Hi Christopher,
Thanks for the response. I want to access the CentOS IPsec server, which has tunneling enabled, from another system through SSH. In the meantime, the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and HTTP fail while the tunnel is established.

Tried the following, but it doesn't work:
https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan

Thanks
Sujoy

On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment? Or is your goal to access the CentOS server through ipsec?

Cheers,
Christopher

On Mar 5, 2018 07:05, Sujoy <[email protected]> wrote:

Hi Jafar,

I have successfully established a tunneled connection between the OpenWRT client and CentOS as the strongSwan server. Now I am facing one issue. How do I enable SSH and HTTP through the IPsec tunnel in strongSwan?

Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to know what the problem is with no logs.

--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:

Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is OpenWRT, so no logs are available.

*Server Config*

    config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no

    conn %default

    conn tunnel
        # left=%any
        right=%any
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel

    # /etc/ipsec.secrets - strongSwan IPsec secrets file
    : PSK "XXXXXXX"

    [host@VPNTEST ~]# firewall-cmd --list-all
    FirewallD is not running
    [host@VPNTEST ~]# sestatus
    SELinux status:                 disabled
    [host@VPNTEST ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

*Client config and status*

    config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no

    conn %default

    conn tunnel
        # left=%any
        #right=192.168.10.40
        right=182.156.253.59
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel

    # /etc/ipsec.secrets - strongSwan IPsec secrets file
    : PSK "XXXXXXX"
    root@Device_BD2009:~# ipsec statusall
    no files found matching '/etc/strongswan.d/*.conf'
    Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
      uptime: 22 minutes, since Feb 21 14:31:43 2018
      malloc: sbrk 196608, mmap 0, used 157560, free 39048
      worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
      loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
    Listening IP addresses:
      192.168.20.100
      192.168.10.1
      fd70:5f2:3744::1
    Connections:
          tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
          tunnel:   local:  uses pre-shared key authentication
          tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
          tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
    Security Associations (1 up, 0 connecting):
          tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
          tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
          tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

It is really hard to help you if you don't give us full information, only sending us one picture at a time. Please use text files; they are easier to navigate than screenshots. Your last question below is a repeat of a question that I answered before. If you want a proper diagnosis of the problem, please send the configuration files, logs, and routing table at both ends.
See 8 at: https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Make sure to increase the debug level in your ipsec.conf files at both ends, something like:

    config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"

Regards,
Jafar

On 2/20/2018 8:00 AM, Sujoy wrote:

Hi Jafar,

I am able to establish the tunnel when I try to connect from a LAN IP. But with the same configuration (firewall settings) and the same OS version, it fails to establish the tunnel with a *NATed public IP*. What does "failed to establish CHILD_SA, keeping IKE_SA" mean? Please let me know if you have any idea regarding this issue.
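Added example, not from the thread and not strongSwan's own tooling: a small parser for `ipsec statusall` that reports whether an installed CHILD_SA actually covers the two hosts, since an ESTABLISHED IKE_SA on its own (as in the status pasted above, which shows `tunnel[1]` lines but no `tunnel{1}` lines) carries no SSH or HTTP traffic. The status line format is assumed from the strongSwan 5.x output quoted in the thread; the sample text and the 203.0.113.10 address are constructed.

```python
import ipaddress
import re

# `ipsec statusall` prints the IKE_SA as "name[n]: ESTABLISHED ..." and each
# installed CHILD_SA as "name{n}:   local_ts === remote_ts" (format assumed).
IKE_RE = re.compile(r"^\s*(\S+)\[\d+\]:\s+ESTABLISHED\b")
TS_RE = re.compile(r"^\s*(\S+)\{\d+\}:\s+(\S+)\s+===\s+(\S+)\s*$")


def parse_statusall(text):
    """Return {"ike": [conns with an ESTABLISHED IKE_SA],
               "child": [(conn, local_ts, remote_ts), ...]}."""
    result = {"ike": [], "child": []}
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            result["ike"].append(m.group(1))
        m = TS_RE.match(line)
        if m:
            result["child"].append((m.group(1), m.group(2), m.group(3)))
    return result


def _in_ts(ip, ts):
    # Selectors are comma separated, may be a host or a CIDR prefix, and may
    # carry a "[proto/port]" suffix, which is ignored here.
    return any(ipaddress.ip_address(ip) in
               ipaddress.ip_network(sel.strip().split("[")[0], strict=False)
               for sel in ts.split(","))


def tunnel_covers(text, local_ip, remote_ip):
    """True only if an installed CHILD_SA's selectors contain both addresses,
    i.e. SSH/HTTP between them would actually travel inside ESP."""
    parsed = parse_statusall(text)
    return bool(parsed["ike"]) and any(
        _in_ts(local_ip, lts) and _in_ts(remote_ip, rts)
        for _, lts, rts in parsed["child"])


# Constructed excerpt modelled on the output quoted in the thread: the IKE_SA
# is up but no "tunnel{1}:" lines follow, so no CHILD_SA protects any traffic.
SAMPLE_NO_CHILD = """\
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...203.0.113.10[203.0.113.10]
      tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
"""
# Same session after a host-to-host CHILD_SA is installed (constructed).
SAMPLE_WITH_CHILD = SAMPLE_NO_CHILD + """\
      tunnel{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c0ffee01_i deadbeef_o
      tunnel{1}:   192.168.20.100/32 === 203.0.113.10/32
"""
```

Run it against the real `ipsec statusall` output from each end; a host outside every listed selector pair is being sent in the clear (or not routed), not through the tunnel.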
