Encapsulating Security Protocol (ESP) is IP protocol 50. It has a protocol number in its own right, just as ICMP, TCP and UDP do, and is arguably the right protocol to use for encrypted tunnels.
However, although TCP and UDP have both IP addresses and port numbers associated with both source and destination, ICMP and ESP don't. It's the combination of ports and addresses that makes NAT and tunneling practical; without them, traffic is very difficult to handle.
The problem is that, when a tunneling (or NAT) device has two or more input UDP streams to pass on to a single endpoint, and the responses come back from that endpoint to the tunneling device, the source port numbers can be used to disambiguate the two streams. With ESP, there is no port number to serve as disambiguator, so it's hard for the tunneling endpoint to know which of several ESP sources that ESP response should be tunneled back to.
IPSec, which by default also uses ESP, some time ago codified the NAT-traversal extensions, which use UDP/4500 instead. I don't know that L2TP has such a mode, and without it, I fear you won't be able to do what you want to do.
I hope I'm wrong about that, and that someone else will come along and post a better answer. But in the absence of that, I thought I should at least try to explain what ESP is, and why it is a tunneling headache.
ssh -L 8192:192.0.2.3:8192 198.51.100.7

then access http://localhost:8192/

What this does is:

-L = Listen on a local port (where the ssh client is running)
8192 = Listen on port 8192
192.0.2.3:8192 = When a connection comes in to 8192 to the ssh client, forward that across the SSH tunnel and connect out to 192.0.2.3:8192
198.51.100.7 is the normal "server you want to ssh to"
Best Answer
I finally managed to accomplish this with ssh only: ssh -D (EDIT: not necessary with SSH>7.6) and ssh -R to your local SOCKS proxy.

1. Start local socks proxy in the background

EDIT: SSH>7.6 allows a simpler syntax to start the proxy. Skip this and continue with step 2!

Connect to localhost via SSH and open SOCKS proxy on port 54321. -f runs SSH in the background.

Note: If you close the terminal where you started the command, the proxy process will be killed. Also remember to clean up after yourself by either closing the terminal window when you are done or by killing the process yourself!

2. Connect to remote server and set up reverse port forwarding

Bind remote port 6666 to local port 54321. This makes your local socks proxy available to the remote site on port 6666.

EDIT: SSH>7.6 allows a simpler syntax to start the proxy! Step 1 is not needed then:

3. Configure the server software to use the forwarded proxy

Just configure yum, apt, curl, wget or any other tool that supports SOCKS to use the proxy 127.0.0.1:6666. Voilà! Happy tunneling!

4. Optional: install proxychains to make things easy

proxychains installed on the target server enables any software to use the forwarded SOCKS proxy (even telnet). It uses an LD_PRELOAD trick to redirect TCP and DNS requests from arbitrary commands into a proxy and is really handy. Set up /etc/proxychains.conf to use the forwarded socks proxy. Tunnel arbitrary tools (that use TCP) with proxychains:
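The four steps above gathered into one script, as an added example that is not code from the answer or from the OpenSSH project. Ports 54321 and 6666 and the 7.6 version threshold are the ones the answer gives; the REMOTE_HOST environment variable, the loopback bind address for the local proxy, -N and ExitOnForwardFailure are assumptions added here. The script checks the local OpenSSH version so that step 1 only runs when the client is older than 7.6, keeps the PID of the local proxy so it is killed on exit (the cleanup the answer asks for), and prints the ProxyList entry for step 4.

```shell
#!/bin/sh
# Added example (not from the original answer): reverse SOCKS proxy in one script.
# Nothing connects anywhere unless REMOTE_HOST (assumed name) is set in the environment.
set -eu

LOCAL_SOCKS_PORT=54321   # step 1: local SOCKS proxy port (from the answer)
REMOTE_PROXY_PORT=6666   # step 2: port on the remote host that reaches that proxy (from the answer)

# OpenSSH 7.6 added reverse dynamic forwarding ("ssh -R port" with no target), which
# makes step 1 unnecessary. Returns 0 when the "ssh -V" banner is at least that version.
ssh_supports_reverse_dynamic() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    major=${ver%% *}
    minor=${ver##* }
    [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 6 ]; }
}

# The ssh -R command for step 2, chosen by client version. -N opens no remote shell, so
# the session is nothing but the tunnel; ExitOnForwardFailure makes ssh exit instead of
# silently carrying on when port 6666 is already taken on the remote side.
reverse_socks_command() {
    if ssh_supports_reverse_dynamic "$1"; then
        printf 'ssh -N -o ExitOnForwardFailure=yes -R %s %s\n' "$REMOTE_PROXY_PORT" "$2"
    else
        printf 'ssh -N -o ExitOnForwardFailure=yes -R %s:localhost:%s %s\n' \
            "$REMOTE_PROXY_PORT" "$LOCAL_SOCKS_PORT" "$2"
    fi
}

# Step 4: the ProxyList entry to put in /etc/proxychains.conf on the remote host.
proxychains_conf() {
    printf '[ProxyList]\nsocks5 127.0.0.1 %s\n' "$REMOTE_PROXY_PORT"
}

main() {
    sshver=$(ssh -V 2>&1)
    if ! ssh_supports_reverse_dynamic "$sshver"; then
        # Step 1 (OpenSSH < 7.6): local SOCKS proxy, bound to loopback only so nothing
        # else on the LAN can use it. The answer uses -f; & is used here so the PID is
        # known and the proxy is killed when this script exits.
        ssh -N -D "127.0.0.1:$LOCAL_SOCKS_PORT" localhost &
        socks_pid=$!
        trap 'kill "$socks_pid" 2>/dev/null' EXIT INT TERM
        sleep 1   # give the proxy a moment to start listening
    fi
    # Step 2: hold the reverse tunnel open until interrupted.
    cmd=$(reverse_socks_command "$sshver" "$REMOTE_HOST")
    echo "running: $cmd" >&2
    $cmd   # intentionally unquoted: the string splits into the ssh arguments
}

if [ -n "${REMOTE_HOST:-}" ]; then
    main
fi
```

Run it as REMOTE_HOST=user@server sh reverse-socks.sh; while it is running, tools on the server reach the Internet through 127.0.0.1:6666, and proxychains_conf prints the line to append to the server's /etc/proxychains.conf for step 4.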