Re: [strongSwan] ssh and http through IPSec

2018-03-09 Thread Sujoy

Hi Noel,

I do appreciate your view, but I am not able to pass traffic over the tunnel 
after following the Forwarding and Split Tunneling links. Tried by 
enabling the kernel-libipsec plugin also. Struggling with this issue for more 
than a month now.


https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling


Below are the iptables and strongswan configuration details. Thanks for 
the help.


root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
  inet addr:172.25.1.23  Bcast:172.25.255.255 Mask:255.255.0.0
  inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
  TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1000
  RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo    Link encap:Local Loopback
  inet addr:127.0.0.1  Mask:255.0.0.0
  inet6 addr: ::1/128 Scope:Host
  UP LOOPBACK RUNNING  MTU:65536  Metric:1
  RX packets:225 errors:0 dropped:0 overruns:0 frame:0
  TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:1
  RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)

root@mlxvpn:~#
root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, 
x86_64):

  uptime: 3 hours, since Mar 09 13:29:26 2018
  malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce 
x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke vici updown xauth-generic 
counters

Listening IP addresses:
  172.25.1.23
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: uses pre-shared key authentication
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 109 minutes ago, 
172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
  tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, 
pre-shared key reauthentication in 61 minutes
  tunnel[3]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 
c4116d05_i c29b66f5_o
  tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, 
rekeying in 20 minutes

  tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#
root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar  9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar  9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags 
SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags 
SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

COMMIT
# Completed on Fri Mar  9 17:17:25 2018
root@mlxvpn:~#
root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks

On Thursday 08 March 2018 04:07 PM, Noel Kuntze wrote:

Hi,

Don't answer existing threads if you want to talk about new things. Send a 
completely new mail to the list, otherwise you get shit like this with 
different topics under a single thread and that makes it unnecessarily 
difficult and ugly to handle in mail clients.
Take a look at the article about help requests[1]. I'm sure you can figure it 
out by yourself (hint: It's likely your rules in *nat).

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 07.03.2018 12:50, Sujoy wrote:

Hi Jafar,

I am not getting any output from "*ip route list table 220*", though the tunnel is 
established. And it is not allowing any type of traffic. Any idea what the issue could be?


[root@VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
3.10.0-693.11.6.el7.x86_64, x86_64):
   uptime: 8 minutes, since Mar 07 17:00:51 2018
   malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 3
   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
openssl fips-pr
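Noel's hint above points at the *nat table, and the ForwardingAndSplitTunneling page Sujoy links to spells out the two constraints that matter: the `-m policy --pol ipsec --dir out -j ACCEPT` exemption has to sit in front of any MASQUERADE/SNAT rule, and forwarded tunnel traffic needs an ACCEPT path through the FORWARD chain. The script below is an added example (not strongSwan code and not from this thread) that audits an `iptables-save` dump for exactly those points. GOOD_DUMP is modelled on the rules quoted in the mail above; BAD_DUMP is a constructed counterpart with a MASQUERADE rule ahead of the exemption and a DROP policy on FORWARD.

```python
"""Audit an iptables-save dump for the pitfalls the strongSwan
ForwardingAndSplitTunneling wiki page warns about.  Added example for this
thread, not strongSwan code: GOOD_DUMP mirrors the rules quoted in the mail
above, BAD_DUMP is a constructed, deliberately broken counterpart."""
import re

GOOD_DUMP = """\
*nat
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
"""

BAD_DUMP = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o enp3s0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

IPSEC_ACCEPT = re.compile(r"-m policy --dir (in|out) --pol ipsec\b.*-j ACCEPT$")
NAT_TARGET = re.compile(r"-j (MASQUERADE|SNAT)\b")
MSS_CLAMP = re.compile(r"--pol ipsec\b.*-j TCPMSS\b")


def parse_iptables_save(text):
    """Return {table: {chain: {"policy": str, "rules": [rule, ...]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                # "*nat": start of a table block
            table = line[1:]
            tables.setdefault(table, {})
        elif line == "COMMIT":
            table = None
        elif table is None:
            raise ValueError("rule outside a table block: %r" % line)
        elif line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            name, policy = line[1:].split()[:2]
            tables[table][name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):            # "-A CHAIN <matches> -j TARGET"
            chain = line.split()[1]
            tables[table].setdefault(chain, {"policy": "-", "rules": []})
            tables[table][chain]["rules"].append(line)
    return tables


def check_nat_exemption(tables):
    """SNAT/MASQUERADE in nat POSTROUTING must come after the ipsec exemption: NAT
    rewrites the source before the outbound IPsec policy lookup, so the packet no
    longer matches the negotiated traffic selectors and leaves in the clear."""
    rules = tables.get("nat", {}).get("POSTROUTING", {}).get("rules", [])
    nat = next((i for i, r in enumerate(rules) if NAT_TARGET.search(r)), None)
    exempt = next((i for i, r in enumerate(rules) if IPSEC_ACCEPT.search(r)), None)
    if nat is None:
        return True, "no SNAT/MASQUERADE in nat POSTROUTING"
    if exempt is None:
        return False, "SNAT/MASQUERADE present without an ipsec policy exemption"
    if exempt < nat:
        return True, "ipsec exemption (rule %d) precedes NAT (rule %d)" % (exempt, nat)
    return False, "NAT (rule %d) precedes ipsec exemption (rule %d)" % (nat, exempt)


def check_forward(tables):
    """Forwarded tunnel traffic needs an ACCEPT path in filter/FORWARD."""
    chain = tables.get("filter", {}).get("FORWARD")
    if chain is None:
        return True, "no filter table in dump, nothing is filtered"
    if any(IPSEC_ACCEPT.search(r) for r in chain["rules"]):
        return True, "explicit ipsec accept rules in FORWARD"
    if chain["policy"] == "ACCEPT" and not any(re.search(r"-j (DROP|REJECT)\b", r) for r in chain["rules"]):
        return True, "FORWARD accepts everything"
    return False, "FORWARD policy %s without an ipsec accept rule" % chain["policy"]


def check_mss_clamp(tables):
    """Informational: the wiki's TCPMSS clamp avoids ESP-in-UDP fragmentation."""
    rules = tables.get("mangle", {}).get("FORWARD", {}).get("rules", [])
    return any(MSS_CLAMP.search(r) for r in rules), "TCPMSS clamp on ipsec-policy traffic"


def audit(dump_text):
    """Run every check; returns {name: (ok, reason)}."""
    tables = parse_iptables_save(dump_text)
    return {"nat_exemption": check_nat_exemption(tables),
            "forward": check_forward(tables),
            "mss_clamp": check_mss_clamp(tables)}


if __name__ == "__main__":
    import sys
    text = GOOD_DUMP if sys.stdin.isatty() else sys.stdin.read()  # iptables-save | python3 audit.py
    for name, (ok, why) in audit(text).items():
        print("%-14s %-4s %s" % (name, "OK" if ok else "FAIL", why))
```

On a live box feed it the real ruleset with `iptables-save | python3 audit.py` (hypothetical file name). The checks are heuristics over rule text: a MASQUERADE limited to one interface or source range may never touch tunnel traffic, and an exemption placed in a user-defined chain is not seen, so a FAIL is a prompt to read the rules in order, not a verdict.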

Re: [strongSwan] ssh and http through IPSec

2018-03-08 Thread Noel Kuntze
Hi,

Don't answer existing threads if you want to talk about new things. Send a 
completely new mail to the list, otherwise you get shit like this with 
different topics under a single thread and that makes it unnecessarily 
difficult and ugly to handle in mail clients.
Take a look at the article about help requests[1]. I'm sure you can figure it 
out by yourself (hint: It's likely your rules in *nat).

Kind regards

Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 07.03.2018 12:50, Sujoy wrote:
>
> Hi Jafar,
>
> I am not getting any output from "*ip route list table 220*", though the tunnel is 
> established. And it is not allowing any type of traffic. Any idea what the issue 
> could be?
>
>
> [root@VPNTEST ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 
> 3.10.0-693.11.6.el7.x86_64, x86_64):
>   uptime: 8 minutes, since Mar 07 17:00:51 2018
>   malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
> scheduled: 3
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
> openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve 
> socket-default stroke updown xauth-generic
> Listening IP addresses:
>   172.25.1.23
> Connections:
>   tunnel:  %any...%any  IKEv2, dpddelay=30s
>   tunnel:   local:  uses pre-shared key authentication
>   tunnel:   remote: uses pre-shared key authentication
>   tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>   tunnel[2]: ESTABLISHED 27 seconds ago, 
> 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
>   tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a8648d0d206c_r*, rekeying 
> disabled
>   tunnel[2]: IKE proposal: 
> AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>   tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i 
> cd4c518b_o
>   tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying 
> disabled
>   tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
> [root@VPNTEST ~]#
> [root@VPNTEST ~]#
> [root@VPNTEST ~]# ip route list table 220
> [root@VPNTEST ~]#
>
>
> [root@VPNTEST ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target prot opt source   destination
> ACCEPT udp  --  anywhere anywhere udp dpt:isakmp
> ACCEPT udp  --  anywhere anywhere udp 
> dpt:ipsec-nat-t
> ACCEPT esp  --  anywhere anywhere   
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source   destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source   destination
> [root@VPNTEST ~]#
>
>
>
> Thanks
>
> On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
>> Hi Jafar,
>>
>>   Thanks for the information. The ping is stopped as soon as the tunnel is 
>> established to the right IP of the client. I cannot ping/ssh/http(wget/curl) 
>> to the IPsec VPN server. It is the same IP address where the tunnel 
>> terminates.
>>
>>
>> Server configuration
>>
>> config setup
>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>     strictcrlpolicy=no
>>     uniqueids=no
>> conn %default
>> conn tunnel #
>>    left=%any
>>    leftsubnet=0.0.0.0/0
>>    right=%any
>>    rightsubnet=0.0.0.0/0
>>    ike=aes256-sha1-modp2048
>>    esp=aes256-sha1
>>    keyingtries=1
>>    keylife=20
>>    dpddelay=30s
>>    dpdtimeout=150s
>>    dpdaction=restart
>>    authby=psk
>>    auto=start
>>    keyexchange=ikev2
>>    type=tunnel
>>    mobike=no
>>
>> Client output
>>
>> root@Device_BD2009:~# ipsec statusall
>> no files found matching '/etc/strongswan.d/*.conf'
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>   uptime: 25 seconds, since Mar 06 13:00:41 2018
>>   malloc: sbrk 196608, mmap 0, used 163488, free 33120
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
>> scheduled: 17
>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
>> revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem 
>> openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve 
>> socket-default stroke updown eap-identity eap-md5 xauth-generic
>> Listening IP addresses:
>>   192.168.20.100
>>   192.168.10.1
>>   fd70:5f2:3744::1
>> Connections:
>>   tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>   tunnel:   local:  uses pre-shared key authentication
>>   tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>   tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
>> Security Associations (1 up, 0 connecting):
>>   tunnel[1]: ESTABLISHED 23 seconds ago, 
>> 192.168.20.100[192.168.20.100]...X.X.X

Re: [strongSwan] ssh and http through IPSec

2018-03-07 Thread Sujoy

Hi Jafar,

I am not getting any output from "*ip route list table 220*", though the 
tunnel is established. And it is not allowing any type of traffic. Any 
idea what the issue could be?



[root@VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 
3.10.0-693.11.6.el7.x86_64, x86_64):

  uptime: 8 minutes, since Mar 07 17:00:51 2018
  malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve 
socket-default stroke updown xauth-generic

Listening IP addresses:
  172.25.1.23
Connections:
  tunnel:  %any...%any  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: uses pre-shared key authentication
  tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[2]: ESTABLISHED 27 seconds ago, 
172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
  tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a8648d0d206c_r*, 
rekeying disabled
  tunnel[2]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: 
c06d3ac1_i cd4c518b_o
  tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, 
rekeying disabled

  tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
[root@VPNTEST ~]#
[root@VPNTEST ~]#
[root@VPNTEST ~]# ip route list table 220
[root@VPNTEST ~]#


[root@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination
ACCEPT udp  --  anywhere anywhere udp dpt:isakmp
ACCEPT udp  --  anywhere anywhere udp 
dpt:ipsec-nat-t

ACCEPT esp  --  anywhere anywhere

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination
[root@VPNTEST ~]#



Thanks

On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:

Hi Jafar,

  Thanks for the information. The ping is stopped as soon as the 
tunnel is established to the right IP of the client. I cannot 
ping/ssh/http(wget/curl) to the IPsec VPN server. It is the same IP 
address where the tunnel terminates.



Server configuration

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, 
knl 3"

    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   leftsubnet=0.0.0.0/0
   right=%any
   rightsubnet=0.0.0.0/0
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel
   mobike=no

Client output

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 25 seconds, since Mar 06 13:00:41 2018
  malloc: sbrk 196608, mmap 0, used 163488, free 33120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey 
sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr 
kernel-netlink resolve socket-default stroke updown eap-identity 
eap-md5 xauth-generic

Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
  tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 23 seconds ago, 
192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
  tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, 
pre-shared key reauthentication in 2 hours
  tunnel[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 
c25c0775_i c559455b_o
  tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 
pkt, 0s ago), rekeying active

  tunnel{21}:   192.168.20.100/32 === X.X.X.X/32


Thanks

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:

Hi Sujoy,

  Can you ping the server's IP address that you want to ssh to?
  Is that the same IP address where the tunnel terminates: the 
"right" address on the client side?


--Jafar


On 3/5/2018 12:31 AM, Sujoy wrote:

Hi Christopher,


 Thanks for the response. I want to access the CentOS IPSec server 
which i
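The status output quoted in this mail shows the CHILD_SA in INSTALLED state with `0 bytes_i, 0 bytes_o`, and the 2018-03-09 output at the top of the thread shows the same idle counters together with a local traffic selector (`10.0.0.1/32`) that is not among the host's listening addresses (`172.25.1.23`). The script below is an added example, not strongSwan tooling and not from this thread: it parses `ipsec statusall` text and reports an idle or one-directional CHILD_SA and a local selector that covers none of the host's own addresses. Both status texts in it are constructed in the format of the mails (SERVER_STATUS after the 2018-03-09 output, CLIENT_STATUS after the OpenWRT client's output), with the peer's public address replaced by the documentation address 198.51.100.7.

```python
"""Parse 'ipsec statusall' output and flag two conditions seen in this thread:
a CHILD_SA that is INSTALLED but has moved no bytes, and a local traffic
selector covering none of the host's own addresses (packets the host itself
sends then never match the outbound IPsec policy).  Added example, not
strongSwan code; both status texts below are constructed in the mails' format."""
import ipaddress
import re

SERVER_STATUS = """\
Listening IP addresses:
  172.25.1.23
Security Associations (1 up, 0 connecting):
  tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...198.51.100.7[192.168.1.40]
  tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
  tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
"""

CLIENT_STATUS = """\
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...198.51.100.7  IKEv2, dpddelay=30s
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...198.51.100.7[198.51.100.7]
  tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
  tunnel{21}:   192.168.20.100/32 === 198.51.100.7/32
"""

IKE_RE = re.compile(r"^\s+(\S+)\[(\d+)\]: ESTABLISHED .*?, (\S+?)\[([^\]]*)\]\.\.\.(\S+?)\[([^\]]*)\]")
CHILD_BYTES_RE = re.compile(r"^\s+(\S+)\{(\d+)\}:\s+\S+, (\d+) bytes_i(?: \([^)]*\))?, (\d+) bytes_o")
CHILD_TS_RE = re.compile(r"^\s+(\S+)\{(\d+)\}:\s+(.+?) === (.+?)\s*$")


def _nets(field):
    """Traffic-selector list -> ip_network objects; tokens ipaddress cannot read are skipped."""
    nets = []
    for tok in field.split():
        try:
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            pass  # e.g. an address range; not needed for these checks
    return nets


def parse_statusall(text):
    """Return {"listen": [ip, ...], "ike": {(conn, id): {...}}, "child": {(conn, id): {...}}}."""
    out, section = {"listen": [], "ike": {}, "child": {}}, None
    for line in text.splitlines():
        if line.startswith("Listening IP addresses:"):
            section = "listen"
        elif line.startswith("Connections:"):
            section = "conn"
        elif line.startswith("Security Associations"):
            section = "sa"
        elif section == "listen" and line.strip():
            out["listen"].append(ipaddress.ip_address(line.strip()))
        elif section == "sa":
            m = IKE_RE.match(line)
            if m:
                out["ike"][(m.group(1), int(m.group(2)))] = {"local": m.group(3), "local_id": m.group(4),
                                                             "remote": m.group(5), "remote_id": m.group(6)}
                continue
            m = CHILD_BYTES_RE.match(line) or CHILD_TS_RE.match(line)
            if m:
                child = out["child"].setdefault((m.group(1), int(m.group(2))), {})
                if m.re is CHILD_BYTES_RE:
                    child["bytes"] = (int(m.group(3)), int(m.group(4)))
                else:
                    child["local_ts"], child["remote_ts"] = _nets(m.group(3)), _nets(m.group(4))
    return out


def diagnose(text):
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    st, findings = parse_statusall(text), []
    if not st["ike"]:
        findings.append("no IKE_SA in ESTABLISHED state")
    for (conn, uid), child in sorted(st["child"].items()):
        tag = "%s{%d}" % (conn, uid)
        bytes_in, bytes_out = child.get("bytes", (0, 0))
        if bytes_in == 0 and bytes_out == 0:
            findings.append("%s: CHILD_SA idle, 0 bytes in both directions" % tag)
        elif bytes_in == 0:
            findings.append("%s: outbound only, %d bytes sent and nothing received; "
                            "check the peer's policy, routing and firewall" % (tag, bytes_out))
        local_ts = child.get("local_ts", [])
        if local_ts and not any(a in n for n in local_ts for a in st["listen"]):
            findings.append("%s: local TS %s covers none of the host's addresses %s" % (
                tag, [str(n) for n in local_ts], [str(a) for a in st["listen"]]))
    return findings


if __name__ == "__main__":
    import sys
    inputs = [("stdin", sys.stdin.read())] if not sys.stdin.isatty() else [("server", SERVER_STATUS), ("client", CLIENT_STATUS)]
    for label, text in inputs:
        print("%s: %s" % (label, "; ".join(diagnose(text)) or "no findings"))
```

Run it against a live daemon with `ipsec statusall | python3 diag.py` (hypothetical file name). The regexes match the line shapes quoted in the thread, with the mail-wrapped lines re-joined; the selector check compares the local TS against the addresses charon reports under "Listening IP addresses", so a host that forwards for a subnet behind it (rather than originating traffic itself) will legitimately trigger it.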

Re: [strongSwan] ssh and http through IPSec

2018-03-05 Thread Sujoy

Hi Jafar,

  Thanks for the information. The ping is stopped as soon as the tunnel 
is established to the right IP of the client. I cannot 
ping/ssh/http(wget/curl) to the IPsec VPN server. It is the same IP 
address where the tunnel terminates.



Server configuration

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, 
knl 3"

    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   leftsubnet=0.0.0.0/0
   right=%any
   rightsubnet=0.0.0.0/0
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel
   mobike=no

Client output

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 25 seconds, since Mar 06 13:00:41 2018
  malloc: sbrk 196608, mmap 0, used 163488, free 33120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, 
scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 
revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey 
pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve 
socket-default stroke updown eap-identity eap-md5 xauth-generic

Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
  tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 23 seconds ago, 
192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
  tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, 
pre-shared key reauthentication in 2 hours
  tunnel[1]: IKE proposal: 
AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 
c25c0775_i c559455b_o
  tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 
pkt, 0s ago), rekeying active

  tunnel{21}:   192.168.20.100/32 === X.X.X.X/32


Thanks

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:

Hi Sujoy,

  Can you ping the server's IP address that you want to ssh to?
  Is that the same IP address where the tunnel terminates: the "right" 
address on the client side?


--Jafar


On 3/5/2018 12:31 AM, Sujoy wrote:

Hi Christopher,


 Thanks for the response. I want to access the CentOS IPsec server, 
which has tunneling enabled, from another system through SSH.
In the meantime the other OpenWRT client should also be able to curl/wget 
through the tunnel. Both SSH and HTTP fail while the tunnel is established.



Tried the following but it doesn't work.
https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan


Thanks
Sujoy


On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:

Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment?

Or is your goal to access the CentOS server through ipsec?

Cheers,

Christopher

On Mar 5, 2018 07:05, Sujoy  wrote:

Hi Jafar,

 I have successfully established a connection with tunneling between an
OpenWRT client and CentOS as the StrongSwan server. Now I am facing
one issue: how to enable ssh and http through the IPSec tunnel in
StrongSwan.



Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to
know what is the problem with no logs.

--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:

Thanks Jafar, for giving this information. Please let me
know if anything else is required. The client OS is
Openwrt, so no logs are available.


*Server Config*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3,
dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   right=%any
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"



   [host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
 

Re: [strongSwan] ssh and http through IPSec

2018-03-05 Thread Jafar Al-Gharaibeh

Hi Sujoy,

  Can you ping the server's IP address that you want to ssh to?
  Is that the same IP address where the tunnel terminates: the "right" 
address on the client side?


--Jafar


On 3/5/2018 12:31 AM, Sujoy wrote:

Hi Christopher,


 Thanks for the response. I want to access the CentOS IPsec server, 
which has tunneling enabled, from another system through SSH.
In the meantime the other OpenWRT client should also be able to curl/wget 
through the tunnel. Both SSH and HTTP fail while the tunnel is established.



Tried the following but it doesn't work.
https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan


Thanks
Sujoy


On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:

Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment?

Or is your goal to access the CentOS server through ipsec?

Cheers,

Christopher

On Mar 5, 2018 07:05, Sujoy  wrote:

Hi Jafar,

 I have successfully established a connection with tunneling between an
OpenWRT client and CentOS as the StrongSwan server. Now I am facing
one issue: how to enable ssh and http through the IPSec tunnel in
StrongSwan.



Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to
know what is the problem with no logs.

--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:

Thanks Jafar, for giving this information. Please let me
know if anything else is required. The client OS is
Openwrt, so no logs are available.


*Server Config*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3,
dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   right=%any
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"



   [host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status: disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



*Client config and status*

    config setup

    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3,
dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   #right=192.168.10.40
   right=182.156.253.59
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"


root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux
3.10.49, mips):
  uptime: 22 minutes, since Feb 21 14:31:43 2018
  malloc: sbrk 196608, mmap 0, used 157560, free 39048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job
queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7
pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp
xcbc cmac hmac curl attr kernel-netlink resolve
socket-default stroke updown eap-identity eap-md5
xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-s

Re: [strongSwan] ssh and http through IPSec

2018-03-04 Thread Sujoy

Hi Christopher,


 Thanks for the response. I want to access the CentOS IPsec server, 
which has tunneling enabled, from another system through SSH.
In the meantime the other OpenWRT client should also be able to curl/wget 
through the tunnel. Both SSH and HTTP fail while the tunnel is established.



Tried the following but it doesn't work.
https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan


Thanks
Sujoy


On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:

Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment?

Or is your goal to access the CentOS server through ipsec?

Cheers,

Christopher

On Mar 5, 2018 07:05, Sujoy  wrote:

Hi Jafar,

 I have successfully established a connection with tunneling between an
OpenWRT client and CentOS as the StrongSwan server. Now I am facing
one issue: how to enable ssh and http through the IPSec tunnel in
StrongSwan.



Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to
know what is the problem with no logs.

--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:

Thanks Jafar, for giving this information. Please let me
know if anything else is required. The client OS is
Openwrt, so no logs are available.


*Server Config*

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3,
dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   right=%any
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"



   [host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status: disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination



*Client config and status*

    config setup

    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3,
dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   #right=192.168.10.40
   right=182.156.253.59
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"


root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux
3.10.49, mips):
  uptime: 22 minutes, since Feb 21 14:31:43 2018
  malloc: sbrk 196608, mmap 0, used 157560, free 39048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job
queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random
nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8
pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc
cmac hmac curl attr kernel-netlink resolve socket-default
stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-shared key
authentication
  tunnel:   child:  dynamic === dynamic TUNNEL,
dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 22 minutes ag

Re: [strongSwan] ssh and http through IPSec

2018-03-04 Thread Christopher Bachner
Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment?

Or is your goal to access the CentOS server through ipsec?

Cheers,

Christopher

On Mar 5, 2018 07:05, Sujoy wrote:
Hi Jafar,

 I have successfully established a connection with tunneling between an
OpenWRT client and CentOS as the StrongSwan server. Now I am facing one
issue: how to enable ssh and http through the IPSec tunnel in
StrongSwan.



Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to know
what is the problem with no logs.

--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:

Thanks Jafar, for giving this information. Please let me know
if anything else is required. The client OS is Openwrt, so no
logs are available.


Server Config

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   right=%any
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"


[host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status: disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source   destination

Chain FORWARD (policy ACCEPT)
target prot opt source   destination

Chain OUTPUT (policy ACCEPT)
target prot opt source   destination


Client config and status

config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no
conn %default
conn tunnel #
   left=%any
   #right=192.168.10.40
   right=182.156.253.59
   ike=aes256-sha1-modp2048
   esp=aes256-sha1
   keyingtries=1
   keylife=20
   dpddelay=30s
   dpdtimeout=150s
   dpdaction=restart
   authby=psk
   auto=start
   keyexchange=ikev2
   type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXX"

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 22 minutes, since Feb 21 14:31:43 2018
  malloc: sbrk 196608, mmap 0, used 157560, free 39048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
  tunnel:   local:  uses pre-shared key authentication
  tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
  tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
  tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
  tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_20