<html><head></head><body><div style="font-family: Verdana;font-size: 12.0px;"><div>
<div>Alas,</div>
<div>this is the only thing on which I can rest assured!</div>
<div> </div>
<div>Oct 3 16:31:06 magdala pluto[16575]: "roadwarrior/0x1" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2<br/>
Oct 3 16:31:06 magdala pluto[16575]: "roadwarrior/0x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x022c3823 <0xcf2e9985 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}</div>
<div>
<div> </div>
<div>I think that the checkpoint expects my packets coming from 192.168.1.11, but instead it receives them from 192.168.100.100 and so drops them...</div>
<div> </div>
<div>:-(</div>
<div> </div>
<div>Ideas?</div>
<div> </div>
<div>Thanks, Luca</div>
<div name="quote" style="margin:10px 5px 5px 10px; padding: 10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Friday, October 03, 2014 at 4:18 PM<br/>
<b>From:</b> "Nick Howitt" <nick@howitts.co.uk><br/>
<b>To:</b> "Luca Arzeni" <l.arzeni@iname.com><br/>
<b>Cc:</b> users <users@lists.openswan.org><br/>
<b>Subject:</b> Re: [Openswan Users] Connection to checkpoint FT NG: ip alias using netkey</div>
<div name="quoted-content">
<div style="background-color: rgb(255,255,255);">You need to SNAT traffic from 192.168.100.100 to 192.168.1.11 so my rule was correct. You don't appear to be using your original ipsec.conf where leftsubnet was set to 192.168.1.11/32. With your current set up I doubt that you have an IPsec VPN established. Check your /var/log/messages for an "IPsec SA established" message to see if you have a tunnel established.<br/>
<div class="moz-cite-prefix">On 03/10/2014 15:01, Luca Arzeni wrote:</div>
<blockquote>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>Sorry Nick, but maybe I made a mistake:</div>
<div>you wrote:</div>
<div> </div>
<div>iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to<br/>
192.168.1.11</div>
<div> </div>
<div>That is: use the leftsourceip as the SNAT --to address</div>
<div>=> If I do this I get a "No route to host" message!</div>
<div> </div>
<div>I've also tested with:</div>
<div>iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to<br/>
192.168.100.100</div>
<div> </div>
<div>That is: use my real IP as the SNAT --to address,<br/>
=> and this way I get a timeout message on ssh.</div>
<div> </div>
<div>Just to recap, my current config is:</div>
<div>==========</div>
<div>config setup<br/>
dumpdir=/var/run/pluto/<br/>
nat_traversal=yes<br/>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br/>
oe=off<br/>
protostack=netkey # I set this to avoid warning message at connection startup</div>
<div>conn roadwarrior<br/>
left=%defaultroute<br/>
leftsubnet=192.168.100.100/32 # client IP, I need to set it because I'm using also a "rightsubnets" list<br/>
leftcert=my_crt.pem<br/>
leftrsasigkey=%cert<br/>
leftid=%fromcert<br/>
leftsourceip=192.168.1.11<br/>
#<br/>
right=Y.Z.W.T<br/>
rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }<br/>
rightcert=fw_crt.pem<br/>
rightrsasigkey=%cert<br/>
rightid=Y.Z.W.T<br/>
#<br/>
auto=start</div>
<div>=========</div>
<div>Then: </div>
<div> </div>
<div>With NO rule in nat table</div>
<div>=> I've got a: "No route to host" message</div>
<div> </div>
<div>
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;">With rule:</div>
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;"><span style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;">iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to</span><br style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;"/>
<span style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;">192.168.1.11</span></div>
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;">=> I've got: "No route to host" message</div>
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;"> </div>
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;">
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;">With rule:</div>
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;">iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to<br/>
192.168.100.100</div>
<div>=> <span style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;"> I've got: "</span>Connection timed out" message</div>
<div> </div>
<div>The behaviour is the same whether I set 192.168.1.11 (leftsourceip) as an alias on my eth0 or not.</div>
<div> </div>
<div>I've no other idea!</div>
<div> </div>
<div>I'm wondering if this is a limitation of my openswan release (2.6.37-3+deb7u1) and if it could work in a future revision...</div>
<div>What do you think?</div>
<div> </div>
<div>Thanks,</div>
<div>Luca</div>
<div> </div>
</div>
<div style="font-family: Verdana;font-size: 12.0px;line-height: 19.2px;"> </div>
</div>
<div>
<div style="margin: 10.0px 5.0px 5.0px 10.0px;padding: 10.0px 0 10.0px 10.0px;border-left: 2.0px solid rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Friday, October 03, 2014 at 3:45 PM<br/>
<b>From:</b> "Nick Howitt" <a class="moz-txt-link-rfc2396E" href="mailto:nick@howitts.co.uk" target="_parent"><nick@howitts.co.uk></a><br/>
<b>To:</b> "Luca Arzeni" <a class="moz-txt-link-rfc2396E" href="mailto:l.arzeni@iname.com" target="_parent"><l.arzeni@iname.com></a><br/>
<b>Cc:</b> users <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.openswan.org" target="_parent"><users@lists.openswan.org></a><br/>
<b>Subject:</b> Re: [Openswan Users] Connection to checkpoint FT NG: ip alias using netkey</div>
<div>
<div style="background-color: rgb(255,255,255);">Try un-setting the alias. I don't think it is necessary but I have no more ideas.<br/>
Nick<br/>
<div class="moz-cite-prefix">On 03/10/2014 14:31, Luca Arzeni wrote:</div>
<blockquote>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>No way: Connection timed out</div>
<div> </div>
<div>/sbin/iptables -L -n -t nat <br/>
Chain PREROUTING (policy ACCEPT)<br/>
target prot opt source destination </div>
<div>Chain INPUT (policy ACCEPT)<br/>
target prot opt source destination </div>
<div>Chain OUTPUT (policy ACCEPT)<br/>
target prot opt source destination </div>
<div>Chain POSTROUTING (policy ACCEPT)<br/>
target prot opt source destination <br/>
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec<br/>
SNAT all -- 0.0.0.0/0 192.168.3.0/24 to:192.168.1.11</div>
<div> </div>
<div>I'm wondering if the problem is caused by the ip alias, which is outside my 192.168.100.0/24 network...</div>
<div> </div>
<div>What do you think?</div>
<div> </div>
<div> </div>
<div>
<div style="margin: 10.0px 5.0px 5.0px 10.0px;padding: 10.0px 0 10.0px 10.0px;border-left: 2.0px solid rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Friday, October 03, 2014 at 3:20 PM<br/>
<b>From:</b> "Nick Howitt" <a class="moz-txt-link-rfc2396E"><nick@howitts.co.uk></a><br/>
<b>To:</b> "Luca Arzeni" <a class="moz-txt-link-rfc2396E"><l.arzeni@iname.com></a><br/>
<b>Cc:</b> users <a class="moz-txt-link-rfc2396E"><users@lists.openswan.org></a><br/>
<b>Subject:</b> Re: [Openswan Users] Connection to checkpoint FT NG: ip alias using netkey</div>
<div>
<div style="background-color: rgb(255,255,255);">What firewall rules do you have? If your connection is being established, presumably you are allowing incoming UDP:4500 in your roadwarrior. Do you also have a rule to allow traffic into the tunnel? There are lots of different variants I've seen, but this generic one should work:
<blockquote>iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT</blockquote>
Nick<br/>
<div class="moz-cite-prefix">On 03/10/2014 14:02, Luca Arzeni wrote:</div>
<blockquote>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>
<div>Hi Nick,</div>
<div>I've tried but I've got a timeout:</div>
<div>ssh 192.168.3.10<br/>
ssh: connect to host 192.168.3.10 port 22: Connection timed out</div>
<div> </div>
<div>Is the firewall discarding my packets?</div>
<div><span>Any hint?</span></div>
<div> </div>
<div>Thanks,</div>
<div>Luca</div>
<div> </div>
<div>
<div style="margin: 10.0px 5.0px 5.0px 10.0px;padding: 10.0px 0 10.0px 10.0px;border-left: 2.0px solid rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Monday, September 29, 2014 at 2:12 PM<br/>
<b>From:</b> "Nick Howitt" <a class="moz-txt-link-rfc2396E"><nick@howitts.co.uk></a><br/>
<b>To:</b> "Luca Arzeni" <a class="moz-txt-link-rfc2396E"><l.arzeni@iname.com></a><br/>
<b>Cc:</b> users <a class="moz-txt-link-rfc2396E"><users@lists.openswan.org></a><br/>
<b>Subject:</b> Re: [Openswan Users] Connection to checkpoint FT NG: ip alias using netkey</div>
<div>Does it work if you use your initial configuration then, in your client<br/>
at home, add a firewall rule:<br/>
<br/>
iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to<br/>
192.168.1.11<br/>
<br/>
You can get more selective with the firewall rule if you need to.<br/>
<br/>
Nick<br/>
<br/>
<br/>
On 2014-09-29 10:29, Luca Arzeni wrote:<br/>
> Hi,<br/>
> (it seems that my previous request was unreadable, so here is a plain<br/>
> text one... I apologize...)<br/>
> I'm trying to set up a connection from a Linux roadwarrior to<br/>
> a Checkpoint NG firewall<br/>
> client environment: debian wheezy 7.6 amd64, openswan 2.6.37-3+deb7u1,<br/>
> kernel 3.2.60-1+deb7u3 x86_64, NETKEY<br/>
><br/>
> Topology:<br/>
><br/>
> client (dhcp ip 192.168.1.11)<br/>
> |<br/>
> |<br/>
> ADSL GW/NAT(public ip unknown)<br/>
> |<br/>
> |<br/>
> (INTERNET)<br/>
> |<br/>
> |<br/>
> CP FIREWALL (public ip Y.Z.W.T)<br/>
> |<br/>
> |<br/>
> two subnets (192.168.2.0/24 192.168.3.0/24)<br/>
><br/>
> The connection works fine using this setup:<br/>
><br/>
> # /etc/ipsec.conf - Openswan IPsec configuration file<br/>
> version 2.0 # conforms to second version of ipsec.conf specification<br/>
> config setup<br/>
> dumpdir=/var/run/pluto/<br/>
> nat_traversal=yes<br/>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br/>
> oe=off<br/>
> protostack=netkey # I set this to avoid warning message at connection<br/>
> startup<br/>
><br/>
> conn roadwarrior<br/>
> left=%defaultroute<br/>
> leftsubnet=192.168.1.11/32 # client IP, I need to set it because I'm<br/>
> using also a "rightsubnets" list<br/>
> leftcert=client_crt.pem<br/>
> leftrsasigkey=%cert<br/>
> leftid=%fromcert<br/>
> #<br/>
> right=Y.Z.W.T<br/>
> rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }<br/>
> rightcert=firewall_cert.pem<br/>
> rightrsasigkey=%cert<br/>
> rightid=Y.Z.W.T<br/>
> #<br/>
> auto=start<br/>
><br/>
> PROBLEM: This setup works fine as long as I use client IP 192.168.1.11,<br/>
> which is registered and well known by checkpoint firewall as a valid<br/>
> client IP address.<br/>
> BUT when I go home, my client gets a different ip (let's say<br/>
> 192.168.100.100), since at home I'm using a different subnet (to allow<br/>
> connections also to my office).<br/>
><br/>
> Now, in my understanding, checkpoint has found a workaround to solve<br/>
> this issue.<br/>
> Usually, under windows, roadwarrior clients connect to the CP<br/>
> firewalls using a dedicated software made by Checkpoint developers.<br/>
> This software creates a virtual network interface, assigns to this<br/>
> interface the well known client ip (192.168.1.11) and routes all<br/>
> traffic through this interface.<br/>
> I've tested this software at my home and it works fine.<br/>
><br/>
> I would like to mimic this behaviour under linux, so I set an ip alias<br/>
> to my eth0; now my eth0 will have 192.168.100.100 (assigned by DHCP<br/>
> server) AND 192.168.1.11 which I set manually on the interface, BUT I<br/>
> found no working configuration for openswan.<br/>
><br/>
><br/>
> Then I've done the following tests:<br/>
><br/>
><br/>
> 1) set leftsubnet using the home network ip, i.e.:<br/>
> leftsubnet=192.168.100.100/32 (%defaultroute will automagically set to<br/>
> 192.168.100.100)<br/>
> Connection seems to be OK, I can read in the logs the following<br/>
> message:<br/>
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode<br/>
> {ESP=>0x20906a71 <0x22c34963 xfrm=3DES_0-HMAC_SHA1 NATOA=none<br/>
> NATD=none DPD=none}<br/>
> *** BUT *** ip route list shows that there is no route to servers<br/>
><br/>
> 2) then I've add leftsourceip=192.168.1.11<br/>
> Connection seems to be OK, I can read in the logs the following<br/>
> message:<br/>
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode<br/>
> {ESP=>0xcd521b9a <0xc6eb8d94 xfrm=3DES_0-HMAC_SHA1 NATOA=none<br/>
> NATD=none DPD=none}<br/>
> ip route list shows that now the routes are available:<br/>
> 192.168.3.0/24 dev eth0 scope link src 192.168.1.11<br/>
> *** BUT *** if I try to connect to a server, I receive the message:<br/>
>> ssh 192.168.3.10<br/>
>> ssh: connect to host 192.168.3.10 port 22: No route to host<br/>
><br/>
> 3) use leftsubnet=192.168.1.11/32 (that is the office subnet)<br/>
> Connection cannot be established, in the logs I can see:<br/>
> "roadwarrior/0x6" #1: ignoring informational payload, type<br/>
> INVALID_ID_INFORMATION msgid=00000000<br/>
> "roadwarrior/0x6" #1: received and ignored informational message<br/>
> This is NOT working at all.<br/>
><br/>
> 4) set leftsubnets={ 192.168.1.11/32 192.168.100.100/32}<br/>
> at start I receive, after the usual message: "ipsec_setup: multiple ip<br/>
> addresses, using 192.168.100.100 on eth0"<br/>
> the following (more promising!) message: "ipsec_setup: defaulting<br/>
> leftsubnet to 192.168.1.11"<br/>
> *** BUT *** in the logs, I see:<br/>
> "roadwarrior/2x6" #1: ignoring informational payload, type<br/>
> INVALID_ID_INFORMATION msgid=00000000<br/>
> "roadwarrior/2x6" #1: received and ignored informational message<br/>
> "roadwarrior/1x2" #3: transition from state STATE_QUICK_I1 to state<br/>
> STATE_QUICK_I2<br/>
> "roadwarrior/1x2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established<br/>
> tunnel mode {ESP=>0xfcb61ef1 <0x228bfdf9 xfrm=3DES_0-HMAC_SHA1<br/>
> NATOA=none NATD=none DPD=none}<br/>
> so it looks like only the first subnet is really working, and I<br/>
> still get the "no route to host" message when I try to connect.<br/>
><br/>
> === CONCLUSION ===<br/>
><br/>
> I guess that configuration 2 is the right one, but I'm missing<br/>
> something...<br/>
> Can someone help me?<br/>
><br/>
> Thanks,<br/>
> larzeni<br/>
> _______________________________________________<br/>
> <a class="moz-txt-link-abbreviated">Users@lists.openswan.org</a><br/>
> <a href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br/>
> Micropayments: <a href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy" target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br/>
> Building and Integrating Virtual Private Networks with Openswan:<br/>
> <a href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155" target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
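<div>The thread above tries, by hand, every combination of leftsubnet, leftsourceip and SNAT rule. The script below is an added example (not Openswan code, not posted by anyone in the thread) that models the decision once, so the combinations can be checked without re-establishing the tunnel each time. It assumes a simplified NETKEY output path: the packet's source is leftsourceip when the conn sets one (Openswan's _updown installs the route with that src, as Luca's "ip route list" output shows), otherwise the interface address; the nat POSTROUTING chain is then walked in order, with SNAT rewriting the source, ACCEPT ending the walk, and "-m policy --dir out" only matching a packet that already fits a tunnel selector; finally the xfrm policy (leftsubnet to rightsubnets) is consulted with the post-NAT source, and only a match sends the packet into the tunnel. The conn fragments and iptables lines are constructed from the configurations shown in the thread, written in "iptables -S" form.</div>

```python
"""Where does a roadwarrior's packet go: plain routing or the IPsec tunnel?

Simplified model of the NETKEY output path (an assumption of this example):
  1. source address = leftsourceip if the conn sets one (Openswan's _updown
     installs the route with that src), else the interface address;
  2. the nat POSTROUTING chain is walked in order; SNAT rewrites the source
     and ends the walk, ACCEPT ends it unchanged, "-m policy --dir out" only
     matches a packet that already fits a tunnel selector;
  3. the xfrm policy (leftsubnet -> rightsubnets) is consulted with the
     post-NAT addresses: only a match sends the packet into the tunnel.
"""
import ipaddress
import shlex


def parse_conn(conn_text):
    """key=value pairs of one conn block; '{ a b }' values become lists."""
    conf = {}
    for raw in conn_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        conf[key] = value.strip("{} ").split() if value.startswith("{") else value
    return conf


def tunnel_selectors(conf, host_ip):
    """Networks the xfrm policy carries; leftsubnet defaults to left/32."""
    lefts = conf.get("leftsubnets") or [conf.get("leftsubnet") or f"{host_ip}/32"]
    rights = conf.get("rightsubnets") or [conf["rightsubnet"]]
    return ([ipaddress.ip_network(n, strict=False) for n in lefts],
            [ipaddress.ip_network(n, strict=False) for n in rights])


def parse_nat_rules(iptables_s_text):
    """Parse 'iptables -t nat -S POSTROUTING' lines into rule dicts, in chain order."""
    rules = []
    for line in iptables_s_text.splitlines():
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] not in ("-A", "-I") or toks[1] != "POSTROUTING":
            continue
        rule = {"src": None, "dst": None, "policy_out": False, "target": None, "to": None}
        i = 2
        while i < len(toks):
            tok, arg = toks[i], (toks[i + 1] if i + 1 < len(toks) else None)
            if tok in ("-s", "-d"):
                rule["src" if tok == "-s" else "dst"] = ipaddress.ip_network(arg, strict=False)
            elif tok == "-m" and arg == "policy":
                rule["policy_out"] = True
            elif tok == "-j":
                rule["target"] = arg
            elif tok in ("--to-source", "--to"):      # single address only, no ranges
                rule["to"] = ipaddress.ip_address(arg)
            elif tok not in ("--dir", "--pol"):       # unknown bare flag: skip just it
                i += 1
                continue
            i += 2                                    # every handled option takes one argument
        rules.append(rule)
    return rules


def packet_path(conf, host_ip, iptables_s_text, dst_ip):
    """(enters_tunnel, final_src, trace) for a locally generated packet to dst_ip."""
    lefts, rights = tunnel_selectors(conf, host_ip)
    dst = ipaddress.ip_address(dst_ip)
    src = ipaddress.ip_address(conf.get("leftsourceip") or host_ip)
    in_policy = lambda s: any(s in n for n in lefts) and any(dst in n for n in rights)
    trace = [f"src={src} ({'leftsourceip' if 'leftsourceip' in conf else 'interface address'})"]
    for rule in parse_nat_rules(iptables_s_text):
        if rule["src"] and src not in rule["src"]:
            continue
        if rule["dst"] and dst not in rule["dst"]:
            continue
        if rule["policy_out"] and not in_policy(src):
            continue
        if rule["target"] == "SNAT" and rule["to"]:
            src = rule["to"]
            trace.append(f"SNAT -> src={src}")
            break
        if rule["target"] == "ACCEPT":
            trace.append("ACCEPT: nat chain left, source unchanged")
            break
    tunneled = in_policy(src)
    trace.append("xfrm policy matches: enters IPsec tunnel" if tunneled
                 else f"no xfrm policy for {src}->{dst}: plain routing")
    return tunneled, src, trace


# Constructed inputs, copied from the configurations shown in the thread.
CONN_ORIGINAL = """conn roadwarrior
left=%defaultroute
leftsubnet=192.168.1.11/32   # client IP, needed because rightsubnets is a list
rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }
"""
CONN_CURRENT = CONN_ORIGINAL.replace(
    "leftsubnet=192.168.1.11/32", "leftsubnet=192.168.100.100/32\nleftsourceip=192.168.1.11")
NAT_NONE = ""
NAT_SNAT_ONLY = "-A POSTROUTING -d 192.168.2.0/23 -j SNAT --to-source 192.168.1.11"
NAT_AS_POSTED = """-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -d 192.168.3.0/24 -j SNAT --to-source 192.168.1.11"""

if __name__ == "__main__":
    cases = [
        ("office, original conn, no nat", CONN_ORIGINAL, "192.168.1.11", NAT_NONE),
        ("home, original conn + SNAT to 192.168.1.11", CONN_ORIGINAL, "192.168.100.100", NAT_SNAT_ONLY),
        ("home, current conn, no nat", CONN_CURRENT, "192.168.100.100", NAT_NONE),
        ("home, current conn, rules as posted", CONN_CURRENT, "192.168.100.100", NAT_AS_POSTED),
    ]
    for name, conn, host, nat in cases:
        tunneled, _, trace = packet_path(parse_conn(conn), host, nat, "192.168.3.10")
        print(f"{name}: {'TUNNEL' if tunneled else 'NOT TUNNELED'}; " + "; ".join(trace))
```

<div>Run it and the four cases print one line each: the office case and the "original conn + SNAT" case enter the tunnel with source 192.168.1.11, while both "current conn" cases end in plain routing because the packet's source (192.168.1.11, taken from leftsourceip) is outside the 192.168.100.100/32 selector the tunnel was negotiated with. To check a live host instead of the constructed inputs, feed it the real conn block and the output of "iptables -t nat -S POSTROUTING".</div>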
</div></div></body></html>