[strongSwan] ssh and http through IPSec
Sujoy
sujoy.b at mindlogicx.com
Fri Mar 9 12:59:13 CET 2018
Hi Noel,
I do appreciate your view, but I am still not able to pass traffic over the tunnel after following the Forwarding and Split Tunneling links. Tried enabling the kernel-libipsec plugin also. Struggling with this issue for more than a month now.
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
Below are the iptables and strongswan configuration details. Thanks for
the help.
root at mlxvpn:~# ifconfig
enp3s0 Link encap:Ethernet HWaddr 00:25:ab:98:12:d5
inet addr:172.25.1.23 Bcast:172.25.255.255 Mask:255.255.0.0
inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:29640846 (29.6 MB) TX bytes:3714848 (3.7 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:225 errors:0 dropped:0 overruns:0 frame:0
TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1
RX bytes:16397 (16.3 KB) TX bytes:16397 (16.3 KB)
root at mlxvpn:~#
root at mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
uptime: 3 hours, since Mar 09 13:29:26 2018
malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
172.25.1.23
Connections:
tunnel: %any...%any IKEv2, dpddelay=30s
tunnel: local: uses pre-shared key authentication
tunnel: remote: uses pre-shared key authentication
tunnel: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
tunnel{5}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
tunnel{5}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
tunnel{5}: 10.0.0.1/32 === 192.168.1.40/32
root at mlxvpn:~#
root at mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
root at mlxvpn:~#
root at mlxvpn:~# ip route list table 220
root at mlxvpn:~#
Thanks
On Thursday 08 March 2018 04:07 PM, Noel Kuntze wrote:
> Hi,
>
> Don't answer existing threads if you want to talk about new things. Send a completely new mail to the list, otherwise you get shit like this with different topics under a single thread and that makes it unnecessarily difficult and ugly to handle in mail clients.
> Take a look at the article about help requests[1]. I'm sure you can figure it out by yourself (hint: It's likely your rules in *nat).
>
> Kind regards
>
> Noel
>
> [1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>
> On 07.03.2018 12:50, Sujoy wrote:
>> Hi Jafar,
>>
>> I am not getting any output from "*ip route list table 220*" while the tunnel is established. And it is not allowing any type of traffic; any idea what the issue could be?
>>
>>
>> [root at VPNTEST ~]# ipsec statusall
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
>> uptime: 8 minutes, since Mar 07 17:00:51 2018
>> malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
>> Listening IP addresses:
>> 172.25.1.23
>> Connections:
>> tunnel: %any...%any IKEv2, dpddelay=30s
>> tunnel: local: uses pre-shared key authentication
>> tunnel: remote: uses pre-shared key authentication
>> tunnel: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
>> Security Associations (1 up, 0 connecting):
>> tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
>> tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a86999948d0d206c_r*, rekeying disabled
>> tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>> tunnel{3}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
>> tunnel{3}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>> tunnel{3}: X.X.X.X/32 === 192.168.10.40/32
>> [root at VPNTEST ~]#
>> [root at VPNTEST ~]#
>> [root at VPNTEST ~]# ip route list table 220
>> [root at VPNTEST ~]#
>>
>>
>> [root at VPNTEST ~]# iptables -L
>> Chain INPUT (policy ACCEPT)
>> target prot opt source destination
>> ACCEPT udp -- anywhere anywhere udp dpt:isakmp
>> ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
>> ACCEPT esp -- anywhere anywhere
>>
>> Chain FORWARD (policy ACCEPT)
>> target prot opt source destination
>>
>> Chain OUTPUT (policy ACCEPT)
>> target prot opt source destination
>> [root at VPNTEST ~]#
>>
>>
>>
>> Thanks
>>
>> On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
>>> Hi Jafar,
>>>
>>> Thanks for the information. The ping stops as soon as the tunnel is established to the right IP of the client. I cannot ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP address where the tunnel terminates.
>>>
>>>
>>> Server configuration
>>>
>>> config setup
>>> charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>> strictcrlpolicy=no
>>> uniqueids=no
>>> conn %default
>>> conn tunnel #
>>> left=%any
>>> leftsubnet=0.0.0.0/0
>>> right=%any
>>> rightsubnet=0.0.0.0/0
>>> ike=aes256-sha1-modp2048
>>> esp=aes256-sha1
>>> keyingtries=1
>>> keylife=20
>>> dpddelay=30s
>>> dpdtimeout=150s
>>> dpdaction=restart
>>> authby=psk
>>> auto=start
>>> keyexchange=ikev2
>>> type=tunnel
>>> mobike=no
>>>
>>> Client output
>>>
>>> root at Device_BD2009:~# ipsec statusall
>>> no files found matching '/etc/strongswan.d/*.conf'
>>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>> uptime: 25 seconds, since Mar 06 13:00:41 2018
>>> malloc: sbrk 196608, mmap 0, used 163488, free 33120
>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
>>> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>> Listening IP addresses:
>>> 192.168.20.100
>>> 192.168.10.1
>>> fd70:5f2:3744::1
>>> Connections:
>>> tunnel: %any...X.X.X.X IKEv2, dpddelay=30s
>>> tunnel: local: uses pre-shared key authentication
>>> tunnel: remote: [X.X.X.X] uses pre-shared key authentication
>>> tunnel: child: dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
>>> Security Associations (1 up, 0 connecting):
>>> tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>> tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
>>> tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>> tunnel{21}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
>>> tunnel{21}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
>>> tunnel{21}: 192.168.20.100/32 === X.X.X.X/32
>>>
>>>
>>> Thanks
>>>
>>> On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
>>>> Hi Sujoy,
>>>>
>>>> Can you ping the server's IP address that you want to ssh to?
>>>> Is that the same IP address where the tunnel terminates: the "right" address on the client side?
>>>>
>>>> --Jafar
>>>>
>>>>
>>>> On 3/5/2018 12:31 AM, Sujoy wrote:
>>>>> Hi Christopher,
>>>>>
>>>>>
>>>>> Thanks for the response. I want to access the CentOS IPsec server, which has tunneling enabled, from another system through SSH.
>>>>> In the meantime the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and HTTP fail while the tunnel is established.
>>>>>
>>>>>
>>>>> Tried with the following but it doesn't work.
>>>>> https://wiki.strongswan.org/issues/2351
>>>>> https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
>>>>>
>>>>>
>>>>> Thanks
>>>>> Sujoy
>>>>>
>>>>>
>>>>> On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
>>>>>> Hi Sujoy,
>>>>>>
>>>>>> Do you route all traffic through the ipsec tunnel at the moment?
>>>>>>
>>>>>> Or is your goal to access the CentOS server through ipsec?
>>>>>>
>>>>>> Cheers,
>>>>>>
>>>>>> Christopher
>>>>>>
>>>>>> On Mar 5, 2018 07:05, Sujoy <sujoy.b at mindlogicx.com> wrote:
>>>>>>
>>>>>> Hi Jafar,
>>>>>>
>>>>>> I have successfully established a tunneled connection between an OpenWRT client and CentOS as the strongSwan server. Now I am facing one issue: how to enable ssh and http through the IPsec tunnel in strongSwan.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks
>>>>>> Sujoy
>>>>>>
>>>>>> On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>>>>>
>>>>>> Sujoy,
>>>>>>
>>>>>> You have to send me the logs from both ends. It is hard to know what the problem is with no logs.
>>>>>>
>>>>>> --Jafar
>>>>>>
>>>>>> On 2/21/2018 8:58 AM, Sujoy wrote:
>>>>>>
>>>>>> Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is Openwrt, so no logs are available.
>>>>>>
>>>>>>
>>>>>> *Server Config*
>>>>>>
>>>>>> config setup
>>>>>> charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>> strictcrlpolicy=no
>>>>>> uniqueids=no
>>>>>> conn %default
>>>>>> conn tunnel #
>>>>>> left=%any
>>>>>> right=%any
>>>>>> ike=aes256-sha1-modp2048
>>>>>> esp=aes256-sha1
>>>>>> keyingtries=1
>>>>>> keylife=20
>>>>>> dpddelay=30s
>>>>>> dpdtimeout=150s
>>>>>> dpdaction=restart
>>>>>> authby=psk
>>>>>> auto=start
>>>>>> keyexchange=ikev2
>>>>>> type=tunnel
>>>>>>
>>>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>>> : PSK "XXXXXXX"
>>>>>>
>>>>>>
>>>>>>
>>>>>> [host at VPNTEST ~]# firewall-cmd --list-all
>>>>>> FirewallD is not running
>>>>>> [host at VPNTEST ~]# sestatus
>>>>>> SELinux status: disabled
>>>>>> [host at VPNTEST ~]# iptables -L
>>>>>> Chain INPUT (policy ACCEPT)
>>>>>> target prot opt source destination
>>>>>>
>>>>>> Chain FORWARD (policy ACCEPT)
>>>>>> target prot opt source destination
>>>>>>
>>>>>> Chain OUTPUT (policy ACCEPT)
>>>>>> target prot opt source destination
>>>>>>
>>>>>>
>>>>>>
>>>>>> *Client config and status*
>>>>>>
>>>>>> config setup
>>>>>>
>>>>>> charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>> strictcrlpolicy=no
>>>>>> uniqueids=no
>>>>>> conn %default
>>>>>> conn tunnel #
>>>>>> left=%any
>>>>>> #right=192.168.10.40
>>>>>> right=182.156.253.59
>>>>>> ike=aes256-sha1-modp2048
>>>>>> esp=aes256-sha1
>>>>>> keyingtries=1
>>>>>> keylife=20
>>>>>> dpddelay=30s
>>>>>> dpdtimeout=150s
>>>>>> dpdaction=restart
>>>>>> authby=psk
>>>>>> auto=start
>>>>>> keyexchange=ikev2
>>>>>> type=tunnel
>>>>>>
>>>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>>> : PSK "XXXXXXX"
>>>>>>
>>>>>>
>>>>>> root at Device_BD2009:~# ipsec statusall
>>>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>>>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>>>>> uptime: 22 minutes, since Feb 21 14:31:43 2018
>>>>>> malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>>>>> worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>>>>> loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>>>>> Listening IP addresses:
>>>>>> 192.168.20.100
>>>>>> 192.168.10.1
>>>>>> fd70:5f2:3744::1
>>>>>> Connections:
>>>>>> tunnel: %any...X.X.X.X IKEv2, dpddelay=30s
>>>>>> tunnel: local: uses pre-shared key authentication
>>>>>> tunnel: remote: [X.X.X.X] uses pre-shared key authentication
>>>>>> tunnel: child: dynamic === dynamic TUNNEL, dpdaction=restart
>>>>>> Security Associations (1 up, 0 connecting):
>>>>>> tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>>>>> tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>>>>>> tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:
>>>>>>
>>>>>> Sujoy,
>>>>>>
>>>>>> It is really hard to help you if you don't give us full information, only sending us one picture at a time. Please use text files, they are easier to navigate than screenshots. Your last question below is a repeat of a question that I answered before. If you want a proper diagnosis of the problem please send the configuration files, logs, and routing table at both ends. See 8 at:
>>>>>>
>>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>>>>
>>>>>> Make sure to increase the debug level in your ipsec.conf files at both ends, something like:
>>>>>>
>>>>>> config setup
>>>>>> charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Jafar
>>>>>>
>>>>>>
>>>>>> On 2/20/2018 8:00 AM, Sujoy wrote:
>>>>>>
>>>>>> Hi Jafar,
>>>>>>
>>>>>> I am able to establish a tunnel when I try to connect from a LAN IP. But with the same configuration (firewall settings) and the same OS version it fails to establish a tunnel with a *NATed public IP*.
>>>>>>
>>>>>> What does the message "failed to establish CHILD_SA, keeping IKE_SA" mean? Please let me know if you have any idea regarding this issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
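A small triage script for the `ipsec statusall` output pasted through this thread, added here as an example and not part of the original mails or of strongSwan itself. The two status texts are constructed from the outputs quoted above (the "healthy" one is invented for contrast), and the function names `parse_listening_ips`, `parse_child_sas`, `ts_covers`, `diagnose` and `report` are mine. It flags a CHILD_SA that is INSTALLED yet shows 0 bytes in both directions (no packet ever matched the kernel policy, so the problem is in the traffic selectors or routing rather than in IKE) and checks whether the local traffic selector actually covers one of the addresses charon is listening on, which is the mismatch visible in the server output above (selector 10.0.0.1/32, listening address 172.25.1.23).

```python
"""Triage helper for `ipsec statusall` output (added example, not strongSwan code):
flags INSTALLED CHILD_SAs that carried no bytes and checks whether the local
traffic selector covers an address charon listens on."""
import ipaddress
import re
import sys

# Constructed sample modelled on the server output quoted in this thread.
SAMPLE_STATUS = """\
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
Listening IP addresses:
  172.25.1.23
Security Associations (1 up, 0 connecting):
       tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
       tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
       tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
       tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
"""
# Constructed counter-example: a CHILD_SA carrying traffic whose selector covers the listening address.
HEALTHY_STATUS = """\
Listening IP addresses:
  172.25.1.23
Security Associations (1 up, 0 connecting):
       tunnel{6}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 0a0b0c0d_i 01020304_o
       tunnel{6}:  AES_CBC_256/HMAC_SHA1_96, 4120 bytes_i (31 pkts, 2s ago), 3988 bytes_o (29 pkts, 2s ago), rekeying in 20 minutes
       tunnel{6}:   0.0.0.0/0 === 192.168.1.40/32
"""

CHILD_RE = re.compile(r"^\s*(?P<name>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*?)\s*$")  # name{id}: ...
BYTES_RE = re.compile(r"(?P<bi>\d+) bytes_i.*?(?P<bo>\d+) bytes_o")
TS_RE = re.compile(r"^(?P<local>.+?) === (?P<remote>.+)$")


def parse_listening_ips(text):
    """Addresses under 'Listening IP addresses:' up to the first non-address line."""
    ips, collecting = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Listening IP addresses:":
            collecting = True
        elif collecting:
            try:
                ips.append(ipaddress.ip_address(stripped))
            except ValueError:  # next section header reached
                break
    return ips


def parse_child_sas(text):
    # One dict per name{id} CHILD_SA: state, byte counters, traffic selectors.
    sas = {}
    for line in text.splitlines():
        m = CHILD_RE.match(line)
        if not m:
            continue
        key = f"{m['name']}{{{m['id']}}}"
        sa = sas.setdefault(key, {"sa": key, "state": None, "bytes_in": None,
                                  "bytes_out": None, "local_ts": [], "remote_ts": []})
        rest = m["rest"]
        bm, tm = BYTES_RE.search(rest), TS_RE.match(rest)
        if bm:
            sa["bytes_in"], sa["bytes_out"] = int(bm["bi"]), int(bm["bo"])
        elif tm:
            sa["local_ts"], sa["remote_ts"] = tm["local"].split(), tm["remote"].split()
        else:
            sa["state"] = rest.split(",")[0]  # INSTALLED, ROUTED, ...
    return sas


def ts_covers(selectors, addr):
    """True if a CIDR selector contains addr; tokens such as 'dynamic' are skipped."""
    for ts in selectors:
        try:
            net = ipaddress.ip_network(ts, strict=False)
        except ValueError:
            continue
        if net.version == addr.version and addr in net:
            return True
    return False


def diagnose(text):
    # INSTALLED CHILD_SAs annotated with 'idle' and 'covers_listening_ip' flags.
    listening = parse_listening_ips(text)
    findings = []
    for sa in parse_child_sas(text).values():
        if sa["state"] != "INSTALLED":
            continue
        sa["idle"] = sa["bytes_in"] == 0 and sa["bytes_out"] == 0
        sa["covers_listening_ip"] = any(ts_covers(sa["local_ts"], ip) for ip in listening)
        findings.append(sa)
    return findings


def report(text):
    # One human-readable line per INSTALLED CHILD_SA.
    lines = []
    for f in diagnose(text):
        problems = []
        if f["idle"]:
            problems.append("0 bytes both ways: no packet matched the kernel policy")
        if not f["covers_listening_ip"]:
            problems.append("local selector covers no listening address")
        lines.append("%s %s === %s: %s" % (f["sa"], " ".join(f["local_ts"]),
                                          " ".join(f["remote_ts"]), "; ".join(problems) or "ok"))
    return lines


if __name__ == "__main__":
    print("\n".join(report(sys.stdin.read() if "-" in sys.argv[1:] else SAMPLE_STATUS)))
```

Run it without arguments to see the report for the constructed sample, or feed live output with `ipsec statusall | python3 triage.py -`. The counters are the first thing to read: a CHILD_SA that stays at 0 bytes in both directions while the peers exchange IKE normally is not a crypto or authentication problem, so the next places to look are the installed traffic selectors, `ip route list table 220`, and the `*nat` rules Noel pointed at.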