[strongSwan] ssh and http through IPSec

Sujoy sujoy.b at mindlogicx.com
Wed Mar 7 12:50:56 CET 2018


Hi Jafar,

I am not getting any output from "*ip route list table 220*" while the 
tunnel is established, and it is not allowing any type of traffic. Any 
idea what the issue could be?


[root at VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
   uptime: 8 minutes, since Mar 07 17:00:51 2018
   malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
   172.25.1.23
Connections:
       tunnel:  %any...%any  IKEv2, dpddelay=30s
       tunnel:   local:  uses pre-shared key authentication
       tunnel:   remote: uses pre-shared key authentication
       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
       tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
       tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a86999948d0d206c_r*, rekeying disabled
       tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
       tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
       tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
[root at VPNTEST ~]#
[root at VPNTEST ~]# ip route list table 220
[root at VPNTEST ~]#


[root at VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root at VPNTEST ~]#



Thanks

On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
> Hi Jafar,
>
>   Thanks for the information. The ping stops as soon as the 
> tunnel is established to the right IP of the client. I cannot 
> ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP 
> address where the tunnel terminates.
>
>
> Server configuration
>
> config setup
>         charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>         strictcrlpolicy=no
>         uniqueids=no
> conn %default
> conn tunnel #
>        left=%any
>        leftsubnet=0.0.0.0/0
>        right=%any
>        rightsubnet=0.0.0.0/0
>        ike=aes256-sha1-modp2048
>        esp=aes256-sha1
>        keyingtries=1
>        keylife=20
>        dpddelay=30s
>        dpdtimeout=150s
>        dpdaction=restart
>        authby=psk
>        auto=start
>        keyexchange=ikev2
>        type=tunnel
>        mobike=no
>
> Client output
>
> root at Device_BD2009:~# ipsec statusall
> no files found matching '/etc/strongswan.d/*.conf'
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>   uptime: 25 seconds, since Mar 06 13:00:41 2018
>   malloc: sbrk 196608, mmap 0, used 163488, free 33120
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
> Listening IP addresses:
>   192.168.20.100
>   192.168.10.1
>   fd70:5f2:3744::1
> Connections:
>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>       tunnel:   local:  uses pre-shared key authentication
>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>       tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>       tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>       tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
>       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>       tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
>       tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
>       tunnel{21}:   192.168.20.100/32 === X.X.X.X/32
>
>
> Thanks
>
> On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
>> Hi Sujoy,
>>
>>   Can you ping the server's IP address that you want to ssh to?
>>   Is that the same IP address where the tunnel terminates: the 
>> "right" address on the client side?
>>
>> --Jafar
>>
>>
>> On 3/5/2018 12:31 AM, Sujoy wrote:
>>> Hi Christopher,
>>>
>>>
>>>  Thanks for the response. I want to access the CentOS IPsec server, 
>>> which has tunneling enabled, from another system through SSH.
>>> In the meantime the other OpenWRT client should also be able to curl/wget 
>>> through the tunnel. Both SSH and HTTP fail while the tunnel is 
>>> established.
>>>
>>>
>>> Tried the following but it doesn't work.
>>> https://wiki.strongswan.org/issues/2351
>>> https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
>>>
>>>
>>> Thanks
>>> Sujoy
>>>
>>>
>>> On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
>>>> Hi Sujoy,
>>>>
>>>> Do you route all traffic through the ipsec tunnel at the moment?
>>>>
>>>> Or is your goal to access the CentOS server through ipsec?
>>>>
>>>> Cheers,
>>>>
>>>> Christopher
>>>>
>>>> On Mar 5, 2018 07:05, Sujoy <sujoy.b at mindlogicx.com> wrote:
>>>>
>>>>     Hi Jafar,
>>>>
>>>>      I have successfully established a connection with tunneling
>>>>     between an OpenWRT client and CentOS as the strongSwan server. Now I
>>>>     am facing one issue: how to enable ssh and http through the IPsec
>>>>     tunnel in strongSwan.
>>>>
>>>>
>>>>
>>>>     Thanks
>>>>     Sujoy
>>>>
>>>>     On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>>>
>>>>         Sujoy,
>>>>
>>>>         You have to send me the logs from both ends. It is hard to
>>>>         know what is the problem with no logs.
>>>>
>>>>         --Jafar
>>>>
>>>>         On 2/21/2018 8:58 AM, Sujoy wrote:
>>>>
>>>>             Thanks Jafar, for giving this information. Please let
>>>>             me know if anything else is required. The client OS is
>>>>             Openwrt, so no logs are available.
>>>>
>>>>
>>>>             *Server Config*
>>>>
>>>>             config setup
>>>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>                     strictcrlpolicy=no
>>>>                     uniqueids=no
>>>>             conn %default
>>>>             conn tunnel #
>>>>                    left=%any
>>>>                    right=%any
>>>>                    ike=aes256-sha1-modp2048
>>>>                    esp=aes256-sha1
>>>>                    keyingtries=1
>>>>                    keylife=20
>>>>                    dpddelay=30s
>>>>                    dpdtimeout=150s
>>>>                    dpdaction=restart
>>>>                    authby=psk
>>>>                    auto=start
>>>>                    keyexchange=ikev2
>>>>                    type=tunnel
>>>>
>>>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>             : PSK "XXXXXXX"
>>>>
>>>>
>>>>
>>>>                [host at VPNTEST ~]# firewall-cmd --list-all
>>>>             FirewallD is not running
>>>>             [host at VPNTEST ~]# sestatus
>>>>             SELinux status:                 disabled
>>>>             [host at VPNTEST ~]# iptables -L
>>>>             Chain INPUT (policy ACCEPT)
>>>>             target     prot opt source destination
>>>>
>>>>             Chain FORWARD (policy ACCEPT)
>>>>             target     prot opt source destination
>>>>
>>>>             Chain OUTPUT (policy ACCEPT)
>>>>             target     prot opt source destination
>>>>
>>>>
>>>>
>>>>             *Client config and status*
>>>>
>>>>                     config setup
>>>>
>>>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>                     strictcrlpolicy=no
>>>>                     uniqueids=no
>>>>             conn %default
>>>>             conn tunnel #
>>>>                    left=%any
>>>>                    #right=192.168.10.40
>>>>                    right=182.156.253.59
>>>>                    ike=aes256-sha1-modp2048
>>>>                    esp=aes256-sha1
>>>>                    keyingtries=1
>>>>                    keylife=20
>>>>                    dpddelay=30s
>>>>                    dpdtimeout=150s
>>>>                    dpdaction=restart
>>>>                    authby=psk
>>>>                    auto=start
>>>>                    keyexchange=ikev2
>>>>                    type=tunnel
>>>>
>>>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>             : PSK "XXXXXXX"
>>>>
>>>>
>>>>             root at Device_BD2009:~# ipsec statusall
>>>>             no files found matching '/etc/strongswan.d/*.conf'
>>>>             Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>>>               uptime: 22 minutes, since Feb 21 14:31:43 2018
>>>>               malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>>>               worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>>>               loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>>>             Listening IP addresses:
>>>>               192.168.20.100
>>>>               192.168.10.1
>>>>               fd70:5f2:3744::1
>>>>             Connections:
>>>>                   tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>>>                   tunnel:   local:  uses pre-shared key authentication
>>>>                   tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>>>                   tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
>>>>             Security Associations (1 up, 0 connecting):
>>>>                   tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>>>                   tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>>>>                   tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>>
>>>>
>>>>
>>>>             On Tuesday 20 February 2018 09:20 PM, Jafar
>>>>             Al-Gharaibeh wrote:
>>>>
>>>>                 Sujoy,
>>>>
>>>>                    It is really hard to help you if you don't give us
>>>>                 full information, only sending us one picture at a
>>>>                 time. Please use text files, they are easier to
>>>>                 navigate than screenshots. Your last question
>>>>                 below is a repeat of a question that I answered
>>>>                 before.  If you want a proper diagnosis of the problem
>>>>                 please send the configuration files, logs, and routing
>>>>                 table at both ends. See 8 at:
>>>>
>>>>                 https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>>
>>>>                 Make sure to increase the debug level in your
>>>>                 ipsec.conf files at both ends, something like:
>>>>
>>>>                 config setup
>>>>                        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>
>>>>
>>>>                 Regards,
>>>>                 Jafar
>>>>
>>>>
>>>>                 On 2/20/2018 8:00 AM, Sujoy wrote:
>>>>
>>>>                     Hi Jafar,
>>>>
>>>>                     I am able to establish a tunnel when I try to
>>>>                     connect from a LAN IP. But with the same
>>>>                     configuration (firewall settings) and the same OS
>>>>                     version it fails to establish a tunnel with a
>>>>                     *NATed public IP*.
>>>>
>>>>                     What does "failed to establish
>>>>                     CHILD_SA, keeping IKE_SA" mean? Please let me know
>>>>                     if you have any idea regarding this issue.
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>
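
Added example, not part of the thread and not strongSwan project code: a small Python script that parses the `ipsec statusall` output of both ends (the line shapes are exactly those quoted above) and reports the usual reasons a tunnel shows ESTABLISHED/INSTALLED yet carries no ssh or http: the two ends' traffic selectors not being mirror images of each other, SPIs that do not pair up, the configured 0.0.0.0/0 === 0.0.0.0/0 having been narrowed to a host/32 === host/32 pair, and ESP counted as sent on one end but never decrypted on the other. The embedded inputs are constructed, modelled on the server output from 7 March and the client output from 6 March; 203.0.113.10 is a placeholder for the server's X.X.X.X.

```python
"""Added example (not from the thread or from strongSwan): compare the two ends of a
tunnel from their `ipsec statusall` output. The inputs at the bottom are constructed,
modelled on the mails above; 203.0.113.10 stands in for the server's X.X.X.X."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Line shapes `ipsec statusall` prints in strongSwan 5.x (as quoted in the thread).
CONN_CHILD_RE = re.compile(r"^\s*(\S+):\s+child:\s+(\S+) === (\S+)\s+(?:TUNNEL|TRANSPORT)")
CHILD_HDR_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\w+), (?:TUNNEL|TRANSPORT), reqid \d+, "
                          r"ESP(?: in UDP)? SPIs: (\w+)_i (\w+)_o")
CHILD_BYTES_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+\S+, (\d+) bytes_i(?: \((\d+) pkts?,[^)]*\))?, "
                            r"(\d+) bytes_o(?: \((\d+) pkts?,[^)]*\))?")
CHILD_TS_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(\S+) === (\S+)\s*$")

@dataclass
class ChildSA:
    name: str
    idx: int
    state: str = ""
    spi_in: str = ""
    spi_out: str = ""
    bytes_in: int = 0
    bytes_out: int = 0
    pkts_out: int = 0
    local_ts: str = ""
    remote_ts: str = ""

@dataclass
class Status:
    configured: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # conn -> (left, right) subnet
    children: Dict[Tuple[str, int], ChildSA] = field(default_factory=dict)

    def child(self, name: str, idx: int) -> ChildSA:
        return self.children.setdefault((name, idx), ChildSA(name, idx))

def parse_statusall(text: str) -> Status:
    st = Status()
    for line in text.splitlines():
        if m := CONN_CHILD_RE.match(line):
            st.configured[m[1]] = (m[2], m[3])
        elif m := CHILD_HDR_RE.match(line):
            c = st.child(m[1], int(m[2]))
            c.state, c.spi_in, c.spi_out = m[3], m[4], m[5]
        elif m := CHILD_BYTES_RE.match(line):
            c = st.child(m[1], int(m[2]))
            c.bytes_in, c.bytes_out, c.pkts_out = int(m[3]), int(m[5]), int(m[6] or 0)
        elif m := CHILD_TS_RE.match(line):
            c = st.child(m[1], int(m[2]))
            c.local_ts, c.remote_ts = m[3], m[4]
    return st

def diagnose(server: Status, client: Status) -> List[str]:
    """Coded findings per server CHILD_SA; an empty list means both ends agree and carry traffic."""
    out: List[str] = []
    for sc in server.children.values():
        if sc.state != "INSTALLED":
            out.append(f"NOT_INSTALLED: server {sc.name}{{{sc.idx}}} is {sc.state}")
            continue
        conf = server.configured.get(sc.name, ("", ""))
        if "0.0.0.0/0" in conf and sc.local_ts.endswith("/32") and sc.remote_ts.endswith("/32"):
            out.append(f"NARROWED: configured {conf[0]} === {conf[1]} became {sc.local_ts} === "
                       f"{sc.remote_ts}; only packets between exactly those two hosts are protected")
        # IKEv2 leaves both peers with one negotiated selector pair: client local TS == server remote TS.
        mirror = [cc for cc in client.children.values()
                  if cc.local_ts == sc.remote_ts and cc.remote_ts == sc.local_ts]
        if not mirror:
            seen = ", ".join(f"{c.local_ts} === {c.remote_ts}" for c in client.children.values()) or "none"
            out.append(f"TS_MISMATCH: server has {sc.local_ts} === {sc.remote_ts}, client has {seen}; "
                       "the two outputs do not describe the same CHILD_SA")
            continue
        cc = mirror[0]
        if cc.spi_out != sc.spi_in or sc.spi_out != cc.spi_in:
            out.append(f"SPI_MISMATCH: client {cc.spi_in}_i/{cc.spi_out}_o vs server {sc.spi_in}_i/{sc.spi_out}_o")
        if cc.bytes_out and not sc.bytes_in:
            out.append(f"ESP_LOST_C2S: client sent {cc.bytes_out} bytes ({cc.pkts_out} pkt) but the server "
                       "decrypted none; check that UDP 4500 from the NAT reaches the server")
        if not (sc.bytes_in or sc.bytes_out or cc.bytes_in or cc.bytes_out):
            out.append("NO_TRAFFIC: nothing entered the tunnel at either end; the kernel policy did not "
                       "match the packets (wrong source address, or destination outside the TS)")
    return out

SERVER_STATUS = """\
       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
       tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
       tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
       tunnel{3}:   203.0.113.10/32 === 192.168.10.40/32
"""
CLIENT_STATUS = """\
       tunnel:   child:  dynamic === 203.0.113.10/32 TUNNEL, dpdaction=restart
       tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
       tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
       tunnel{21}:   192.168.20.100/32 === 203.0.113.10/32
"""

if __name__ == "__main__":
    for finding in diagnose(parse_statusall(SERVER_STATUS), parse_statusall(CLIENT_STATUS)):
        print(finding)
```

Feed it two outputs captured at the same moment from both ends. On the constructed inputs it reports NARROWED (the server's 0.0.0.0/0 pair became 203.0.113.10/32 === 192.168.10.40/32, so only host-to-host traffic between those two addresses is protected, nothing from a LAN behind either end) and TS_MISMATCH (the client's selector pair is 192.168.20.100/32 === 203.0.113.10/32, so these are not the same CHILD_SA). With the client selectors and SPIs lined up, the same server output yields ESP_LOST_C2S: one packet sent from the client, 0 bytes_i on the server, which is the symptom the thread shows.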
