[strongSwan] ssh and http through IPSec

Noel Kuntze noel.kuntze+strongswan-users-ml at thermi.consulting
Thu Mar 8 11:37:38 CET 2018


Hi,

Don't answer existing threads if you want to talk about new things. Send a completely new mail to the list, otherwise you get shit like this with different topics under a single thread and that makes it unnecessarily difficult and ugly to handle in mail clients.
Take a look at the article about help requests[1]. I'm sure you can figure it out by yourself (hint: It's likely your rules in *nat).

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 07.03.2018 12:50, Sujoy wrote:
>
> Hi Jafar,
>
> I am not getting any output from "*ip route list table 220*" when the tunnel is established. And it is not allowing any type of traffic; any idea what the issue could be?
>
>
> [root at VPNTEST ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
>   uptime: 8 minutes, since Mar 07 17:00:51 2018
>   malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   172.25.1.23
> Connections:
>       tunnel:  %any...%any  IKEv2, dpddelay=30s
>       tunnel:   local:  uses pre-shared key authentication
>       tunnel:   remote: uses pre-shared key authentication
>       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>       tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
>       tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a86999948d0d206c_r*, rekeying disabled
>       tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>       tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
>       tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>       tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
> [root at VPNTEST ~]#
> [root at VPNTEST ~]#
> [root at VPNTEST ~]# ip route list table 220
> [root at VPNTEST ~]#
>
>
> [root at VPNTEST ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination        
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
> ACCEPT     esp  --  anywhere             anywhere           
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination        
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination        
> [root at VPNTEST ~]#
>
>
>
> Thanks
>
> On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
>> Hi Jafar,
>>
>>   Thanks for the information. The ping is stopped as soon as the tunnel is established to the right IP of the client. I cannot ping/ssh/http(wget/curl) to the IPsec VPN server. It is the same IP address where the tunnel terminates.
>>
>>
>> Server configuration
>>
>> config setup
>>         charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>         strictcrlpolicy=no
>>         uniqueids=no
>> conn %default
>> conn tunnel #
>>        left=%any
>>        leftsubnet=0.0.0.0/0
>>        right=%any
>>        rightsubnet=0.0.0.0/0
>>        ike=aes256-sha1-modp2048
>>        esp=aes256-sha1
>>        keyingtries=1
>>        keylife=20
>>        dpddelay=30s
>>        dpdtimeout=150s
>>        dpdaction=restart
>>        authby=psk
>>        auto=start
>>        keyexchange=ikev2
>>        type=tunnel
>>        mobike=no
>>
>> Client output
>>
>> root at Device_BD2009:~# ipsec statusall
>> no files found matching '/etc/strongswan.d/*.conf'
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>   uptime: 25 seconds, since Mar 06 13:00:41 2018
>>   malloc: sbrk 196608, mmap 0, used 163488, free 33120
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>> Listening IP addresses:
>>   192.168.20.100
>>   192.168.10.1
>>   fd70:5f2:3744::1
>> Connections:
>>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>       tunnel:   local:  uses pre-shared key authentication
>>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>       tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
>> Security Associations (1 up, 0 connecting):
>>       tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>       tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
>>       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>       tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
>>       tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
>>       tunnel{21}:   192.168.20.100/32 === X.X.X.X/32
>>
>>
>> Thanks
>>
>> On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
>>> Hi Sujoy,
>>>
>>>   Can you ping the server's IP address that you want to ssh to?
>>>   Is that the same IP address where the tunnel terminates: the "right" address on the client side?
>>>
>>> --Jafar
>>>  
>>>
>>> On 3/5/2018 12:31 AM, Sujoy wrote:
>>>> Hi Christopher,
>>>>
>>>>
>>>>  Thanks for the response. I want to access the CentOS IPSec server, which has tunneling enabled, from another system through SSH.
>>>> In the meantime the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and http fail while the tunnel is established.
>>>>
>>>>
>>>> Tried the following but it doesn't work.
>>>> https://wiki.strongswan.org/issues/2351
>>>> https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
>>>>
>>>>
>>>> Thanks
>>>> Sujoy
>>>>
>>>>
>>>> On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
>>>>> Hi Sujoy,
>>>>>
>>>>> Do you route all traffic through the ipsec tunnel at the moment?
>>>>>
>>>>> Or is your goal to access the CentOS server through ipsec?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Christopher
>>>>>
>>>>> On Mar 5, 2018 07:05, Sujoy <sujoy.b at mindlogicx.com> wrote:
>>>>>
>>>>>     Hi Jafar,
>>>>>
>>>>>      I have successfully established a connection with tunneling between an OpenWRT client and CentOS as the StrongSwan server. Now I am facing one issue: how to enable ssh and http through the IPSec tunnel in StrongSwan?
>>>>>
>>>>>
>>>>>
>>>>>     Thanks
>>>>>     Sujoy
>>>>>
>>>>>     On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>>>>
>>>>>         Sujoy,
>>>>>
>>>>>         You have to send me the logs from both ends. It is hard to know what is the problem with no logs.
>>>>>
>>>>>         --Jafar
>>>>>
>>>>>         On 2/21/2018 8:58 AM, Sujoy wrote:
>>>>>
>>>>>             Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is Openwrt, so no logs are available.
>>>>>
>>>>>
>>>>>             *Server Config*
>>>>>
>>>>>             config setup
>>>>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>                     strictcrlpolicy=no
>>>>>                     uniqueids=no
>>>>>             conn %default
>>>>>             conn tunnel #
>>>>>                    left=%any
>>>>>                    right=%any
>>>>>                    ike=aes256-sha1-modp2048
>>>>>                    esp=aes256-sha1
>>>>>                    keyingtries=1
>>>>>                    keylife=20
>>>>>                    dpddelay=30s
>>>>>                    dpdtimeout=150s
>>>>>                    dpdaction=restart
>>>>>                    authby=psk
>>>>>                    auto=start
>>>>>                    keyexchange=ikev2
>>>>>                    type=tunnel
>>>>>
>>>>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>>             : PSK "XXXXXXX"
>>>>>
>>>>>
>>>>>
>>>>>             [host at VPNTEST ~]# firewall-cmd --list-all
>>>>>             FirewallD is not running
>>>>>             [host at VPNTEST ~]# sestatus
>>>>>             SELinux status:                 disabled
>>>>>             [host at VPNTEST ~]# iptables -L
>>>>>             Chain INPUT (policy ACCEPT)
>>>>>             target     prot opt source               destination        
>>>>>
>>>>>             Chain FORWARD (policy ACCEPT)
>>>>>             target     prot opt source               destination        
>>>>>
>>>>>             Chain OUTPUT (policy ACCEPT)
>>>>>             target     prot opt source               destination   
>>>>>
>>>>>
>>>>>
>>>>>             *Client config and status*
>>>>>
>>>>>             config setup
>>>>>                     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>                     strictcrlpolicy=no
>>>>>                     uniqueids=no
>>>>>             conn %default
>>>>>             conn tunnel #
>>>>>                    left=%any
>>>>>                    #right=192.168.10.40
>>>>>                    right=182.156.253.59
>>>>>                    ike=aes256-sha1-modp2048
>>>>>                    esp=aes256-sha1
>>>>>                    keyingtries=1
>>>>>                    keylife=20
>>>>>                    dpddelay=30s
>>>>>                    dpdtimeout=150s
>>>>>                    dpdaction=restart
>>>>>                    authby=psk
>>>>>                    auto=start
>>>>>                    keyexchange=ikev2
>>>>>                    type=tunnel
>>>>>
>>>>>             # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>>             : PSK "XXXXXXX"
>>>>>               
>>>>>
>>>>>             root at Device_BD2009:~# ipsec statusall
>>>>>             no files found matching '/etc/strongswan.d/*.conf'
>>>>>             Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>>>>               uptime: 22 minutes, since Feb 21 14:31:43 2018
>>>>>               malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>>>>               worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>>>>               loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>>>>             Listening IP addresses:
>>>>>               192.168.20.100
>>>>>               192.168.10.1
>>>>>               fd70:5f2:3744::1
>>>>>             Connections:
>>>>>                   tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>>>>                   tunnel:   local:  uses pre-shared key authentication
>>>>>                   tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>>>>                   tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
>>>>>             Security Associations (1 up, 0 connecting):
>>>>>                   tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>>>>                   tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>>>>>                   tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>>>
>>>>>
>>>>>
>>>>>             On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:
>>>>>
>>>>>                 Sujoy,
>>>>>
>>>>>                    It is really hard to help you if you don't give us full information, only sending us one picture at a time. Please use text files, they are easier to navigate than screenshots. Your last question below is a repeat of a question that I answered before. If you want a proper diagnosis of the problem, please send the configuration files, logs and routing tables at both ends. See 8 at:
>>>>>
>>>>>                 https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>>>
>>>>>                 Make sure to increase the debug level in your ipsec.conf files at both ends, something like:
>>>>>
>>>>>                 config setup
>>>>>                        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>
>>>>>
>>>>>                 Regards,
>>>>>                 Jafar
>>>>>
>>>>>
>>>>>                 On 2/20/2018 8:00 AM, Sujoy wrote:
>>>>>
>>>>>                     Hi Jafar,
>>>>>
>>>>>                     I am able to establish a tunnel when I try to connect from a LAN IP. But with the same configuration (firewall settings) and the same OS version it fails to establish a tunnel with a *nated public IP*.
>>>>>
>>>>>                     What does "failed to establish CHILD_SA, keeping IKE_SA" mean? Please let me know if you have any idea regarding this issue.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>
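Noel's hint points at the nat table, which the `iptables -L` output in the thread does not cover (it lists only the filter table). As an added example, not part of the thread, the POSIX shell check below scans an `iptables-save` dump for a MASQUERADE/SNAT rule in *nat POSTROUTING that is not preceded by an exception for IPsec-policy traffic; the function names and the two sample dumps are constructed for the illustration.

```shell
#!/bin/sh
# Added example, not from the thread: scan an iptables-save dump for source
# NAT that would rewrite IPsec-protected traffic. In the nat table a
# MASQUERADE/SNAT rule in POSTROUTING runs before the outbound IPsec policy
# is matched, so unless an earlier rule accepts "-m policy --dir out --pol
# ipsec" traffic, the rewritten source no longer fits the child SA selector.
# Usage on a live host: iptables-save | check_ipsec_nat_rules
check_ipsec_nat_rules() {
    awk '
        /^\*/          { table = substr($0, 2); next }   # "*nat", "*filter", ...
        table != "nat" { next }
        /^-A POSTROUTING/ {
            if ($0 ~ /-m policy/ && $0 ~ /--dir out/ && $0 ~ /--pol ipsec/ && $0 ~ /-j ACCEPT/) {
                excepted = 1                           # IPsec traffic bypasses the NAT below
            } else if ($0 ~ /-j (MASQUERADE|SNAT)/ && !excepted) {
                print "IPsec traffic hits source NAT before the policy exception: " $0
                bad = 1
            }
        }
        END {
            if (!bad) print "nat/POSTROUTING: no source NAT applied to IPsec traffic"
            exit bad
        }'
}

# Convenience wrapper used by the demonstration below: 0 = OK, 1 = problem found.
ipsec_nat_ok() { printf '%s\n' "$1" | check_ipsec_nat_rules >/dev/null; }

# Constructed sample dumps (not the poster's real rules).
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp --dport 500 -j ACCEPT
COMMIT'

SAMPLE_GOOD='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

printf '%s\n' "$SAMPLE_BAD"  | check_ipsec_nat_rules || true
printf '%s\n' "$SAMPLE_GOOD" | check_ipsec_nat_rules
```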