<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
That looks like your tunnel is working.<br>
<br>
Have you changed leftsubnet back to 192.168.1.11/32?<br>
<br>
<div class="moz-cite-prefix">On 03/10/2014 15:34, Luca Arzeni wrote:<br>
</div>
<blockquote
cite="mid:trinity-61ac313e-73ef-46b2-b1b1-98493b701f5f-1412346853682@3capp-mailcom-lxa03"
type="cite">
<div style="font-family: Verdana;font-size: 12.0px;">
<div>
<div>Alas,</div>
<div>this is the only thing on which I can rest assured!</div>
<div> </div>
<div>Oct 3 16:31:06 magdala pluto[16575]: "roadwarrior/0x1"
#2: transition from state STATE_QUICK_I1 to state
STATE_QUICK_I2<br>
Oct 3 16:31:06 magdala pluto[16575]: "roadwarrior/0x1" #2:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
{ESP=>0x022c3823 <0xcf2e9985 xfrm=3DES_0-HMAC_SHA1
NATOA=none NATD=none DPD=none}</div>
<div>
<div> </div>
<div>I think that the checkpoint expects my packets coming
from 192.168.1.11, but instead it receives them
from 192.168.100.100 and so drops them...</div>
<div> </div>
<div>:-(</div>
<div> </div>
<div>Ideas?</div>
<div> </div>
<div>Thanks, Luca</div>
<div name="quote" style="margin:10px 5px 5px 10px; padding:
10px 0 10px 10px; border-left:2px solid #C3D9E5;
word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Friday,
October 03, 2014 at 4:18 PM<br>
<b>From:</b> "Nick Howitt" <a class="moz-txt-link-rfc2396E" href="mailto:nick@howitts.co.uk"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca Arzeni" <a class="moz-txt-link-rfc2396E" href="mailto:l.arzeni@iname.com"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.openswan.org"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re: [Openswan Users] Connection to
checkpoint FT NG: ip alias using netkey</div>
<div name="quoted-content">
<div style="background-color: rgb(255,255,255);">You
need to SNAT traffic from 192.168.100.100 to
192.168.1.11 so my rule was correct. You don't appear
to be using your original ipsec.conf where leftsubnet
was set to 192.168.1.11/32. With your current set up I
doubt that you have an IPsec VPN established. Check
your /var/log/messages for an "IPsec SA established"
message to see if you have a tunnel established.<br>
<div class="moz-cite-prefix">On 03/10/2014 15:01, Luca
Arzeni wrote:</div>
<blockquote>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>Sorry Nick, but maybe I made a mistake:</div>
<div>you wrote:</div>
<div> </div>
<div>iptables -t nat -I POSTROUTING -d
192.168.2.0/23 -j SNAT --to<br>
192.168.1.11</div>
<div> </div>
<div>That is: place as --to the SNAT the
leftsourceip</div>
<div>=> <span style="font-family: Verdana ,
sans-serif , Arial , "Trebuchet
MS";font-size: 13.0px;line-height:
1.6em;">If I do this I get a: no route to host
message!</span></div>
<div> </div>
<div>I've also tested with:</div>
<div>iptables -t nat -I POSTROUTING -d
192.168.2.0/23 -j SNAT --to<br>
192.168.100.100</div>
<div> </div>
<div>That is: place as --to the SNAT my real ip, <br>
=> and this way I've got a timeout message on
ssh.</div>
<div> </div>
<div>Just to recap, my current config is:</div>
<div>==========</div>
<div>config setup<br>
dumpdir=/var/run/pluto/<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>
oe=off<br>
protostack=netkey # I set this to avoid a
warning message at connection startup</div>
<div>conn roadwarrior<br>
left=%defaultroute<br>
leftsubnet=192.168.100.100/32 # client
IP, I need to set it because I'm using also a
"rightsubnets" list<br>
leftcert=my_crt.pem<br>
leftrsasigkey=%cert<br>
leftid=%fromcert<br>
leftsourceip=192.168.1.11<br>
#<br>
right=Y.Z.W.T<br>
rightsubnets={ 192.168.2.0/24
192.168.3.0/24 }<br>
rightcert=fw_crt.pem<br>
rightrsasigkey=%cert<br>
rightid=Y.Z.W.T<br>
#<br>
auto=start</div>
<div>=========</div>
<div>Then: </div>
<div> </div>
<div>With NO rule in nat table</div>
<div>=> I've got a: "No route to host" message</div>
<div> </div>
<div>
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">With rule:</div>
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;"><span
style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">iptables -t nat
-I POSTROUTING -d 192.168.2.0/23 -j SNAT
--to</span><br style="font-family:
Verdana;font-size: 12.0px;line-height:
19.2px;">
<span style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">192.168.1.11</span></div>
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">=> I've
got: "No route to host" message</div>
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;"> </div>
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">With rule:</div>
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">iptables -t nat
-I POSTROUTING -d 192.168.2.0/23 -j SNAT
--to<br>
192.168.100.100</div>
<div>=> <span style="font-family:
Verdana;font-size: 12.0px;line-height:
19.2px;"> I've got: "</span>Connection
timed out" message</div>
<div> </div>
<div>The behaviour is the same if I set <span
style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;">192.168.1.11
(leftsourceip)</span> as alias to my eth0
and even if I don't set it.</div>
<div> </div>
<div>I've no other idea!</div>
<div> </div>
<div>I'm wondering if this is a limit of my
openswan release (2.6.37-3+deb7u1) and if,
in a future revision, it could work...</div>
<div>What do you think?</div>
<div> </div>
<div>Thanks,</div>
<div>Luca</div>
<div> </div>
</div>
<div style="font-family: Verdana;font-size:
12.0px;line-height: 19.2px;"> </div>
</div>
<div>
<div style="margin: 10.0px 5.0px 5.0px
10.0px;padding: 10.0px 0 10.0px
10.0px;border-left: 2.0px solid
rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Friday,
October 03, 2014 at 3:45 PM<br>
<b>From:</b> "Nick Howitt" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="nick@howitts.co.uk" target="_parent"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca Arzeni" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="l.arzeni@iname.com" target="_parent"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="users@lists.openswan.org"
target="_parent"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re: [Openswan Users]
Connection to checkpoint FT NG: ip alias
using netkey</div>
<div>
<div style="background-color:
rgb(255,255,255);">Try un-setting the
alias. I don't think it is necessary but I
have no more ideas.<br>
Nick<br>
<div class="moz-cite-prefix">On 03/10/2014
14:31, Luca Arzeni wrote:</div>
<blockquote>
<div style="font-family:
Verdana;font-size: 12.0px;">
<div>No way: Connection timed out</div>
<div> </div>
<div>/sbin/iptables -L -n -t nat <br>
Chain PREROUTING (policy ACCEPT)<br>
target prot opt source
destination </div>
<div>Chain INPUT (policy ACCEPT)<br>
target prot opt source
destination </div>
<div>Chain OUTPUT (policy ACCEPT)<br>
target prot opt source
destination </div>
<div>Chain POSTROUTING (policy ACCEPT)<br>
target prot opt source
destination <br>
ACCEPT all -- 0.0.0.0/0
0.0.0.0/0 policy
match dir out pol ipsec<br>
SNAT all -- 0.0.0.0/0
192.168.3.0/24
to:192.168.1.11</div>
<div> </div>
<div>I'm wondering if the problem is
caused by the ip alias, which is out
of my 192.168.100.0/24 network...</div>
<div> </div>
<div>What do you think?</div>
<div> </div>
<div> </div>
<div>
<div style="margin: 10.0px 5.0px
5.0px 10.0px;padding: 10.0px 0
10.0px 10.0px;border-left: 2.0px
solid rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Friday,
October 03, 2014 at 3:20 PM<br>
<b>From:</b> "Nick Howitt" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca Arzeni" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re: [Openswan
Users] Connection to checkpoint
FT NG: ip alias using netkey</div>
<div>
<div style="background-color:
rgb(255,255,255);">What
firewall rules do you have? If
your connection is being
established presumably you are
allowing incoming UDP:4500 in
your roadwarrior. Do you also
have a rule to allow traffic
into the tunnel? There are
lots of different variants
I've seen but this generic one
should work:
<blockquote>iptables -t nat -I
POSTROUTING -m policy --dir
out --pol ipsec -j ACCEPT</blockquote>
Nick<br>
<div class="moz-cite-prefix">On
03/10/2014 14:02, Luca
Arzeni wrote:</div>
<blockquote>
<div style="font-family:
Verdana;font-size:
12.0px;">
<div>
<div>Hi Nick,</div>
<div>I've tried but I've
got a timeout:</div>
<div>ssh 192.168.3.10<br>
ssh: connect to host
192.168.3.10 port 22:
Connection timed out</div>
<div> </div>
<div>Is it the firewall
that is discarding my
packets?</div>
<div><span>Any hint?</span></div>
<div> </div>
<div>Thanks,</div>
<div>Luca</div>
<div> </div>
<div>
<div style="margin:
10.0px 5.0px 5.0px
10.0px;padding:
10.0px 0 10.0px
10.0px;border-left:
2.0px solid
rgb(195,217,229);">
<div style="margin:
0 0 10.0px 0;"><b>Sent:</b> Monday,
September 29, 2014
at 2:12 PM<br>
<b>From:</b> "Nick
Howitt" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca
Arzeni" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a
moz-do-not-send="true" class="moz-txt-link-rfc2396E"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re:
[Openswan Users]
Connection to
checkpoint FT NG:
ip alias using
netkey</div>
<div>Does it work if
you use your
initial
configuration
then, in your
client<br>
at home, add a
firewall rule:<br>
<br>
iptables -t nat -I
POSTROUTING -d
192.168.2.0/23 -j
SNAT --to<br>
192.168.1.11<br>
<br>
You can get more
selective with the
firewall rule if
you need to.<br>
<br>
Nick<br>
<br>
<br>
On 2014-09-29
10:29, Luca Arzeni
wrote:<br>
> Hi,<br>
> (it seems
that my previous
request was
unreadable, so
here is a plain<br>
> text one... I
apologize...)<br>
> I'm trying to
set up a connection
from a linux
roadwarrior to<br>
> checkpoint ng
Firewall<br>
> client
environment:
debian wheezy 7.6
amd64, openswan
2.6.37-3+deb7u1,<br>
> kernel
3.2.60-1+deb7u3
x86_64, NETKEY<br>
><br>
> Topology:<br>
><br>
> client (dhcp
ip 192.168.1.11)<br>
> |<br>
> |<br>
> ADSL
GW/NAT(public ip
unknown)<br>
> |<br>
> |<br>
> (INTERNET)<br>
> |<br>
> |<br>
> CP FIREWALL
(public ip
Y.Z.W.T)<br>
> |<br>
> |<br>
> two subnets
(192.168.2.0/24
192.168.3.0/24)<br>
><br>
> The
connection works
fine using this
setup:<br>
><br>
> #
/etc/ipsec.conf -
Openswan IPsec
configuration file<br>
> version 2.0 #
conforms to second
version of
ipsec.conf
specification<br>
> config setup<br>
>
dumpdir=/var/run/pluto/<br>
>
nat_traversal=yes<br>
>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>
> oe=off<br>
>
protostack=netkey
# I set this to
avoid a warning
message at
connection<br>
> startup<br>
><br>
> conn
roadwarrior<br>
>
left=%defaultroute<br>
>
leftsubnet=192.168.1.11/32
# client IP, I
need to set it
because I'm<br>
> using also a
"rightsubnets"
list<br>
>
leftcert=client_crt.pem<br>
>
leftrsasigkey=%cert<br>
>
leftid=%fromcert<br>
> #<br>
> right=Y.Z.W.T<br>
>
rightsubnets={
192.168.2.0/24
192.168.3.0/24 }<br>
>
rightcert=firewall_cert.pem<br>
>
rightrsasigkey=%cert<br>
>
rightid=Y.Z.W.T<br>
> #<br>
> auto=start<br>
><br>
> PROBLEM: This
setup works fine
until I use client
IP 192.168.1.11,<br>
> which is
registered and
well known by
checkpoint
firewall as a
valid<br>
> client IP
address.<br>
> BUT when I go
home, my client
gets a different
ip (let's say<br>
>
192.168.100.100),
since at home I'm
using a different
subnet (to allow<br>
> connections
also to my
office).<br>
><br>
> Now, in my
understanding,
checkpoint has
found a workaround
to solve<br>
> this issue.<br>
> Usually,
under windows,
roadwarrior
clients connect to
the CP<br>
> firewalls
using a dedicated
software made by
Checkpoint
developers.<br>
> This software
creates a virtual
network interface,
assigns to this<br>
> interface the
well known client
ip (192.168.1.11)
and routes all<br>
> traffic
through this
interface.<br>
> I've tested
this software at
my home and it
works fine.<br>
><br>
> I would like
to mimic this
behaviour under
linux, so I set an
ip alias<br>
> to my eth0;
now my eth0 will
have
192.168.100.100
(assigned by DHCP<br>
> server) AND
192.168.1.11 which
I set manually on
the interface, BUT
I<br>
> found no
working
configuration for
openswan.<br>
><br>
><br>
> Then I've
done the following
tests:<br>
><br>
><br>
> 1) set
leftsubnet using
the home network
ip, i.e.:<br>
>
leftsubnet=192.168.100.100/32
(%defaultroute
will automagically
set to<br>
>
192.168.100.100)<br>
> Connection
seems to be OK, I
can read in the
logs the following<br>
> message:<br>
>
STATE_QUICK_I2:
sent QI2, IPsec SA
established tunnel
mode<br>
>
{ESP=>0x20906a71
<0x22c34963
xfrm=3DES_0-HMAC_SHA1
NATOA=none<br>
> NATD=none
DPD=none}<br>
> *** BUT ***
ip route list
shows that there
is no route to
servers<br>
><br>
> 2) then I've
added
leftsourceip=192.168.1.11<br>
> Connection
seems to be OK, I
can read in the
logs the following<br>
> message:<br>
>
STATE_QUICK_I2:
sent QI2, IPsec SA
established tunnel
mode<br>
>
{ESP=>0xcd521b9a
<0xc6eb8d94
xfrm=3DES_0-HMAC_SHA1
NATOA=none<br>
> NATD=none
DPD=none}<br>
> ip route list
shows that now the
routes are
available:<br>
>
192.168.3.0/24 dev
eth0 scope link
src 192.168.1.11<br>
> *** BUT ***
if I try to
connect to a
server, I receive
the message:<br>
>> ssh
192.168.3.10<br>
>> ssh:
connect to host
192.168.3.10 port
22: No route to
host<br>
><br>
> 3) use
leftsubnet=192.168.1.11/32
(that is the
office subnet)<br>
> Connection
cannot be
established, in
the logs I can
see:<br>
>
"roadwarrior/0x6"
#1: ignoring
informational
payload, type<br>
>
INVALID_ID_INFORMATION
msgid=00000000<br>
>
"roadwarrior/0x6"
#1: received and
ignored
informational
message<br>
> This is NOT
working at all.<br>
><br>
> 4) set
leftsubnets={
192.168.1.11/32
192.168.100.100/32}<br>
> at start I
receive, after the
usual message:
"ipsec_setup:
multiple ip<br>
> addresses,
using
192.168.100.100 on
eth0"<br>
> the following
(more promising!)
message:
"ipsec_setup:
defaulting<br>
> leftsubnet to
192.168.1.11"<br>
> *** BUT ***
in the logs, I
see:<br>
>
"roadwarrior/2x6"
#1: ignoring
informational
payload, type<br>
>
INVALID_ID_INFORMATION
msgid=00000000<br>
>
"roadwarrior/2x6"
#1: received and
ignored
informational
message<br>
>
"roadwarrior/1x2"
#3: transition
from state
STATE_QUICK_I1 to
state<br>
>
STATE_QUICK_I2<br>
>
"roadwarrior/1x2"
#3:
STATE_QUICK_I2:
sent QI2, IPsec SA
established<br>
> tunnel mode
{ESP=>0xfcb61ef1
<0x228bfdf9
xfrm=3DES_0-HMAC_SHA1<br>
> NATOA=none
NATD=none
DPD=none}<br>
> so it looks
like really
only the first
subnet is working,
and<br>
> still I have
"no route to host
message" when I
try to connect.<br>
><br>
> ===
CONCLUSION ===<br>
><br>
> I guess that
the 2nd
configuration is
the right one, but
I'm missing<br>
> something...<br>
> Can someone
help me?<br>
><br>
> Thanks,<br>
> larzeni<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
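<p>The mismatch discussed in this thread, as an added consistency check (example code, not from the thread or the Openswan project): it parses a <code>conn</code> block and an iptables SNAT rule, both constructed inline from the values quoted above, reports when the SNAT <code>--to</code> address lies outside <code>leftsubnet</code> (the address the peer matches the inner source against) or when the <code>-d</code> match does not cover <code>rightsubnets</code>, and scans a pluto log line for "IPsec SA established". The function names are my own.</p>

```python
import ipaddress
import re
# Sample inputs constructed from the values quoted in this thread.
IPSEC_CONF = """\
conn roadwarrior
    leftsubnet=192.168.100.100/32   # home DHCP address
    leftsourceip=192.168.1.11
    rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }
"""
SNAT_RULE = "iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to 192.168.1.11"
PLUTO_LOG = 'Oct 3 16:31:06 magdala pluto[16575]: "roadwarrior/0x1" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode'

def parse_conn(text, name):
    """Return the key=value options of 'conn <name>', comments stripped."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line:
            key, val = line.split("=", 1)
            opts[key.strip()] = val.strip()
    return opts

def parse_snat(rule):
    """Extract the -d destination and --to source address of an iptables SNAT rule."""
    dest = re.search(r"-d\s+(\S+)", rule)
    to = re.search(r"--to(?:-source)?\s+(\S+)", rule)
    return (dest and dest.group(1), to and to.group(1))

def check(conf, rule, conn="roadwarrior"):
    """List mismatches between the conn block and the SNAT rule; [] means consistent."""
    opts = parse_conn(conf, conn)
    left = ipaddress.ip_network(opts["leftsubnet"], strict=False)
    rights = [ipaddress.ip_network(s) for s in opts["rightsubnets"].strip("{} ").split()]
    dest, to = parse_snat(rule)
    problems = []
    # The peer matches the inner source address against leftsubnet; after SNAT that
    # address is --to, so it must fall inside leftsubnet for the peer to accept it.
    if to is None or ipaddress.ip_address(to) not in left:
        problems.append(f"SNAT --to {to} is outside leftsubnet {left}")
    # Only traffic for the remote subnets should be rewritten.
    dnet = ipaddress.ip_network(dest, strict=False) if dest else None
    if dnet is None or not all(r.subnet_of(dnet) for r in rights):
        problems.append(f"SNAT -d {dest} does not cover rightsubnets")
    return problems

def established_sas(log):
    """Connection names for which pluto logged 'IPsec SA established'."""
    return re.findall(r'"([^"]+)" #\d+: STATE_QUICK_I2: sent QI2, IPsec SA established', log)
```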
<br>
</body>
</html>