On 10/11/17 14:34, Dirk Hartmann wrote:
> Hi,
>
> --On Friday, November 10, 2017 02:21:09 PM +0000 lejeczek
> <[email protected]> wrote:
>
>> I've a working roadwarrior which links up to a server (not mine,
>> meaning - no control over it) and I wonder - can that IP my
>> roadwarrior gets other things use?
>>
>> From that other (server) end, the network behind the server sees
>> that IP my roadwarrior gets, can ping it but, how to make, eg.
>> apache etc, use and serve on that IP? If I do nmap from server's
>> net on my roadwarrior IP it says port is closed.
>>
>> Is it something I can do at my end? Which would be great if
>> possible.
>
> without a firewall either on your RW or on the Gateway side there is
> no reason you should not be able to reach any port on your RW.
>
> The question is, does your service bind itself to your RW-IP.
>
> What does netstat report for your apache?
>
> netstat -tulpn | grep apache
>
> Mostly you configure apache in /etc/apache2/ports.conf on which IPs
> it should listen or if it should listen on all IPs.
>
> Some services don't bind to interfaces added after the service
> started, so maybe you have to restart it after the VPN connection is
> up.
>
>
> Dirk

Apache listens on all ports, and I did restart it, same for sshd. Nmap from behind the gateway says ports are closed, but not filtered.

My RW is on a box which is my local gateway-to-internet. The interface/connection strongswan creates when it connects to the VPN gateway I put (with use of firewalld) into my external zone, so it gets masqueraded so other nodes on my local LAN can get to the VPN via my RW - but I do not see that this affects the firewall, etc.; ports that are opened in the external zone (NIC with public IP and RW), as nmap says, are not filtered. I nmap my public IP and it is "open"; I nmap my RW-IP and it is "closed".

It all runs off a fedora26, I have strongswan-libipsec-5.6.0-1.fc26.x86_64 installed - I understand with it I get ipsec0 interface autocreation which then I can manage with "regular" OS utils, eg. firewalld - I thought it was the laziest/quickest way out.

I did think that RW-NIC-IP would be just operational, manageable as any other iface in the OS, but it seems some sorcery is needed, or maybe something trivial?

many thanks, L.
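
The bind check Dirk asks for ("does your service bind itself to your RW-IP") can be done mechanically against `netstat -tln` output. The sketch below is an added example, not part of the original thread; the sample output, the address 192.0.2.10 (standing in for the roadwarrior's virtual IP) and the function names are constructed for illustration.

```python
import ipaddress

# Constructed `netstat -tln` output (not from the thread); 192.0.2.10 stands in
# for the virtual IP the roadwarrior receives on ipsec0.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:80           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
"""

def parse_listeners(netstat_output):
    """Return (proto, address or None for a wildcard bind, port) per TCP listener."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[5] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
            port = int(port)
        except ValueError:
            continue  # skip anything that is not a plain numeric address:port
        listeners.append((fields[0], None if addr.is_unspecified else addr, port))
    return listeners

def diagnose(netstat_output, rw_ip, port):
    """Classify whether a local socket would accept TCP to rw_ip:port."""
    target = ipaddress.ip_address(rw_ip)
    verdict = "no-listener"  # bound elsewhere (e.g. loopback only) or not at all
    for proto, addr, lport in parse_listeners(netstat_output):
        if lport != port:
            continue
        family = 6 if proto == "tcp6" else 4
        if addr == target or (addr is None and family == target.version):
            return "listening"
        if addr is None and family == 6 and target.version == 4:
            # A tcp6 wildcard serves IPv4 only when the socket is dual-stack
            # (IPV6_V6ONLY off), which netstat output alone does not show.
            verdict = "dual-stack-dependent"
    return verdict

if __name__ == "__main__":
    for p in (22, 80, 443, 631):
        print(p, diagnose(SAMPLE_NETSTAT, "192.0.2.10", p))
```

A "listening" verdict alongside a remote nmap result of "closed" means the TCP reset is being generated before the probe reaches that socket, since nmap reports "closed" when it receives a reset rather than silence.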
