Hi Noel,

I do appreciate your view, but I cannot pass traffic over the tunnel after following the Forwarding and Split Tunneling links. Tried enabling the kernel-libipsec plugin also. Struggling with this issue for more than a month now.

https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling

Below are the iptables and strongSwan configuration details. Thanks for the help.
root@mlxvpn:~# ifconfig
enp3s0    Link encap:Ethernet  HWaddr 00:25:ab:98:12:d5
          inet addr:172.25.1.23  Bcast:172.25.255.255  Mask:255.255.0.0
          inet6 addr: fe80::c4eb:7e0f:2470:c1d2/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:281997 errors:0 dropped:1 overruns:0 frame:0
          TX packets:22052 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:29640846 (29.6 MB)  TX bytes:3714848 (3.7 MB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:225 errors:0 dropped:0 overruns:0 frame:0
          TX packets:225 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:16397 (16.3 KB)  TX bytes:16397 (16.3 KB)

root@mlxvpn:~#
root@mlxvpn:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.4.0-116-generic, x86_64):
  uptime: 3 hours, since Mar 09 13:29:26 2018
  malloc: sbrk 2703360, mmap 0, used 553856, free 2149504
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon aes des rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke vici updown xauth-generic counters
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
      tunnel[3]: ESTABLISHED 109 minutes ago, 172.25.1.23[10.0.0.1]...223.227.38.50[192.168.1.40]
      tunnel[3]: IKEv2 SPIs: 50985f5c83600bca_i 15196cba95370f18_r*, pre-shared key reauthentication in 61 minutes
      tunnel[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{5}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c4116d05_i c29b66f5_o
      tunnel{5}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 20 minutes
      tunnel{5}:   10.0.0.1/32 === 192.168.1.40/32
root@mlxvpn:~#
root@mlxvpn:~# iptables-save
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
# Generated by iptables-save v1.6.0 on Fri Mar 9 17:17:25 2018
*mangle
:PREROUTING ACCEPT [90325:7771073]
:INPUT ACCEPT [54531:5654040]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [10356:1527995]
:POSTROUTING ACCEPT [10360:1528611]
-A FORWARD -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
-A FORWARD -p tcp -m policy --dir out --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Mar 9 17:17:25 2018
root@mlxvpn:~#
root@mlxvpn:~# ip route list table 220
root@mlxvpn:~#

Thanks

On Thursday 08 March 2018 04:07 PM, Noel Kuntze wrote:
Hi,

Don't answer existing threads if you want to talk about new things. Send a completely new mail to the list, otherwise you get shit like this with different topics under a single thread and that makes it unnecessarily difficult and ugly to handle in mail clients.

Take a look at the article about help requests[1].

I'm sure you can figure it out by yourself (hint: It's likely your rules in *nat).

Kind regards
Noel

[1] https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

On 07.03.2018 12:50, Sujoy wrote:

Hi Jafar,

I am not getting any output from "*ip route list table 220*". The tunnel is established, and it is not allowing any type of traffic. Any idea what the issue could be?

[root@VPNTEST ~]# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.0-693.11.6.el7.x86_64, x86_64):
  uptime: 8 minutes, since Mar 07 17:00:51 2018
  malloc: sbrk 2568192, mmap 0, used 403312, free 2164880
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  172.25.1.23
Connections:
      tunnel:  %any...%any  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: uses pre-shared key authentication
      tunnel:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[2]: ESTABLISHED 27 seconds ago, 172.25.1.23[X.X.X.X]...106.216.163.71[192.168.10.40]
      tunnel[2]: IKEv2 SPIs: f8417e08c414c0ee_i a86999948d0d206c_r*, rekeying disabled
      tunnel[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{3}:  INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: c06d3ac1_i cd4c518b_o
      tunnel{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
      tunnel{3}:   X.X.X.X/32 === 192.168.10.40/32
[root@VPNTEST ~]#
[root@VPNTEST ~]#
[root@VPNTEST ~]# ip route list table 220
[root@VPNTEST ~]#
[root@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t
ACCEPT     esp  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@VPNTEST ~]#

Thanks

On Tuesday 06 March 2018 10:46 AM, Sujoy wrote:

Hi Jafar,

Thanks for the information. The ping stops as soon as the tunnel is established to the right IP of the client. I cannot ping/ssh/http (wget/curl) to the IPsec VPN server. It is the same IP address where the tunnel terminates.

Server configuration

config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no

conn %default

conn tunnel #
        left=%any
        leftsubnet=0.0.0.0/0
        right=%any
        rightsubnet=0.0.0.0/0
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel
        mobike=no

Client output

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 25 seconds, since Mar 06 13:00:41 2018
  malloc: sbrk 196608, mmap 0, used 163488, free 33120
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 17
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === X.X.X.X/X TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 23 seconds ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 221d0271a9235270_i* 485e938bf49b2110_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      tunnel{21}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c25c0775_i c559455b_o
      tunnel{21}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 84 bytes_o (1 pkt, 0s ago), rekeying active
      tunnel{21}:   192.168.20.100/32 === X.X.X.X/32

Thanks

On Monday 05 March 2018 09:58 PM, Jafar Al-Gharaibeh wrote:

Hi Sujoy,

Can you ping the server's IP address that you want to ssh to? Is that the same IP address where the tunnel terminates: the "right" address on the client side?

--Jafar

On 3/5/2018 12:31 AM, Sujoy wrote:

Hi Christopher,

Thanks for the response. I want to access the CentOS IPsec server, which has tunneling enabled, from another system through SSH. In the meantime the other OpenWRT client should also be able to curl/wget through the tunnel. Both SSH and HTTP fail while the tunnel is established. Tried the following but it doesn't work.

https://wiki.strongswan.org/issues/2351
https://serverfault.com/questions/601143/ssh-not-working-over-ipsec-tunnel-strongswan

Thanks
Sujoy

On Monday 05 March 2018 11:46 AM, Christopher Bachner wrote:

Hi Sujoy,

Do you route all traffic through the ipsec tunnel at the moment? Or is your goal to access the CentOS server through ipsec?

Cheers,
Christopher

On Mar 5, 2018 07:05, Sujoy <[email protected]> wrote:

Hi Jafar,

I have successfully established a connection with tunneling between the OpenWRT client and CentOS as StrongSwan server. Now I am facing one issue. How do I enable ssh and http through the IPsec tunnel in StrongSwan?
Thanks
Sujoy

On Friday 23 February 2018 09:05 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

You have to send me the logs from both ends. It is hard to know what the problem is with no logs.

--Jafar

On 2/21/2018 8:58 AM, Sujoy wrote:

Thanks Jafar, for giving this information. Please let me know if anything else is required. The client OS is OpenWRT, so no logs are available.

*Server Config*

config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no

conn %default

conn tunnel #
        left=%any
        right=%any
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXXXXXX"

[host@VPNTEST ~]# firewall-cmd --list-all
FirewallD is not running
[host@VPNTEST ~]# sestatus
SELinux status:                 disabled
[host@VPNTEST ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

*Client config and status*

config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"
        strictcrlpolicy=no
        uniqueids=no

conn %default

conn tunnel #
        left=%any
        #right=192.168.10.40
        right=182.156.253.59
        ike=aes256-sha1-modp2048
        esp=aes256-sha1
        keyingtries=1
        keylife=20
        dpddelay=30s
        dpdtimeout=150s
        dpdaction=restart
        authby=psk
        auto=start
        keyexchange=ikev2
        type=tunnel

# /etc/ipsec.secrets - strongSwan IPsec secrets file
: PSK "XXXXXXX"

root@Device_BD2009:~# ipsec statusall
no files found matching '/etc/strongswan.d/*.conf'
Status of IKE charon daemon (strongSwan 5.3.3, Linux 3.10.49, mips):
  uptime: 22 minutes, since Feb 21 14:31:43 2018
  malloc: sbrk 196608, mmap 0, used 157560, free 39048
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp xcbc cmac hmac curl attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 xauth-generic
Listening IP addresses:
  192.168.20.100
  192.168.10.1
  fd70:5f2:3744::1
Connections:
      tunnel:  %any...X.X.X.X  IKEv2, dpddelay=30s
      tunnel:   local:  uses pre-shared key authentication
      tunnel:   remote: [X.X.X.X] uses pre-shared key authentication
      tunnel:   child:  dynamic === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
      tunnel[1]: ESTABLISHED 22 minutes ago, 192.168.20.100[192.168.20.100]...X.X.X.X[X.X.X.X]
      tunnel[1]: IKEv2 SPIs: 031ec8d3758cc169_i* a8c47adc292f6d3f_r, pre-shared key reauthentication in 2 hours
      tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048

On Tuesday 20 February 2018 09:20 PM, Jafar Al-Gharaibeh wrote:

Sujoy,

It is really hard to help you if you don't give us full information, only sending us one picture at a time. Please use text files, they are easier to navigate than screenshots. Your last question below is a repeat of a question that I answered before. If you want a proper diagnosis of the problem please send the configuration files, logs, routing table at both ends. See 8 at: https://wiki.strongswan.org/projects/strongswan/wiki/HelpRequests

Make sure to increase the debug level in your ipsec.conf files at both ends, something like:

config setup
        charondebug="ike 3, net 3, mgr 3, esp 3, chd 3, dmn 3, cfg 3, knl 3"

Regards,
Jafar

On 2/20/2018 8:00 AM, Sujoy wrote:

Hi Jafar,

I am able to establish a tunnel when I try to connect from a LAN IP. But with the same configuration (firewall settings) and same OS version it fails to establish a tunnel with a *NATed public IP*. What does "failed to establish CHILD_SA, keeping IKE_SA" mean? Please let me know if you have any idea regarding this issue.
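As an added example (not part of this thread, and not strongSwan's own tooling), here is a small Python checker for the two iptables conditions that the ForwardingAndSplitTunneling wiki page linked at the top of the thread describes, the ones Noel's hint about the *nat table points at. On a Linux gateway the xfrm policy lookup for forwarded packets happens after POSTROUTING NAT, so a packet whose source was already masqueraded no longer matches the child SA's traffic selector and leaves the box in the clear or is dropped; the `-m policy --dir out --pol ipsec -j ACCEPT` exemption therefore has to come before any MASQUERADE/SNAT rule. Likewise a default-DROP filter/FORWARD chain needs explicit ACCEPT rules for `--pol ipsec` traffic in both directions. The first sample below is the nat table posted in the first message; the second is a constructed misconfiguration, not captured from any host in the thread. Function names and the sample rules are assumptions of this example.

```python
# Added example: offline checks over iptables-save output for the NAT exemption
# ordering and FORWARD accepts that a strongSwan forwarding gateway needs.
# Sample inputs are embedded below; nothing here talks to a live netfilter.

# Sample A: the nat table as posted in the thread (exemption present, no SNAT).
THREAD_NAT = """\
*nat
:PREROUTING ACCEPT [41820:3021162]
:INPUT ACCEPT [6196:914229]
:OUTPUT ACCEPT [16:1536]
:POSTROUTING ACCEPT [16:1536]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""

# Sample B: constructed, not from the thread. A masquerading gateway whose
# exemption was appended after MASQUERADE, plus a default-DROP FORWARD chain
# with no IPsec accept rules.
BROKEN = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -o eth1 -j ACCEPT
COMMIT
"""


def parse_iptables_save(text):
    """Return {table: {'policies': {chain: policy}, 'rules': [rule, ...]}}.

    Rules keep their order, which is what the ordering check depends on."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line == 'COMMIT':
            continue
        if line.startswith('*'):                    # "*nat" starts a table block
            current = line[1:]
            tables[current] = {'policies': {}, 'rules': []}
        elif current is None:
            continue
        elif line.startswith(':'):                  # ":FORWARD DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            tables[current]['policies'][chain] = policy
        elif line.startswith('-A '):
            tables[current]['rules'].append(line)
    return tables


def chain_rules(tables, table, chain):
    return [r for r in tables.get(table, {}).get('rules', [])
            if r.startswith('-A %s ' % chain)]


def is_ipsec_exempt(rule, direction):
    """True for an ACCEPT rule matching IPsec policy in the given direction."""
    return ('--pol ipsec' in rule and '--dir %s' % direction in rule
            and rule.endswith('-j ACCEPT'))


def check_nat_exemption(tables):
    """The IPsec exemption must precede any source NAT in nat/POSTROUTING."""
    findings = []
    rules = chain_rules(tables, 'nat', 'POSTROUTING')
    exempt = next((i for i, r in enumerate(rules) if is_ipsec_exempt(r, 'out')), None)
    snat = next((i for i, r in enumerate(rules)
                 if '-j MASQUERADE' in r or '-j SNAT' in r), None)
    if snat is not None and exempt is None:
        findings.append('nat/POSTROUTING: source NAT without an IPsec exemption rule')
    elif snat is not None and exempt > snat:
        findings.append('nat/POSTROUTING: IPsec exemption is ordered after the source NAT rule')
    return findings


def check_forward_chain(tables):
    """A default-DROP filter/FORWARD chain needs accepts for IPsec policy traffic."""
    findings = []
    if tables.get('filter', {}).get('policies', {}).get('FORWARD') != 'DROP':
        return findings                              # ACCEPT policy: nothing to flag
    rules = chain_rules(tables, 'filter', 'FORWARD')
    for direction in ('in', 'out'):
        if not any(is_ipsec_exempt(r, direction) for r in rules):
            findings.append('filter/FORWARD drops by default and has no ACCEPT '
                            'for --dir %s --pol ipsec' % direction)
    return findings


def run_checks(text):
    """Run every check over one iptables-save dump; empty list means nothing to flag."""
    tables = parse_iptables_save(text)
    return check_nat_exemption(tables) + check_forward_chain(tables)


if __name__ == '__main__':
    for name, sample in (('thread nat table', THREAD_NAT), ('constructed', BROKEN)):
        print(name + ':', run_checks(sample) or ['no findings'])
```

On a real gateway feed it the output of `iptables-save` (the same command the thread uses); the thread's own nat table passes both checks, which is consistent with the exemption rule being present and no source NAT being configured on that host.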
