[strongSwan] ssh and http through IPSec

Jafar Al-Gharaibeh jafar at atcorp.com
Mon Mar 5 17:28:32 CET 2018


Hi Sujoy,

   Can you ping the server's IP address that you want to ssh to?
   Is that the same IP address where the tunnel terminates: the "right"
address on the client side?

--Jafar


On 3/5/2018 12:31 AM, Sujoy wrote:
> Hi Christopher,
>
>
> Thanks for the response. I want to access the CentOS IPSec server,
> which has tunneling enabled, from another system through SSH.
> In the meantime the other OpenWRT client should also be able to curl/wget
> through the tunnel. Both SSH and HTTP fail while the tunnel is established.
>
>
> Tried the following but it doesn't work.
> https://wiki.strongswan.org/issues/2351
> https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
>
>
> Thanks
> Sujoy
>
>
> On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
>> Hi Sujoy,
>>
>> Do you route all traffic through the ipsec tunnel at the moment?
>>
>> Or is your goal to access the CentOS server through ipsec?
>>
>> Cheers,
>>
>> Christopher
>>
>> On Mar 5, 2018 07:05, Sujoy <sujoy.b at mindlogicx.com> wrote:
>>
>>     Hi Jafar,
>>
>>     I have successfully established a tunnel connection between the
>>     OpenWRT client and CentOS as the StrongSwan server. Now I am facing
>>     one issue. How do I enable ssh and http through the IPSec tunnel in
>>     StrongSwan?
>>
>>     Thanks
>>     Sujoy
>>
>>     On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>
>>         Sujoy,
>>
>>         You have to send me the logs from both ends. It is hard to
>>         know what the problem is with no logs.
>>
>>         --Jafar
>>
>>         On 2/21/2018 8:58 AM, Sujoy wrote:
>>
>>             Thanks Jafar, for giving this information. Please let me
>>             know if anything else is required. The client OS is
>>             Openwrt, so no logs are available.
>>
>>
>>             *Server Config*
>>
>>             config setup
>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>                     strictcrlpolicy=no
>>                     uniqueids=no
>>             conn %default
>>             conn tunnel #
>>                     left=%any
>>                     right=%any
>>                     ike=aes256-sha1-modp2048
>>                     esp=aes256-sha1
>>                     keyingtries=1
>>                     keylife=20
>>                     dpddelay=30s
>>                     dpdtimeout=150s
>>                     dpdaction=restart
>>                     authby=psk
>>                     auto=start
>>                     keyexchange=ikev2
>>                     type=tunnel
>>
>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>             : PSK "XXXXXXX"
>>
>>             [host at VPNTEST ~]# firewall-cmd --list-all
>>             FirewallD is not running
>>             [host at VPNTEST ~]# sestatus
>>             SELinux status:                 disabled
>>             [host at VPNTEST ~]# iptables -L
>>             Chain INPUT (policy ACCEPT)
>>             target     prot opt source destination
>>
>>             Chain FORWARD (policy ACCEPT)
>>             target     prot opt source destination
>>
>>             Chain OUTPUT (policy ACCEPT)
>>             target     prot opt source destination
>>
>>             *Client config and status*
>>
>>             config setup
>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>                     strictcrlpolicy=no
>>                     uniqueids=no
>>             conn %default
>>             conn tunnel #
>>                     left=%any
>>                     #right=192.168.10.40
>>                     right=182.156.253.59
>>                     ike=aes256-sha1-modp2048
>>                     esp=aes256-sha1
>>                     keyingtries=1
>>                     keylife=20
>>                     dpddelay=30s
>>                     dpdtimeout=150s
>>                     dpdaction=restart
>>                     authby=psk
>>                     auto=start
>>                     keyexchange=ikev2
>>                     type=tunnel
>>
>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>             : PSK "XXXXXXX"
>>
>>
>>             root at Device_BD2009:~# ipsec statusall
>>             no files found matching '/etc/strongswan.d/*.conf'
>>             Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>               uptime: 22 minutes, since Feb 21 14:31:43 2018
>>               malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>               worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>               loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>             Listening IP addresses:
>>               192.168.20.100
>>               192.168.10.1
>>               fd70:5f2:3744::1
>>             Connections:
>>                   tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>                   tunnel:   local:  uses pre-shared key authentication
>>                   tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>                   tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
>>             Security Associations (1 up, 0 connecting):
>>                   tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>                   tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>>                   tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>
>>             On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh
>>             wrote:
>>
>>                 Sujoy,
>>
>>                    It is really hard to help you if you don't give us
>>                 full information and only send us one picture at a
>>                 time. Please use text files; they are easier to
>>                 navigate than screenshots. Your last question below
>>                 is a repeat of a question that I answered before. If
>>                 you want a proper diagnosis of the problem please send
>>                 the configuration files, logs, and routing table at both
>>                 ends. See 8 at:
>>
>>                 https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>
>>                 Make sure to increase the debug level in your
>>                 ipsec.conf files at both ends, something like:
>>
>>                 config setup
>>                        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>
>>
>>                 Regards,
>>                 Jafar
>>
>>
>>                 On 2/20/2018 8:00 AM, Sujoy wrote:
>>
>>                     Hi Jafar,
>>
>>                     I am able to establish a tunnel when I try to
>>                     connect from a LAN IP. But with the same
>>                     configuration (firewall settings) and same OS
>>                     version it fails to establish a tunnel with a *NATed
>>                     public IP*.
>>
>>                     What does "failed to establish CHILD_SA,
>>                     keeping IKE_SA" mean? Please let me know if you have
>>                     any idea regarding this issue.
>>
>>
>
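Jafar's question at the top of the thread (is the address you ssh to the one the tunnel terminates on?) comes down to whether the destination falls inside the CHILD_SA's traffic selectors: with `dynamic === dynamic` and no leftsubnet/rightsubnet, only the two endpoint addresses themselves are protected, so ssh or http to any other host behind the server is never matched by the IPsec policy. The following check is an added example, not code from the thread or from strongSwan; it parses constructed `ipsec statusall` output modelled on the one quoted above, with 203.0.113.10 standing in for the masked X.X.X.X, and assumes no virtual IP was assigned (true for the configs shown).

```python
import ipaddress
import re

# Constructed sample modelled on the "ipsec statusall" output quoted in the
# thread: 203.0.113.10 stands in for the masked server address X.X.X.X.
SAMPLE_STATUS = """\
Connections:
      tunnel:  %any...203.0.113.10  IKEv2, dpddelay=30s
      tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...203.0.113.10[203.0.113.10]
"""

# IKE_SA line: "<conn>[n]: ESTABLISHED ..., <local>[<id>]...<remote>[<id>]"
SA_RE = re.compile(r"(\S+)\[\d+\]: ESTABLISHED .*?, (\S+?)\[[^\]]*\]\.\.\.(\S+?)\[[^\]]*\]")
# CHILD definition line: "<conn>:   child:  <local_ts> === <remote_ts> TUNNEL"
CHILD_RE = re.compile(r"(\S+):\s+child:\s+(\S+) === (\S+) TUNNEL")


def resolve(selector, endpoint_ip):
    """A 'dynamic' selector (no leftsubnet/rightsubnet configured) narrows to
    the IKE endpoint's own address as a /32 (assumes no virtual IP was
    assigned); any explicit subnet is taken literally."""
    if selector == "dynamic":
        return ipaddress.ip_network(endpoint_ip + "/32")
    return ipaddress.ip_network(selector, strict=False)


def traffic_selectors(status):
    """Map connection name -> (local_ts, remote_ts) for every connection
    that has an established IKE_SA; definitions without one are skipped."""
    endpoints = {m.group(1): (m.group(2), m.group(3)) for m in SA_RE.finditer(status)}
    result = {}
    for m in CHILD_RE.finditer(status):
        conn, local_ts, remote_ts = m.groups()
        if conn in endpoints:
            loc_ip, rem_ip = endpoints[conn]
            result[conn] = (resolve(local_ts, loc_ip), resolve(remote_ts, rem_ip))
    return result


def covered(status, conn, dst):
    """True if packets to dst match conn's remote traffic selector, i.e. the
    kernel IPsec policy would send them through the tunnel; False means they
    leave in the clear (or are dropped by whatever policy applies instead)."""
    sel = traffic_selectors(status).get(conn)
    return sel is not None and ipaddress.ip_address(dst) in sel[1]


if __name__ == "__main__":
    for dst in ("203.0.113.10", "10.20.0.5"):
        print(dst, "covered" if covered(SAMPLE_STATUS, "tunnel", dst) else "NOT covered")
```

Run against the real `ipsec statusall` output on the OpenWRT client, a "NOT covered" result for the ssh target is exactly the mismatch Jafar is asking about.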
