Re: [strongSwan] ssh and http through IPSec
Hi Noel,

I do appreciate your view. I am not able to pass traffic over the tunnel after following the Forwarding and Split Tunneling links. Tried by enabling the kernel-libipsec plugin also. Struggling with this issue for more than a month now.

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Below are the iptables and strongSwan configuration details. Thanks for the help.

root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
          inet addr:172.25.1.23  Bcast:172.25.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
          TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)

root@mlxvpn:~#
root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 3 hours, since Mar 09 13:29:26 2018
  malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
      tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
      tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
      tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#

root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
root@mlxvpn:~#

root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks

On Thursday 08 March 2018 04:07 PM, Noel Kuntze wrote:
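One check that can be run against the server status posted above, as an added example that is not code from the thread or from the strongSwan project: it parses the CHILD_SA lines of `ipsec statusall`, reports whether a given source/destination pair falls inside an installed traffic selector, and flags SAs that have carried no bytes. The sample status text is constructed from the server-side output quoted above, and the function names are the example's own.

```python
"""Added example (not from the thread or the strongSwan project): parse the
CHILD_SA section of `ipsec statusall` and check whether a given src -> dst
pair is covered by an installed traffic selector, and whether that SA has
carried any traffic at all."""
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the server-side status lines posted in the thread.
SAMPLE_STATUS = """\
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
      tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
      tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
      tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
"""

# Three line shapes strongSwan prints per CHILD_SA: the INSTALLED line, the
# cipher/byte-counter line and the "local === remote" traffic-selector line.
RE_INSTALLED = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+INSTALLED")
RE_BYTES = re.compile(r"\{(\d+)\}:.*?(\d+) bytes_i.*?(\d+) bytes_o")
RE_SELECTORS = re.compile(r"\{(\d+)\}:\s+(.+?)\s+===\s+(.+?)\s*$")


def parse_selectors(field):
    """Turn 'a/b c/d[tcp/22]' into ip_network objects, dropping proto/port suffixes."""
    return [ip_network(tok.split("[")[0], strict=False) for tok in field.split()]


def parse_child_sas(status_text):
    """Return {child_id: {name, local, remote, bytes_i, bytes_o}} for installed CHILD_SAs."""
    sas = {}
    for line in status_text.splitlines():
        m = RE_INSTALLED.match(line)
        if m:
            sas[int(m.group(2))] = {"name": m.group(1), "local": [], "remote": [],
                                    "bytes_i": 0, "bytes_o": 0}
            continue
        m = RE_BYTES.search(line)
        if m and int(m.group(1)) in sas:
            sa = sas[int(m.group(1))]
            sa["bytes_i"], sa["bytes_o"] = int(m.group(2)), int(m.group(3))
            continue
        m = RE_SELECTORS.search(line)
        if m and int(m.group(1)) in sas:
            sa = sas[int(m.group(1))]
            sa["local"], sa["remote"] = parse_selectors(m.group(2)), parse_selectors(m.group(3))
    return sas


def covering_sas(sas, src, dst):
    """IDs of installed CHILD_SAs whose selectors cover a packet from src to dst."""
    src, dst = ip_address(src), ip_address(dst)
    return sorted(cid for cid, sa in sas.items()
                  if any(src in n for n in sa["local"])
                  and any(dst in n for n in sa["remote"]))


def idle_sas(sas):
    """IDs of installed CHILD_SAs that have not carried a single byte either way."""
    return sorted(cid for cid, sa in sas.items()
                  if sa["bytes_i"] == 0 and sa["bytes_o"] == 0)


def diagnose(status_text, src, dst):
    """One-line verdict for src -> dst against the installed selectors."""
    sas = parse_child_sas(status_text)
    covered = covering_sas(sas, src, dst)
    if not covered:
        # Packets outside every installed selector never match an IPsec policy.
        return ("no installed CHILD_SA selector covers %s -> %s; "
                "such packets are not sent through the tunnel" % (src, dst))
    idle = [cid for cid in covered if cid in idle_sas(sas)]
    if idle:
        return "covered by CHILD_SA %s, but it has carried 0 bytes so far" % idle
    return "covered by CHILD_SA %s" % covered


if __name__ == "__main__":
    # The server's own address is outside the narrowed local selector 10.0.0.1/32.
    print(diagnose(SAMPLE_STATUS, "172.25.1.23", "192.168.1.40"))
    print(diagnose(SAMPLE_STATUS, "10.0.0.1", "192.168.1.40"))
```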
Re: [strongSwan] ssh and http through IPSec
Hi,

Don't answer existing threads if you want to talk about new things. Send a completely new mail to the list, otherwise you get shit like this with different topics under a single thread and that makes it unnecessarily difficult and ugly to handle in mail clients.

Take a look at the article about help requests[1]. I'm sure you can figure it out by yourself (hint: It's likely your rules in *nat).

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 07.03.2018 12:50, Sujoy wrote:
Re: [strongSwan] ssh and http through IPSec
Hi Jafar,

I am not getting any output during "ip route list table 220"; the tunnel is established. And it is not allowing any type of traffic. Any idea what the issue could be?

[root@VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
  uptime: 8 minutes, since Mar 07 17:00:51 2018
  malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
      tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a8648d0d206c_r*, rekeying disabled
      tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
      tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
      tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
[root@VPNTEST ~]#
[root@VPNTEST ~]#
[root@VPNTEST ~]# ip route list table 220
[root@VPNTEST ~]#

[root@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@VPNTEST ~]#

Thanks

On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
Re: [strongSwan] ssh and http through IPSec
Hi Jafar,

Thanks for the information. The ping is stopped as soon as the tunnel is established to the right IP of the client. I cannot ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP address where the tunnel terminates.

Server configuration

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no

conn %default

conn tunnel #
    left=%any
    leftsubnet=0.0.0.0/0
    right=%any
    rightsubnet=0.0.0.0/0
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=20
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    authby=psk
    auto=start
    keyexchange=ikev2
    type=tunnel
    mobike=no

Client output

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 25 seconds, since Mar 06 13:00:41 2018
  malloc: sbrk 196608, mmap 0, used 163488, free 33120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
      tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
      tunnel{21}:   192.168.20.100/32 === X.X.X.X/32

Thanks

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
Re: [strongSwan] ssh and http through IPSec
Hi Sujoy,

Can you ping the server's IP address that you want to ssh to? Is that the same IP address where the tunnel terminates: the "right" address on the client side?

--Jafar

On 3/5/2018 12:31 AM, Sujoy wrote:
Re: [strongSwan] ssh and http through IPSec
Hi Christopher,

Thanks for the response. I want to access the CentOS IPSec server, which has tunneling enabled, from another system through SSH. In the meantime, the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and http fail while the tunnel is established. Tried with the following but it doesn't work.

https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan

Thanks
Sujoy

On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
Re: [strongSwan] ssh and http through IPSec
Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment? Or is your goal to access the CentOS server through ipsec?

Cheers,
Christopher

On Mar 5, 2018 07:05, Sujoy wrote:
> Hi Jafar,
>
> I have successfully established a connection with tunneling between the OpenWRT client and CentOS as the StrongSwan server. Now I am facing one issue: how to enable ssh and http through the IPSec tunnel in StrongSwan?
>
> Thanks
> Sujoy
>
> On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>> Sujoy,
>>
>> You have to send me the logs from both ends. It is hard to know what the problem is with no logs.
>>
>> --Jafar
>>
>> On 2/21/2018 8:58 AM, Sujoy wrote:
>>> Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is Openwrt, so no logs are available.
>>>
>>> Server Config
>>>
>>> config setup
>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>     strictcrlpolicy=no
>>>     uniqueids=no
>>>
>>> conn %default
>>>
>>> conn tunnel #
>>>     left=%any
>>>     right=%any
>>>     ike=aes256-sha1-modp2048
>>>     esp=aes256-sha1
>>>     keyingtries=1
>>>     keylife=20
>>>     dpddelay=30s
>>>     dpdtimeout=150s
>>>     dpdaction=restart
>>>     authby=psk
>>>     auto=start
>>>     keyexchange=ikev2
>>>     type=tunnel
>>>
>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>> : PSK "XXX"
>>>
>>> [host@VPNTEST ~]# firewall-cmd --list-all
>>> FirewallD is not running
>>> [host@VPNTEST ~]# sestatus
>>> SELinux status:                 disabled
>>> [host@VPNTEST ~]# iptables -L
>>> Chain INPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain FORWARD (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Chain OUTPUT (policy ACCEPT)
>>> target     prot opt source               destination
>>>
>>> Client config and status
>>>
>>> config setup
>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>     strictcrlpolicy=no
>>>     uniqueids=no
>>>
>>> conn %default
>>>
>>> conn tunnel #
>>>     left=%any
>>>     #right=192.168.10.40
>>>     right=182.156.253.59
>>>     ike=aes256-sha1-modp2048
>>>     esp=aes256-sha1
>>>     keyingtries=1
>>>     keylife=20
>>>     dpddelay=30s
>>>     dpdtimeout=150s
>>>     dpdaction=restart
>>>     authby=psk
>>>     auto=start
>>>     keyexchange=ikev2
>>>     type=tunnel
>>>
>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>> : PSK "XXX"
>>>
>>> root@Device_BD2009:~# ipsec statusall
>>> no files found matching '/etc/strongswan.d/*.conf'
>>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>>   uptime: 22 minutes, since Feb 21 14:31:43 2018
>>>   malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>> Listening IP addresses:
>>>   192.168.20.100
>>>   192.168.10.1
>>>   fd70:5f2:3744::1
>>> Connections:
>>>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>>       tunnel:   local:  uses pre-shared key authentication
>>>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>>       tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
>>> Security Associations (1 up, 0 connecting):
>>>       tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>>       tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>>>       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_20