
Issue #3370

Endpoint Tunneling - Can connect to Point A, can ping server on Point B, but cannot access server URL:8080 from Point B

Added by gilbert vaudein 8 months ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Category:
network / firewall
Affected version:
5.6.2
Resolution:
No feedback

Description

Hi Guys,

I am new to strongSwan.

I just took over a network infrastructure.

So, the situation is that I can connect to Endpoint A, which allows me to have a connection to Endpoint B.

Endpoint A ipsec statusall:

gilbert@vpn-endpoint-A-prod:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-1021-gcp, x86_64):
  uptime: 61 minutes, since Mar 13 15:02:04 2020
  malloc: sbrk 2334720, mmap 532480, used 1612160, free 722560
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Virtual IP pools (size/online/offline):
  10.25.2.0/24: 254/1/1
Listening IP addresses:
  10.25.1.2
Connections:
   bf_tunnel:  10.25.1.0/24...192.xxx.12x.2  IKEv2, dpddelay=300s
   bf_tunnel:   local:  [34.xx.14.x5] uses pre-shared key authentication
   bf_tunnel:   remote: [192.xxx.12x.2] uses pre-shared key authentication
   bf_tunnel:   child:  10.25.2.0/24 === 192.168.10.0/24 TUNNEL, dpdaction=clear
       bf_in:  10.25.1.2...%any  IKEv2
       bf_in:   local:  [34.xx.14.x5] uses public key authentication
       bf_in:    cert:  "C=UK, O=VPN Server, CN=34.xx.14.x5" 
       bf_in:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
       bf_in:   child:  192.168.10.0/24 === dynamic TUNNEL
Security Associations (2 up, 0 connecting):
       bf_in[5]: ESTABLISHED 36 minutes ago, 10.25.1.2[34.xx.14.x5]...185.69.145.81[172.20.10.2]
       bf_in[5]: Remote EAP identity: gilbertv
       bf_in[5]: IKEv2 SPIs: b854cd16cfb1bc00_i 1fa3c38d61af8218_r*, rekeying disabled
       bf_in[5]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   bf_tunnel[1]: ESTABLISHED 61 minutes ago, 10.25.1.2[34.xx.14.x5]...192.xxx.12x.2[192.xxx.12x.2]
   bf_tunnel[1]: IKEv2 SPIs: 0645c475c0df714a_i db403a5144695e98_r*, pre-shared key reauthentication in 103 minutes
   bf_tunnel[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   bf_tunnel{6}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c35f735d_i cce7720a_o
   bf_tunnel{6}:  AES_CBC_256/HMAC_SHA1_96, 12558 bytes_i (20 pkts, 747s ago), 1337 bytes_o (20 pkts, 386s ago), rekeying in 30 minutes
   bf_tunnel{6}:   10.25.2.0/24 === 192.168.10.0/24

Endpoint B ipsec statusall:

gilbert@Endpoint-B:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-50-generic, x86_64):
  uptime: 4 days, since Mar 09 13:04:35 2020
  malloc: sbrk 3416064, mmap 532480, used 1725136, free 1690928
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Listening IP addresses:
  192.168.10.2
Connections:
   bf_tunnel:  %any...34.xx.14.x5  IKEv2, dpddelay=300s
   bf_tunnel:   local:  [192.xxx.12x.2] uses pre-shared key authentication
   bf_tunnel:   remote: [34.xx.14.x5] uses pre-shared key authentication
   bf_tunnel:   child:  192.168.10.0/24 === 10.25.2.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
   bf_tunnel[40]: ESTABLISHED 71 minutes ago, 192.168.10.2[192.xxx.12x.2]...34.xx.14.x5[34.xx.14.x5]
   bf_tunnel[40]: IKEv2 SPIs: 0645c475c0df714a_i* db403a5144695e98_r, pre-shared key reauthentication in 85 minutes
   bf_tunnel[40]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
   bf_tunnel{152}:  INSTALLED, TUNNEL, reqid 40, ESP in UDP SPIs: cce7720a_i c35f735d_o
   bf_tunnel{152}:  AES_CBC_256/HMAC_SHA1_96, 1337 bytes_i (20 pkts, 969s ago), 12558 bytes_o (20 pkts, 1330s ago), rekeying in 18 minutes
   bf_tunnel{152}:   192.168.10.0/24 === 10.25.2.0/24

I can ping an internal IP on Endpoint B: 192.168.10.21

But cannot access the URL: 192.168.10.21:8080

Can someone help? Thanks.

History

#1 Updated by Tobias Brunner 8 months ago

  • Description updated (diff)
  • Status changed from New to Feedback
  • Priority changed from Urgent to Normal

I can ping an internal IP on Endpoint B: 192.168.10.21

But cannot access the URL: 192.168.10.21:8080

Sounds like a firewall or application layer issue.

#2 Updated by gilbert vaudein 8 months ago

Hi,

And thank you for your help.

The firewalls are disabled on both ends.

However, you can RDP into desktop sessions within the tunnel.

Thanks for your help.

#3 Updated by gilbert vaudein 8 months ago

OK, maybe I will rephrase.

What I need is the fact to have access to the full network (URL, services, etc).
RDP is working fine and I can SSH into any node; however, I've noticed that on an SSH connection I can log in perfectly well, but when launching a command, the command gets launched and then it locks up.

I've disabled fail2ban.

#4 Updated by gilbert vaudein 8 months ago

Tobias Brunner wrote:

I can ping an internal IP on Endpoint B: 192.168.10.21

But cannot access the URL: 192.168.10.21:8080

Sounds like a firewall or application layer issue.

The firewall is disabled.

"Sounds like a firewall or application layer issue." How to intervene on the application layer?

Thanks.

#5 Updated by Tobias Brunner 7 months ago

How to intervene on the application layer?

I guess that depends on the protocol/application. Make sure a process is listening on that IP/port and it's generally reachable, and that there are no restrictions in regards to client IPs etc., and that return traffic from it is correctly routed/addressed/sent back. Basically follow the traffic (via traffic counters/captures) to see where it might get stuck.
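One way to do the counter comparison suggested above, as an added example that is not strongSwan's or the reporter's code: it parses the INSTALLED child SA lines from the two statusall excerpts in the issue, checks that each end's inbound SPI and counters are the other end's outbound ones (so the same SA is carrying traffic in both directions), and checks whether a given client/server address pair falls inside the negotiated traffic selectors at all. The sample text is copied from the issue; the function names are my own.

```python
import ipaddress
import re

# Constructed input: the child SA lines copied from the two "ipsec statusall" outputs above.
ENDPOINT_A = """\
   bf_tunnel{6}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c35f735d_i cce7720a_o
   bf_tunnel{6}:  AES_CBC_256/HMAC_SHA1_96, 12558 bytes_i (20 pkts, 747s ago), 1337 bytes_o (20 pkts, 386s ago), rekeying in 30 minutes
   bf_tunnel{6}:   10.25.2.0/24 === 192.168.10.0/24
"""
ENDPOINT_B = """\
   bf_tunnel{152}:  INSTALLED, TUNNEL, reqid 40, ESP in UDP SPIs: cce7720a_i c35f735d_o
   bf_tunnel{152}:  AES_CBC_256/HMAC_SHA1_96, 1337 bytes_i (20 pkts, 969s ago), 12558 bytes_o (20 pkts, 1330s ago), rekeying in 18 minutes
   bf_tunnel{152}:   192.168.10.0/24 === 10.25.2.0/24
"""

COUNTER_RE = re.compile(r"(\d+) bytes_i \((\d+) pkts.*?(\d+) bytes_o \((\d+) pkts")
SPI_RE = re.compile(r"SPIs: ([0-9a-f]+)_i ([0-9a-f]+)_o")
TS_RE = re.compile(r"^\s*\S+\{\d+\}:\s+([\d./]+) === ([\d./]+)\s*$", re.M)


def parse_child_sa(text):
    """Extract SPIs, byte/packet counters and traffic selectors of one CHILD_SA."""
    spi, cnt, ts = SPI_RE.search(text), COUNTER_RE.search(text), TS_RE.search(text)
    if not (spi and cnt and ts):
        raise ValueError("no INSTALLED child SA found in statusall output")
    bytes_i, pkts_i, bytes_o, pkts_o = map(int, cnt.groups())
    return {"spi_in": spi.group(1), "spi_out": spi.group(2),
            "in": (bytes_i, pkts_i), "out": (bytes_o, pkts_o),
            "local_ts": ipaddress.ip_network(ts.group(1)),
            "remote_ts": ipaddress.ip_network(ts.group(2))}


def tunnel_consistent(a, b):
    """True when both ends describe the same SA and packets flow both ways:
    A's inbound SPI/counters must equal B's outbound ones and vice versa."""
    return (a["spi_in"] == b["spi_out"] and a["spi_out"] == b["spi_in"]
            and a["in"] == b["out"] and a["out"] == b["in"]
            and a["in"][1] > 0 and a["out"][1] > 0)


def selectors_cover(sa, src, dst):
    """Does this end's traffic selector pair admit a src -> dst flow at all?
    Traffic outside the selectors is never sent through the tunnel."""
    return (ipaddress.ip_address(src) in sa["local_ts"]
            and ipaddress.ip_address(dst) in sa["remote_ts"])
```

If the counters agree and the selectors cover the flow, the ESP tunnel itself is not where the 8080 traffic is lost, and the next capture point is the server's own interface.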

#6 Updated by Tobias Brunner about 1 month ago

  • Category set to network / firewall
  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No feedback
