Hi Jafar,
I have successfully established a tunnel between an OpenWRT client and a CentOS strongSwan server. Now I am facing one issue: how do I enable ssh and http through the IPsec tunnel in strongSwan?
Thanks
Sujoy
On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
Sujoy,
You have to send me the logs from both ends. It is hard to know what the problem is without logs.
--Jafar
On 2/21/2018 8:58 AM, Sujoy wrote:
Thanks, Jafar, for this information. Please let me know if anything else is required. The client OS is OpenWrt, so no logs are available.
Server Config
config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no

conn %default

conn tunnel
    left=%any
    right=%any
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=20
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    authby=psk
    auto=start
    keyexchange=ikev2
    type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXXXXXX"
[host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status: disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Client config and status
config setup
    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
    strictcrlpolicy=no
    uniqueids=no

conn %default

conn tunnel
    left=%any
    #right=192.168.10.40
    right=182.156.253.59
    ike=aes256-sha1-modp2048
    esp=aes256-sha1
    keyingtries=1
    keylife=20
    dpddelay=30s
    dpdtimeout=150s
    dpdaction=restart
    authby=psk
    auto=start
    keyexchange=ikev2
    type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXXXXXX"
root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
uptime: 22 minutes, since Feb 21 14:31:43 2018
malloc: sbrk 196608, mmap 0, used 157560, free 39048
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
192.168.20.100
192.168.10.1
fd70:5f2:3744::1
Connections:
tunnel: %any...X.X.X.X IKEv2, dpddelay=30s
tunnel: local: uses pre-shared key authentication
tunnel: remote: [X.X.X.X] uses pre-shared key authentication
tunnel: child: dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:
Sujoy,
It is really hard to help you if you don't give us full information and only send us one picture at a time. Please use text files; they are easier to navigate than screenshots. Your last question below is a repeat of a question that I answered before. If you want a proper diagnosis of the problem, please send the configuration files, logs and routing table at both ends. See item 8 at:
https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
Make sure to increase the debug level in your ipsec.conf files at both ends, something like:
config setup
charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
Regards,
Jafar
On 2/20/2018 8:00 AM, Sujoy wrote:
Hi Jafar,
I am able to establish the tunnel when I try to connect from a LAN IP. But with the same configuration (firewall settings) and the same OS version it fails to establish the tunnel with a NATed public IP.
What does "failed to establish CHILD_SA, keeping IKE_SA" mean? Please let me know if you have any idea regarding this issue.
Hi Sujoy,
Do you route all traffic through the ipsec tunnel at the moment?
Or is your goal to access the CentOS server through ipsec?
Cheers,
Christopher
On Mar 5, 2018 07:05, Sujoy <[email protected]> wrote:
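The `ipsec statusall` output posted above shows an ESTABLISHED IKE_SA but no `tunnel{1}` lines, i.e. no CHILD_SA, and its only configured child selector is `dynamic === dynamic` (no leftsubnet/rightsubnet). The following script is an added example, not code from any poster or from the strongSwan project: it parses `ipsec statusall` text and reports whether an ESP SA actually exists and which traffic selectors it covers, which is the first thing to check before asking why ssh or http do not pass. Both sample inputs are constructed; the second one (with a `tunnel{1}: INSTALLED` block and made-up SPIs and subnets) assumes the line layout strongSwan 5.x prints for an installed CHILD_SA.

```python
"""Diagnose `ipsec statusall` output: is there a CHILD_SA, and for which selectors?
Added example, not from the thread or the strongSwan project; samples are constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample modelled on the thread: IKE_SA ESTABLISHED, no tunnel{n} lines.
SAMPLE_NO_CHILD = """\
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
"""

# Constructed sample with leftsubnet/rightsubnet configured and a CHILD_SA installed
# (assumed strongSwan 5.x line layout; SPIs and subnets are made up).
SAMPLE_WITH_CHILD = """\
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   child:  192.168.10.0/24 === 10.0.0.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 5 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a8a5fe_i 0bd3f1a2_o
      tunnel{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 45 minutes
      tunnel{1}:   192.168.10.0/24 === 10.0.0.0/24
"""

# name[n]: <IKE_SA state>   /   name{n}: <CHILD_SA state>   /   name{n}: local === remote
IKE_SA_RE = re.compile(r"^\s*(?P<conn>\S+)\[(?P<id>\d+)\]:\s+"
                       r"(?P<state>ESTABLISHED|CONNECTING|REKEYING|DELETING|PASSIVE|CREATED)\b")
CHILD_CFG_RE = re.compile(r"^\s*(?P<conn>\S+):\s+child:\s+(?P<ts>.+?)\s+(TUNNEL|TRANSPORT|PASS|DROP)\b")
CHILD_SA_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+"
                         r"(?P<state>INSTALLED|INSTALLING|ROUTED|REKEYING|REKEYED|DELETING|CREATED)\b")
CHILD_TS_RE = re.compile(r"^\s*(?P<conn>\S+)\{(?P<id>\d+)\}:\s+(?P<ts>\S.*===.*\S)\s*$")


@dataclass
class Diagnosis:
    ike_established: bool = False
    child_installed: bool = False
    configured_ts: List[str] = field(default_factory=list)   # selectors from the conn definition
    selectors: List[Tuple[str, str]] = field(default_factory=list)  # (local, remote) of installed SAs
    findings: List[str] = field(default_factory=list)


def diagnose(status_text: str) -> Diagnosis:
    d = Diagnosis()
    for line in status_text.splitlines():
        m = IKE_SA_RE.match(line)
        if m and m.group("state") == "ESTABLISHED":
            d.ike_established = True
            continue
        m = CHILD_CFG_RE.match(line)
        if m:
            d.configured_ts.append(m.group("ts"))
            continue
        m = CHILD_SA_RE.match(line)
        if m and m.group("state") == "INSTALLED":
            d.child_installed = True
            continue
        m = CHILD_TS_RE.match(line)
        if m:
            local, remote = (s.strip() for s in m.group("ts").split("===", 1))
            d.selectors.append((local, remote))

    if not d.ike_established:
        d.findings.append("no IKE_SA in state ESTABLISHED: the peers have not finished authenticating")
    elif not d.child_installed:
        d.findings.append("IKE_SA is ESTABLISHED but no CHILD_SA is INSTALLED: there is no ESP SA, so no "
                          "traffic (ssh, http or anything else) is carried by the tunnel; look for "
                          "TS_UNACCEPTABLE / 'failed to establish CHILD_SA' in the charon log and compare "
                          "leftsubnet/rightsubnet on both peers")
    for ts in d.configured_ts:
        if ts.replace(" ", "") == "dynamic===dynamic":
            d.findings.append("conn sets no leftsubnet/rightsubnet (child: dynamic === dynamic): only "
                              "host-to-host traffic between the two endpoint addresses can match the "
                              "IPsec policy; hosts behind the OpenWrt router are never sent through it")
    return d


if __name__ == "__main__":
    for name, text in (("no child", SAMPLE_NO_CHILD), ("with child", SAMPLE_WITH_CHILD)):
        d = diagnose(text)
        print(f"[{name}] IKE up: {d.ike_established}, CHILD_SA installed: {d.child_installed}, "
              f"selectors: {d.selectors}")
        for f in d.findings:
            print("  -", f)
```

Run it against a saved `ipsec statusall` capture (`python3 diag.py` prints the two built-in samples; feed your own text to `diagnose()`). An ESTABLISHED IKE_SA on its own proves only that the peers authenticated; without an INSTALLED CHILD_SA whose selectors cover the client and server addresses, the kernel has no ESP policy to match ssh or http against, and those packets either go out in the clear or are dropped, depending on the routing and firewall rules.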