Hi Jafar,

I am not getting any output from "*ip route list table 220*" while the tunnel is established. And it is not allowing any type of traffic. Any idea what the issue could be?


[root@VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
  uptime: 8 minutes, since Mar 07 17:00:51 2018
  malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
      tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a86999948d0d206c_r*, rekeying disabled
      tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
      tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
      tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
[root@VPNTEST ~]#
[root@VPNTEST ~]#
[root@VPNTEST ~]# ip route list table 220
[root@VPNTEST ~]#


[root@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@VPNTEST ~]#



Thanks
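The `ipsec statusall` output above shows an INSTALLED CHILD_SA with `0 bytes_i, 0 bytes_o` and a `/32 === /32` selector pair, while ipsec.conf asks for `0.0.0.0/0` on both sides. The script below is an added example, not code from this thread or from strongSwan: it parses the child-SA lines of a `statusall` dump (a constructed copy of the one above, with the masked X.X.X.X replaced by the documentation address 203.0.113.10) and reports when the installed selectors differ from the configured leftsubnet/rightsubnet or when no traffic has crossed the SA.

```python
import re
from ipaddress import ip_network

# Constructed sample modelled on the server-side `ipsec statusall` dump above;
# 203.0.113.10 stands in for the masked X.X.X.X public address.
SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
      tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[203.0.113.10]...106.216.163.71[192.168.10.40]
      tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
      tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
      tunnel{3}:   203.0.113.10/32 === 192.168.10.40/32
"""

# Counter line:  "<conn>{<id>}:  <algs>, N bytes_i, M bytes_o, ..."
BYTES_RE = re.compile(r"\{(\d+)\}:\s+\S+, (\d+) bytes_i, (\d+) bytes_o")
# Selector line: "<conn>{<id>}:   <local_ts> === <remote_ts>"
TS_RE = re.compile(r"\{(\d+)\}:\s+(\S+) === (\S+)\s*$")


def parse_child_sas(text):
    """Return {child_sa_id: {local_ts, remote_ts, bytes_in, bytes_out}}."""
    sas = {}
    for line in text.splitlines():
        m = BYTES_RE.search(line)
        if m:
            sa = sas.setdefault(int(m.group(1)), {})
            sa["bytes_in"], sa["bytes_out"] = int(m.group(2)), int(m.group(3))
            continue
        m = TS_RE.search(line)
        if m:
            sa = sas.setdefault(int(m.group(1)), {})
            sa["local_ts"], sa["remote_ts"] = m.group(2), m.group(3)
    return sas


def check_child_sa(sa, left_subnet, right_subnet):
    """Compare an installed CHILD_SA with the configured leftsubnet/rightsubnet
    and its byte counters; return a list of findings (empty means nothing odd)."""
    findings = []
    installed = (ip_network(sa["local_ts"]), ip_network(sa["remote_ts"]))
    configured = (ip_network(left_subnet), ip_network(right_subnet))
    if installed != configured:
        findings.append(f"traffic selectors narrowed: configured {configured[0]} === "
                        f"{configured[1]}, installed {installed[0]} === {installed[1]}")
    if sa["bytes_in"] == 0 and sa["bytes_out"] == 0:
        findings.append("no ESP traffic in either direction since the SA came up")
    elif sa["bytes_out"] == 0:
        findings.append("packets received through the SA but none sent back")
    return findings
```

Running `check_child_sa(sa, "0.0.0.0/0", "0.0.0.0/0")` over each SA from `parse_child_sas(SAMPLE_STATUSALL)` yields both findings for the sample: the selectors were narrowed to a host-to-host pair and nothing has passed through the SA.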

On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
Hi Jafar,

  Thanks for the information. The ping stops as soon as the tunnel is established to the right IP of the client. I cannot ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP address where the tunnel terminates.


Server configuration

config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no
conn %default
conn tunnel #
       left=%any
       leftsubnet=0.0.0.0/0
       right=%any
       rightsubnet=0.0.0.0/0
       ike=aes256-sha1-modp2048
       esp=aes256-sha1
       keyingtries=1
       keylife=20
       dpddelay=30s
       dpdtimeout=150s
       dpdaction=restart
       authby=psk
       auto=start
       keyexchange=ikev2
       type=tunnel
       mobike=no

Client output

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 25 seconds, since Mar 06 13:00:41 2018
  malloc: sbrk 196608, mmap 0, used 163488, free 33120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
      tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
      tunnel{21}:   192.168.20.100/32 === X.X.X.X/32


Thanks

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
Hi Sujoy,

  Can you ping the server's IP address that you want to ssh to?
  Is that the same IP address where the tunnel terminates: the "right" address on the client side ?

--Jafar


On 3/5/2018 12:31 AM, Sujoy wrote:
Hi Christopher,


 Thanks for the response. I want to access the CentOS IPsec server, which has tunneling enabled, from another system through SSH. In the meantime, the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and HTTP fail while the tunnel is established.


Tried the following but it doesn't work.
https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan


Thanks
Sujoy


On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment?

Or is your goal to access the CentOS server through ipsec?

Cheers,

Christopher

On Mar 5, 2018 07:05, Sujoy <sujo...@mindlogicx.com> wrote:

    Hi Jafar,

     I have successfully established a connection with tunneling
    between an OpenWRT client and CentOS as the StrongSwan server. Now I
    am facing one issue: how to enable ssh and http through the IPsec
    tunnel in StrongSwan.



    Thanks
    Sujoy

    On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

        Sujoy,

        You have to send me the logs from both ends. It is hard to
        know what is the problem with no logs.

        --Jafar

        On 2/21/2018 8:58 AM, Sujoy wrote:

            Thanks Jafar, for giving this information. Please let
            me know if anything else is required. The client OS is
            Openwrt, so no logs are available.


            *Server Config*

            config setup
                    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
                    strictcrlpolicy=no
                    uniqueids=no
            conn %default
            conn tunnel #
                   left=%any
                   right=%any
                   ike=aes256-sha1-modp2048
                   esp=aes256-sha1
                   keyingtries=1
                   keylife=20
                   dpddelay=30s
                   dpdtimeout=150s
                   dpdaction=restart
                   authby=psk
                   auto=start
                   keyexchange=ikev2
                   type=tunnel

            # /etc/ipsec.secrets - strongSwan IPsec secrets file
            : PSK "XXXXXXX"



               [host@VPNTEST ~]# firewall-cmd --list-all
            FirewallD is not running
            [host@VPNTEST ~]# sestatus
            SELinux status:                 disabled
            [host@VPNTEST ~]# iptables -L
            Chain INPUT (policy ACCEPT)
            target     prot opt source destination

            Chain FORWARD (policy ACCEPT)
            target     prot opt source destination

            Chain OUTPUT (policy ACCEPT)
            target     prot opt source destination



            *Client config and status*

            config setup
                    charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
                    strictcrlpolicy=no
                    uniqueids=no
            conn %default
            conn tunnel #
                   left=%any
                   #right=192.168.10.40
                   right=182.156.253.59
                   ike=aes256-sha1-modp2048
                   esp=aes256-sha1
                   keyingtries=1
                   keylife=20
                   dpddelay=30s
                   dpdtimeout=150s
                   dpdaction=restart
                   authby=psk
                   auto=start
                   keyexchange=ikev2
                   type=tunnel

            # /etc/ipsec.secrets - strongSwan IPsec secrets file
            : PSK "XXXXXXX"


            root@Device_BD2009:~# ipsec statusall
            no files found matching '/etc/strongswan.d/*.conf'
            Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
              uptime: 22 minutes, since Feb 21 14:31:43 2018
              malloc: sbrk 196608, mmap 0, used 157560, free 39048
              worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
              loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
            Listening IP addresses:
              192.168.20.100
              192.168.10.1
              fd70:5f2:3744::1
            Connections:
                  tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
                  tunnel:   local:  uses pre-shared key authentication
                  tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
                  tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
            Security Associations (1 up, 0 connecting):
                  tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
                  tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
                  tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048



            On Tuesday 20 February 2018 09:20 PM, Jafar
            Al-Gharaibeh wrote:

                Sujoy,

                   It is really hard to help you if you don't give us
                full information, only sending us one picture at a
                time. Please use text files, they are easier to
                navigate than screenshots. Your last question
                below is a repeat of a question that I answered
                before.  If you want a proper diagnosis of the problem
                please send the configuration files, logs and routing
                tables at both ends. See 8 at:

https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

                Make sure to increase the debug level in your
                ipsec.conf files at both ends, something like:

                config setup
                       charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"


                Regards,
                Jafar


                On 2/20/2018 8:00 AM, Sujoy wrote:

                    Hi Jafar,

                    I am able to establish the tunnel when I try to
                    connect from a LAN IP. But with the same
                    configuration (firewall settings) and the same OS
                    version, it fails to establish the tunnel with a
                    *NATed public IP*.

                    What does "failed to establish CHILD_SA, keeping
                    IKE_SA" mean? Please let me know if you have any
                    idea regarding this issue.
