             wrote:
>
>                 Sujoy,
>
>                    It is really hard to help you if you don't give us full
>                 information, only sending us one picture at a time.
>                 Please use text files; they are easier to navigate
>                 than screenshots. Your last question below is a
>                 repeat of a question that I answered before. If you
>                 want a proper diagnosis of the problem please send the
>                 configuration files, logs and routing table at both ends.
>                 See 8 at:
>
>                 https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
>                 Make sure to increase the debug level in your
>                 ipsec.conf files at both ends, something like:
>
>                 config setup
>                        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>
>
>                 Regards,
>                 Jafar
>
>
>                 On 2/20/2018 8:00 AM, Sujoy wrote:
>
>                     Hi Jafar,
>
>                     I am able to establish the tunnel when I try to
>                     connect from a LAN IP. But with the same
>                     configuration (firewall settings) and the same OS
>                     version it fails to establish the tunnel with a *NATed
>                     public IP*.
>
>                     What does "failed to establish CHILD_SA,
>                     keeping IKE_SA" mean? Please let me know if you have
>                     any idea regarding this issue.
>
>
>
>
>
>

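The thread's client config sets no leftsubnet/rightsubnet, and `ipsec statusall` accordingly reports the child as `dynamic === dynamic`: the CHILD_SA's traffic selectors are just the two IKE endpoint addresses, so only packets sent by the OpenWrt box itself to the server's address match the policy, and a LAN host's SSH or HTTP session never does. The script below is an added example (it is not code from this thread or from strongSwan) that parses an ipsec.conf, works out the effective traffic selectors of a conn, and checks whether a given flow would be covered. The endpoint addresses are the ones visible in the thread; the LAN subnet 192.168.10.0/24 (guessed from the 192.168.10.1 listening address) and the LAN host 192.168.10.50 are assumptions for illustration, as is the trimmed sample config.

```python
"""Which flows does a strongSwan conn's CHILD_SA actually cover?

Added example, not code from this thread or from strongSwan. Endpoint addresses
come from the thread; the LAN subnet 192.168.10.0/24 and LAN host 192.168.10.50
are assumptions for illustration.
"""
import ipaddress
import re

PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}
# One selector item: <subnet>, optionally followed by [<proto>/<port>].
SELECTOR_RE = re.compile(r"^([^\[\s]+)\s*(?:\[([A-Za-z0-9]+)(?:/(\d+))?\])?$")


def parse_ipsec_conf(text):
    """Return {conn_name: settings}, with 'conn %default' merged into each conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()        # '#' starts a comment
        if not line.strip():
            continue
        if not line[0].isspace():                    # 'conn NAME' / 'config setup'
            kind, _, name = line.strip().partition(" ")
            current = (kind, name.strip())
            sections[current] = {}
        else:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip().strip('"')
    defaults = sections.get(("conn", "%default"), {})
    return {name: {**defaults, **vals} for (kind, name), vals in sections.items()
            if kind == "conn" and name != "%default"}


def parse_selectors(spec, endpoint_ip):
    """Expand a leftsubnet/rightsubnet value into [(network, proto, port)].
    No value (or %dynamic) means the endpoint's own address, which is what
    'ipsec statusall' prints as 'dynamic'; proto/port 0 mean 'any'."""
    selectors = []
    for item in (spec or "%dynamic").split(","):
        m = SELECTOR_RE.match(item.strip())
        if not m:
            raise ValueError("bad traffic selector: %r" % item)
        net, proto, port = m.groups()
        net = endpoint_ip if net == "%dynamic" else net
        proto_num = 0 if proto is None else (
            int(proto) if proto.isdigit() else PROTO_NUMBERS[proto.lower()])
        selectors.append((ipaddress.ip_network(net, strict=False), proto_num, int(port or 0)))
    return selectors


def describe(selectors):
    """Render a selector list the way 'ipsec statusall' shows a child's TS."""
    return ",".join("%s%s" % (net, "[%d/%d]" % (p, prt) if p or prt else "")
                    for net, p, prt in selectors)


def side_matches(selectors, ip, proto, port):
    ip = ipaddress.ip_address(ip)
    return any(ip in net and p in (0, proto) and prt in (0, port)
               for net, p, prt in selectors)


def flow_covered(conn, local_ip, remote_ip, src, dst, proto, sport, dport):
    """True if the outbound flow src:sport -> dst:dport matches the conn's local
    and remote selectors, i.e. the kernel would push it through the CHILD_SA.
    local_ip/remote_ip are what %any/%defaultroute resolved to at run time."""
    return (side_matches(parse_selectors(conn.get("leftsubnet"), local_ip), src, proto, sport)
            and side_matches(parse_selectors(conn.get("rightsubnet"), remote_ip), dst, proto, dport))


# Constructed: the client ipsec.conf from the thread, trimmed; no leftsubnet/rightsubnet.
POSTED_CLIENT_CONF = """\
config setup
        uniqueids=no
conn %default
conn tunnel #
       left=%any
       right=182.156.253.59
       authby=psk
       keyexchange=ikev2
       type=tunnel
       auto=start
"""
# Constructed variants: local selector = the OpenWrt LAN only, then the LAN plus the
# router's own WAN address (IKEv2 conns accept a comma-separated list of subnets).
SUBNET_CLIENT_CONF = POSTED_CLIENT_CONF + "       leftsubnet=192.168.10.0/24\n"
BOTH_CLIENT_CONF = POSTED_CLIENT_CONF + "       leftsubnet=192.168.10.0/24,192.168.20.100/32\n"

CLIENT_WAN, SERVER = "192.168.20.100", "182.156.253.59"   # as shown in the thread
LAN_HOST = "192.168.10.50"                                # assumed host behind the router


def report(conf_text):
    """Child TS pair, plus whether SSH (tcp/22) to the server is covered when it
    originates on the router itself and when it originates on a LAN host."""
    conn = parse_ipsec_conf(conf_text)["tunnel"]
    child = "%s === %s" % (describe(parse_selectors(conn.get("leftsubnet"), CLIENT_WAN)),
                           describe(parse_selectors(conn.get("rightsubnet"), SERVER)))
    ssh = lambda src: flow_covered(conn, CLIENT_WAN, SERVER, src, SERVER, 6, 40000, 22)
    return {"child": child, "ssh_from_router": ssh(CLIENT_WAN), "ssh_from_lan_host": ssh(LAN_HOST)}


if __name__ == "__main__":
    for label, conf in (("posted", POSTED_CLIENT_CONF), ("lan only", SUBNET_CLIENT_CONF),
                        ("lan+router", BOTH_CLIENT_CONF)):
        print(label, report(conf))
```

Two caveats for anyone applying this. First, the selectors are negotiated, not declared unilaterally: in IKEv2 the responder narrows the initiator's proposed TS to what its own conn allows, so the CentOS end needs a matching `rightsubnet` (or an equally wide selector) for the LAN subnet, and `ip xfrm policy` on either host shows the policies actually installed, which is what a failing flow should be compared against. Second, on OpenWrt the default LAN-to-WAN masquerade must not rewrite the source address of tunnel-bound packets, or the inner source no longer matches the selector; the strongSwan forwarding documentation recommends a rule such as `iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT` ahead of the MASQUERADE rule.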