Hi,

Don't answer existing threads if you want to talk about new things. Send a completely new mail to the list, otherwise you get shit like this with different topics under a single thread and that makes it unnecessarily difficult and ugly to handle in mail clients. Take a look at the article about help requests[1]. I'm sure you can figure it out by yourself (hint: It's likely your rules in *nat).

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 07.03.2018 12:50, Sujoy wrote:
>
> Hi Jafar,
>
> I am not getting any output during "*ip route list table 220*"; the tunnel is
> established. And it is not allowing any type of traffic. Any idea what
> the issue could be?
>
>
> [root@VPNTEST ~]# ipsec statusall
> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
>   uptime: 8 minutes, since Mar 07 17:00:51 2018
>   malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
> Listening IP addresses:
>   172.25.1.23
> Connections:
>       tunnel:  %any...%any  IKEv2, dpddelay=30s
>       tunnel:   local:  uses pre-shared key authentication
>       tunnel:   remote: uses pre-shared key authentication
>       tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
> Security Associations (1 up, 0 connecting):
>       tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
>       tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a86999948d0d206c_r*, rekeying disabled
>       tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>       tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
>       tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
>       tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
> [root@VPNTEST ~]#
> [root@VPNTEST ~]#
> [root@VPNTEST ~]# ip route list table 220
> [root@VPNTEST ~]#
>
>
> [root@VPNTEST ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
> ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
> ACCEPT     esp  --  anywhere             anywhere
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> [root@VPNTEST ~]#
>
>
>
> Thanks
>
> On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:
>> Hi Jafar,
>>
>> Thanks for the information. The ping stops as soon as the tunnel is
>> established to the right IP of the client. I cannot ping/ssh/http (wget/curl)
>> to the IPsec VPN server. It is the same IP address where the tunnel
>> terminates.
>>
>>
>> Server configuration
>>
>> config setup
>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>     strictcrlpolicy=no
>>     uniqueids=no
>> conn %default
>> conn tunnel #
>>     left=%any
>>     leftsubnet=0.0.0.0/0
>>     right=%any
>>     rightsubnet=0.0.0.0/0
>>     ike=aes256-sha1-modp2048
>>     esp=aes256-sha1
>>     keyingtries=1
>>     keylife=20
>>     dpddelay=30s
>>     dpdtimeout=150s
>>     dpdaction=restart
>>     authby=psk
>>     auto=start
>>     keyexchange=ikev2
>>     type=tunnel
>>     mobike=no
>>
>> Client output
>>
>> root@Device_BD2009:~# ipsec statusall
>> no files found matching '/etc/strongswan.d/*.conf'
>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>   uptime: 25 seconds, since Mar 06 13:00:41 2018
>>   malloc: sbrk 196608, mmap 0, used 163488, free 33120
>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>> Listening IP addresses:
>>   192.168.20.100
>>   192.168.10.1
>>   fd70:5f2:3744::1
>> Connections:
>>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>       tunnel:   local:  uses pre-shared key authentication
>>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>       tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
>> Security Associations (1 up, 0 connecting):
>>       tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>       tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
>>       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>       tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
>>       tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
>>       tunnel{21}:   192.168.20.100/32 === X.X.X.X/32
>>
>>
>> Thanks
>>
>> On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:
>>> Hi Sujoy,
>>>
>>> Can you ping the server's IP address that you want to ssh to?
>>> Is that the same IP address where the tunnel terminates: the "right"
>>> address on the client side?
>>>
>>> --Jafar
>>>
>>>
>>> On 3/5/2018 12:31 AM, Sujoy wrote:
>>>> Hi Christopher,
>>>>
>>>>
>>>> Thanks for the response. I want to access the CentOS IPSec server, which
>>>> has tunneling enabled, from another system through SSH.
>>>> In the meantime the other OpenWRT client should also be able to curl/wget through
>>>> the tunnel. Both SSH and http fail while the tunnel is established.
>>>>
>>>>
>>>> Tried the following but it doesn't work.
>>>> https://wiki.strongswan.org/issues/2351
>>>> https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan
>>>>
>>>>
>>>> Thanks
>>>> Sujoy
>>>>
>>>>
>>>> On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:
>>>>> Hi Sujoy,
>>>>>
>>>>> Do you route all traffic through the ipsec tunnel at the moment?
>>>>>
>>>>> Or is your goal to access the CentOS server through ipsec?
>>>>>
>>>>> Cheers,
>>>>>
>>>>> Christopher
>>>>>
>>>>> On Mar 5, 2018 07:05, Sujoy <[email protected]> wrote:
>>>>>
>>>>> Hi Jafar,
>>>>>
>>>>> I have successfully established a connection with tunneling between
>>>>> the OpenWRT client and CentOS as StrongSwan server. Now I am facing one
>>>>> issue. How to enable ssh and http through the IPSec tunnel in StrongSwan?
>>>>>
>>>>>
>>>>>
>>>>> Thanks
>>>>> Sujoy
>>>>>
>>>>> On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:
>>>>>
>>>>> Sujoy,
>>>>>
>>>>> You have to send me the logs from both ends. It is hard to know
>>>>> what the problem is with no logs.
>>>>>
>>>>> --Jafar
>>>>>
>>>>> On 2/21/2018 8:58 AM, Sujoy wrote:
>>>>>
>>>>> Thanks Jafar, for giving this information. Please let me know
>>>>> if anything else is required. The client OS is Openwrt, so no logs are
>>>>> available.
>>>>>
>>>>>
>>>>> *Server Config*
>>>>>
>>>>> config setup
>>>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>     strictcrlpolicy=no
>>>>>     uniqueids=no
>>>>> conn %default
>>>>> conn tunnel #
>>>>>     left=%any
>>>>>     right=%any
>>>>>     ike=aes256-sha1-modp2048
>>>>>     esp=aes256-sha1
>>>>>     keyingtries=1
>>>>>     keylife=20
>>>>>     dpddelay=30s
>>>>>     dpdtimeout=150s
>>>>>     dpdaction=restart
>>>>>     authby=psk
>>>>>     auto=start
>>>>>     keyexchange=ikev2
>>>>>     type=tunnel
>>>>>
>>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>> : PSK "XXXXXXX"
>>>>>
>>>>>
>>>>>
>>>>> [host@VPNTEST ~]# firewall-cmd --list-all
>>>>> FirewallD is not running
>>>>> [host@VPNTEST ~]# sestatus
>>>>> SELinux status:                 disabled
>>>>> [host@VPNTEST ~]# iptables -L
>>>>> Chain INPUT (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>>
>>>>> Chain FORWARD (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>>
>>>>> Chain OUTPUT (policy ACCEPT)
>>>>> target     prot opt source               destination
>>>>>
>>>>>
>>>>>
>>>>> *Client config and status*
>>>>>
>>>>> config setup
>>>>>
>>>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>     strictcrlpolicy=no
>>>>>     uniqueids=no
>>>>> conn %default
>>>>> conn tunnel #
>>>>>     left=%any
>>>>>     #right=192.168.10.40
>>>>>     right=182.156.253.59
>>>>>     ike=aes256-sha1-modp2048
>>>>>     esp=aes256-sha1
>>>>>     keyingtries=1
>>>>>     keylife=20
>>>>>     dpddelay=30s
>>>>>     dpdtimeout=150s
>>>>>     dpdaction=restart
>>>>>     authby=psk
>>>>>     auto=start
>>>>>     keyexchange=ikev2
>>>>>     type=tunnel
>>>>>
>>>>> # /etc/ipsec.secrets - strongSwan IPsec secrets file
>>>>> : PSK "XXXXXXX"
>>>>>
>>>>>
>>>>> root@Device_BD2009:~# ipsec statusall
>>>>> no files found matching '/etc/strongswan.d/*.conf'
>>>>> Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
>>>>>   uptime: 22 minutes, since Feb 21 14:31:43 2018
>>>>>   malloc: sbrk 196608, mmap 0, used 157560, free 39048
>>>>>   worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
>>>>>   loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
>>>>> Listening IP addresses:
>>>>>   192.168.20.100
>>>>>   192.168.10.1
>>>>>   fd70:5f2:3744::1
>>>>> Connections:
>>>>>       tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
>>>>>       tunnel:   local:  uses pre-shared key authentication
>>>>>       tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
>>>>>       tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
>>>>> Security Associations (1 up, 0 connecting):
>>>>>       tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
>>>>>       tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
>>>>>       tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:
>>>>>
>>>>> Sujoy,
>>>>>
>>>>> It is really hard to help you if you don't give us full
>>>>> information, only sending us one picture at a time. Please use text files,
>>>>> they are easier to navigate than screen shots. Your last question below
>>>>> is a repeat of a question that I answered before. If you want a proper
>>>>> diagnosis of the problem please send the configuration files, logs, routing
>>>>> table at both ends. See 8 at:
>>>>>
>>>>>
>>>>> https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests
>>>>>
>>>>> Make sure to increase the debug level in your ipsec.conf
>>>>> files at both ends, something like:
>>>>>
>>>>> config setup
>>>>>     charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
>>>>>
>>>>>
>>>>> Regards,
>>>>> Jafar
>>>>>
>>>>>
>>>>> On 2/20/2018 8:00 AM, Sujoy wrote:
>>>>>
>>>>> Hi Jafar,
>>>>>
>>>>> I am able to establish a tunnel when I try to connect
>>>>> from a LAN IP. But with the same configuration (firewall setting) and same OS
>>>>> version it failed to establish a tunnel with a *nated public IP*.
>>>>>
>>>>> What does "failed to establish CHILD_SA, keeping IKE_SA" mean?
>>>>> Please let me know if you have any idea regarding this
>>>>> issue.
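Noel's hint points at the *nat table, which the `iptables -L` output quoted in the thread never shows (without `-t nat` it lists only the filter table; `iptables-save` or `iptables -t nat -S` would show it). The usual way a NAT rule breaks IPsec traffic is ordering: a MASQUERADE or SNAT rule in nat/POSTROUTING rewrites the source address before the packet is matched against the outbound IPsec policy, so the packet no longer fits the policy's traffic selector and leaves unprotected (or is dropped). The standard guard is an exemption rule using the iptables policy match, `-m policy --dir out --pol ipsec -j ACCEPT`, placed before the NAT rule, or a `--pol none` restriction on the NAT rule itself. The following is an added example, not code from the thread or from the strongSwan project: a small Python check that parses an `iptables-save` dump and reports whether nat/POSTROUTING has such an unguarded NAT rule. The sample dumps (`DUMP_BROKEN` and friends) are constructed for this example, and the check simplifies by treating any policy-match ACCEPT as exempting all interfaces.

```python
"""Check an iptables-save dump for SNAT/MASQUERADE rules that can rewrite
packets before the outbound IPsec policy sees them (added example; the
sample dumps below are constructed, not taken from the thread)."""
import re
from dataclasses import dataclass


@dataclass
class NatRule:
    chain: str
    args: str    # everything after "-A <chain>" on the iptables-save line
    target: str  # the "-j" target, or "" if the rule has none


def parse_nat_rules(dump: str) -> list:
    """Return the rules of the *nat table from an iptables-save dump, in chain order."""
    rules, table = [], None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):          # table header: *nat, *filter, ...
            table = line[1:]
            continue
        if line == "COMMIT":
            table = None
            continue
        if table != "nat":                # ignore filter/mangle/raw tables entirely
            continue
        m = re.match(r"-A\s+(\S+)\s*(.*)$", line)   # skips ":CHAIN POLICY [p:b]" lines
        if not m:
            continue
        jump = re.search(r"-j\s+(\S+)", m.group(2))
        rules.append(NatRule(m.group(1), m.group(2), jump.group(1) if jump else ""))
    return rules


def matches_ipsec_out(args: str) -> bool:
    """True if the rule matches only packets that will be IPsec-protected on output."""
    return bool(re.search(r"-m\s+policy\b", args)
                and re.search(r"--dir\s+out\b", args)
                and re.search(r"(?<![!]\s)--pol\s+ipsec\b", args))   # not the negated form


def excludes_ipsec_out(args: str) -> bool:
    """True if the rule itself skips IPsec-bound packets (--pol none or ! --pol ipsec)."""
    return bool(re.search(r"-m\s+policy\b", args)
                and re.search(r"--dir\s+out\b", args)
                and (re.search(r"--pol\s+none\b", args)
                     or re.search(r"!\s*--pol\s+ipsec\b", args)))


def check_postrouting(dump: str) -> dict:
    """Classify nat/POSTROUTING. status is one of:
      no-snat        no MASQUERADE/SNAT rule, so NAT is not diverting IPsec traffic
      exempted       IPsec-bound packets leave the chain (ACCEPT) before any NAT rule,
                     or every NAT rule excludes them itself
      snat-unguarded a NAT rule can rewrite packets before the IPsec policy applies;
                     'rule' holds the offending rule text
    In the nat table an ACCEPT ends traversal, so a later MASQUERADE is never reached."""
    post = [r for r in parse_nat_rules(dump) if r.chain == "POSTROUTING"]
    exempted = False
    for rule in post:
        if rule.target == "ACCEPT" and matches_ipsec_out(rule.args):
            exempted = True
            continue
        if rule.target in ("MASQUERADE", "SNAT"):
            if exempted or excludes_ipsec_out(rule.args):
                continue
            return {"status": "snat-unguarded", "rule": "-A POSTROUTING " + rule.args}
    has_snat = any(r.target in ("MASQUERADE", "SNAT") for r in post)
    return {"status": "exempted" if has_snat else "no-snat", "rule": None}


# Constructed sample dumps. DUMP_BROKEN has the exemption *after* MASQUERADE,
# where it is dead code; DUMP_FIXED orders it first; DUMP_POLNONE restricts the
# NAT rule itself; DUMP_NO_SNAT has an empty nat table.
DUMP_BROKEN = """# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p esp -j ACCEPT
COMMIT
"""
DUMP_FIXED = DUMP_BROKEN.replace(
    "-A POSTROUTING -o eth0 -j MASQUERADE\n-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT",
    "-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT\n-A POSTROUTING -o eth0 -j MASQUERADE")
DUMP_POLNONE = "*nat\n-A POSTROUTING -o eth0 -m policy --dir out --pol none -j MASQUERADE\nCOMMIT\n"
DUMP_NO_SNAT = "*nat\n:POSTROUTING ACCEPT [0:0]\nCOMMIT\n"

if __name__ == "__main__":
    for name, dump in [("broken", DUMP_BROKEN), ("fixed", DUMP_FIXED),
                       ("polnone", DUMP_POLNONE), ("no-snat", DUMP_NO_SNAT)]:
        print(name, check_postrouting(dump))
```

On a live host the same function can be fed `subprocess.run(["iptables-save"], capture_output=True, text=True).stdout`. The check is deliberately conservative: a `snat-unguarded` result means the ordering deserves a look, not that NAT is proven to be the cause, and an `exempted` result does not rule out other reasons for an empty routing table 220.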
