[strongSwan] ssh and http through IPSec

Sujoy sujoy.b at mindlogicx.com
Tue Mar 6 06:16:29 CET 2018


Hi Jafar,

   Thanks for the information. The ping is stopped as soon as the tunnel 
is established to the right IP of the client. I cannot 
ping/ssh/http(wget/curl) to the IPsec VPN server. It is the same IP 
address where the tunnel terminates.


Server configuration

config setup
         charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
         strictcrlpolicy=no
         uniqueids=no
conn %default
conn tunnel #
        left=%any
        leftsubnet=0.0.0.0/0
        right=%any
        rightsubnet=0.0.0.0/0
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel
        mobike=no

Client output

root at Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
   uptime: 25 seconds, since Mar 06 13:00:41 2018
   malloc: sbrk 196608, mmap 0, used 163488, free 33120
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
   192.168.20.100
   192.168.10.1
   fd70:5f2:3744::1
Connections:
       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
       tunnel:   local:  uses pre-shared key authentication
       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
       tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
       tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
       tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
       tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
       tunnel{21}:   192.168.20.100/32 === X.X.X.X/32


Thanks
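As an added diagnostic (not code from this thread or from strongSwan), the script below parses the CHILD_SA lines of an ipsec statusall dump like the one above and reports, for the server address the client is trying to reach, whether it falls inside an INSTALLED remote traffic selector and whether the counters show packets leaving the tunnel with nothing coming back. The sample status text is constructed from the output above, with the documentation address 203.0.113.10 standing in for the redacted X.X.X.X.

```python
import ipaddress
import re

# Constructed sample modelled on the client's "ipsec statusall" output above;
# 203.0.113.10 (a documentation address) stands in for the redacted X.X.X.X.
SAMPLE_STATUS = """\
       tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...203.0.113.10[203.0.113.10]
       tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
       tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
       tunnel{21}:   192.168.20.100/32 === 203.0.113.10/32
"""

CHILD_RE = re.compile(r"^\s*(?P<sa>\S+\{\d+\}):\s+(?P<rest>.+?)\s*$")  # "tunnel{21}:  ..." lines only
BYTES_RE = re.compile(r"(?P<bi>\d+) bytes_i, (?P<bo>\d+) bytes_o")
CHILD_STATES = ("INSTALLED", "REKEYED", "REKEYING", "DELETING", "ROUTED")


def parse_child_sas(status: str) -> dict:
    """Collect state, byte counters and traffic selectors for each CHILD_SA (e.g. 'tunnel{21}')."""
    sas = {}
    for line in status.splitlines():
        if not (m := CHILD_RE.match(line)):
            continue
        sa = sas.setdefault(m.group("sa"), {"state": None, "bytes_in": None, "bytes_out": None,
                                            "local_ts": [], "remote_ts": []})
        rest = m.group("rest")
        if rest.startswith(CHILD_STATES):
            sa["state"] = rest.split(",", 1)[0]
        elif " === " in rest:  # each side may list several selectors; "[tcp/22]" qualifiers are dropped
            for key, side in zip(("local_ts", "remote_ts"), rest.split(" === ", 1)):
                sa[key] = [ipaddress.ip_network(t.split("[")[0], strict=False) for t in side.split()]
        elif (b := BYTES_RE.search(rest)):
            sa["bytes_in"], sa["bytes_out"] = int(b.group("bi")), int(b.group("bo"))
    return sas


def diagnose(status: str, target: str) -> list:
    """For a destination the client cannot reach, say what the installed CHILD_SAs imply."""
    ip = ipaddress.ip_address(target)
    covering = {n: sa for n, sa in parse_child_sas(status).items()
                if sa["state"] == "INSTALLED" and any(ip in net for net in sa["remote_ts"])}
    if not covering:
        return [f"{target} is outside every INSTALLED remote selector: traffic to it bypasses the tunnel"]
    findings = []
    for name, sa in covering.items():
        findings.append(f"{target} is covered by {name}: " + " === ".join(
            " ".join(map(str, sa[k])) for k in ("local_ts", "remote_ts")))
        if sa["bytes_out"] and not sa["bytes_in"]:
            findings.append(f"{name}: {sa['bytes_out']} bytes out, 0 bytes in; requests leave through "
                            "the tunnel but no reply returns, so check routing, policies and firewall on the peer")
    return findings
```

Run diagnose() against the real dump and the server address on both ends: the "0 bytes_i" pattern above points at the return path, which is exactly why the routing table and policies of both peers were requested earlier in this thread.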

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
> Hi Sujoy,
>
>   Can you ping the server's IP address that you want to ssh to?
>   Is that the same IP address where the tunnel terminates: the "right" 
> address on the client side?
>
> --Jafar
>
>
> On 3/5/2018 12:31 AM, Sujoy wrote:
>> Hi Christopher,
>>
>>
>>  Thanks for the response. I want to access the CentOS IPsec server, 
>> which has tunneling enabled, from another system through SSH.
>> In the meantime the other OpenWRT client should also be able to curl/wget 
>> through the tunnel. Both SSH and HTTP fail while the tunnel is established.
>>
>>
>> Tried the following but it doesn't work.
>> https://wiki.strongswan.org/issues/2351
>> https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
>>
>>
>> Thanks
>> Sujoy
>>
>>
>> On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
>>> Hi Sujoy,
>>>
>>> Do you route all traffic through the ipsec tunnel at the moment?
>>>
>>> Or is your goal to access the CentOS server through ipsec?
>>>
>>> Cheers,
>>>
>>> Christopher
>>>
>>> On Mar 5, 2018 07:05, Sujoy <sujoy.b at mindlogicx.com> wrote:
>>>
>>>     Hi Jafar,
>>>
>>>      I have successfully established a connection with tunneling between
>>>     the OpenWRT client and CentOS as the StrongSwan server. Now I am facing
>>>     one issue. How do I enable ssh and http through the IPSec tunnel in
>>>     StrongSwan?
>>>
>>>
>>>
>>>     Thanks
>>>     Sujoy
>>>
>>>     On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>>
>>>         Sujoy,
>>>
>>>         You have to send me the logs from both ends. It is hard to
>>>         know what is the problem with no logs.
>>>
>>>         --Jafar
>>>
>>>         On 2/21/2018 8:58 AM, Sujoy wrote:
>>>
>>>             Thanks Jafar, for giving this information. Please let me
>>>             know if anything else is required. The client OS is
>>>             Openwrt, so no logs are available.
>>>
>>>
>>>             *Server Config*
>>>
>>>             config setup
>>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>                     strictcrlpolicy=no
>>>                     uniqueids=no
>>>             conn %default
>>>             conn tunnel #
>>>                    left=%any
>>>                    right=%any
>>>                    ike=aes256-sha1-modp2048
>>>                    esp=aes256-sha1
>>>                    keyingtries=1
>>>                    keylife=20
>>>                    dpddelay=30s
>>>                    dpdtimeout=150s
>>>                    dpdaction=restart
>>>                    authby=psk
>>>                    auto=start
>>>                    keyexchange=ikev2
>>>                    type=tunnel
>>>
>>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>             : PSK "XXXXXXX"
>>>
>>>
>>>
>>>                [host at VPNTEST ~]# firewall-cmd --list-all
>>>             FirewallD is not running
>>>             [host at VPNTEST ~]# sestatus
>>>             SELinux status:                 disabled
>>>             [host at VPNTEST ~]# iptables -L
>>>             Chain INPUT (policy ACCEPT)
>>>             target     prot opt source destination
>>>
>>>             Chain FORWARD (policy ACCEPT)
>>>             target     prot opt source destination
>>>
>>>             Chain OUTPUT (policy ACCEPT)
>>>             target     prot opt source destination
>>>
>>>
>>>
>>>             *Client config and status*
>>>
>>>                     config setup
>>>
>>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>                     strictcrlpolicy=no
>>>                     uniqueids=no
>>>             conn %default
>>>             conn tunnel #
>>>                    left=%any
>>>                    #right=192.168.10.40
>>>                    right=182.156.253.59
>>>                    ike=aes256-sha1-modp2048
>>>                    esp=aes256-sha1
>>>                    keyingtries=1
>>>                    keylife=20
>>>                    dpddelay=30s
>>>                    dpdtimeout=150s
>>>                    dpdaction=restart
>>>                    authby=psk
>>>                    auto=start
>>>                    keyexchange=ikev2
>>>                    type=tunnel
>>>
>>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>             : PSK "XXXXXXX"
>>>
>>>
>>>             root at Device_BD2009:~# ipsec statusall
>>>             no files found matching '/etc/strongswan.d/*.conf'
>>>             Status of IKE charon daemon (strongSwan 5.3.3, Linux
>>>             3.10.49, mips):
>>>               uptime: 22 minutes, since Feb 21 14:31:43 2018
>>>               malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>>               worker threads: 11 of 16 idle, 5/0/0/0 working, job
>>>             queue: 0/0/0/0, scheduled: 5
>>>               loaded plugins: charon aes des rc2 sha1 sha2 md5
>>>             random nonce x509 revocation constraints pubkey pkcs1
>>>             pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl
>>>             fips-prf gmp xcbc cmac hmac curl attr kernel-netlink
>>>             resolve socket-default stroke updown eap-identity
>>>             eap-md5 xauth-generic
>>>             Listening IP addresses:
>>>               192.168.20.100
>>>               192.168.10.1
>>>               fd70:5f2:3744::1
>>>             Connections:
>>>                   tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>>                   tunnel:   local:  uses pre-shared key authentication
>>>                   tunnel:   remote: [X.X.X.X] uses pre-shared key
>>>             authentication
>>>                   tunnel:   child:  dynamic === dynamic TUNNEL,
>>>             dpdaction=restart
>>>             Security Associations (1 up, 0 connecting):
>>>                   tunnel[1]: ESTABLISHED 22 minutes ago,
>>>             192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>>                   tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i*
>>>             a8c47adc292f6d3f_r, pre-shared key reauthentication in 2
>>>             hours
>>>                   tunnel[1]: IKE proposal:
>>>             AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>
>>>
>>>
>>>             On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh
>>>             wrote:
>>>
>>>                 Sujoy,
>>>
>>>                    It is really hard to help you if you don't give us
>>>                 full information, only sending us one picture at a
>>>                 time. Please use text files, they are easier to
>>>                 navigate than screenshots. Your last question below
>>>                 is a repeat of a question that I answered before. 
>>>                 If you want a proper diagnosis of the problem please
>>>                 send the configuration files, logs and routing table at
>>>                 both ends. See 8 at:
>>>
>>>                 https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>
>>>                 Make sure to increase the debug level in your
>>>                 ipsec.conf files at both ends, something like:
>>>
>>>                 config setup
>>>                        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>
>>>
>>>                 Regards,
>>>                 Jafar
>>>
>>>
>>>                 On 2/20/2018 8:00 AM, Sujoy wrote:
>>>
>>>                     Hi Jafar,
>>>
>>>                     I am able to establish a tunnel when I try to
>>>                     connect from a LAN IP. But with the same
>>>                     configuration (firewall settings) and the same OS
>>>                     version it failed to establish a tunnel with a
>>>                     *NATed public IP*.
>>>
>>>                     What does "failed to establish CHILD_SA,
>>>                     keeping IKE_SA" mean? Please let me know if you have
>>>                     any idea regarding this issue.
>>>
>>>
>>>
>>>
>>>
>>>
>>
>
