<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
What firewall rules do you have? If your connection is being
established presumably you are allowing incoming UDP:4500 in your
roadwarrior. Do you also have a rule to allow traffic into the
tunnel? There are lots of different variants I've seen but this
generic one should work:<br>
<blockquote>iptables -t nat -I POSTROUTING -m policy --dir out --pol
ipsec -j ACCEPT<br>
</blockquote>
Nick<br>
<br>
<div class="moz-cite-prefix">On 03/10/2014 14:02, Luca Arzeni wrote:<br>
</div>
<blockquote
cite="mid:trinity-3dd89f0b-1c4c-4aaf-b9f7-fb85aed0dcd9-1412341365002@3capp-mailcom-lxa11"
type="cite">
<div style="font-family: Verdana;font-size: 12.0px;">
<div>
<div>Hi Nick,</div>
<div>I've tried but I've got a timeout:</div>
<div>ssh 192.168.3.10<br>
ssh: connect to host 192.168.3.10 port 22: Connection timed
out</div>
<div> </div>
<div>Is it the firewall that is discarding my packets?</div>
<div><span style="font-family: Verdana, sans-serif, Arial,
'Trebuchet MS'; font-size: 13px; line-height: 1.6em;">Any
hint?</span></div>
<div> </div>
<div>Thanks,</div>
<div>Luca</div>
<div> </div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding:
10px 0 10px 10px; border-left:2px solid #C3D9E5;
word-wrap: break-word; -webkit-nbsp-mode: space;
-webkit-line-break: after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Monday,
September 29, 2014 at 2:12 PM<br>
<b>From:</b> "Nick Howitt" <a class="moz-txt-link-rfc2396E" href="mailto:nick@howitts.co.uk"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca Arzeni" <a class="moz-txt-link-rfc2396E" href="mailto:l.arzeni@iname.com"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.openswan.org"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re: [Openswan Users] Connection to
checkpoint FT NG: ip alias using netkey</div>
<div name="quoted-content">Does it work if you use your
initial configuration then, in your client<br>
at home, add a firewall rule:<br>
<br>
iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT
--to<br>
192.168.1.11<br>
<br>
You can get more selective with the firewall rule if you
need to.<br>
<br>
Nick<br>
<br>
<br>
On 2014-09-29 10:29, Luca Arzeni wrote:<br>
> Hi,<br>
> (it seems that my previous request was unreadable,
so here is a plain<br>
> text one... I apologize...)<br>
> I'm trying to set up a connection from a linux
roadwarrior to<br>
> checkpoint ng Firewall<br>
> client environment: debian wheezy 7.6 amd64,
openswan 2.6.37-3+deb7u1,<br>
> kernel 3.2.60-1+deb7u3 x86_64, NETKEY<br>
><br>
> Topology:<br>
><br>
> client (dhcp ip 192.168.1.11)<br>
> |<br>
> |<br>
> ADSL GW/NAT(public ip unknown)<br>
> |<br>
> |<br>
> (INTERNET)<br>
> |<br>
> |<br>
> CP FIREWALL (public ip Y.Z.W.T)<br>
> |<br>
> |<br>
> two subnets (192.168.2.0/24 192.168.3.0/24)<br>
><br>
> The connection works fine using this setup:<br>
><br>
> # /etc/ipsec.conf - Openswan IPsec configuration
file<br>
> version 2.0 # conforms to second version of
ipsec.conf specification<br>
> config setup<br>
> dumpdir=/var/run/pluto/<br>
> nat_traversal=yes<br>
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>
> oe=off<br>
> protostack=netkey # I set this to avoid warning
message at connection<br>
> startup<br>
><br>
> conn roadwarrior<br>
> left=%defaultroute<br>
> leftsubnet=192.168.1.11/32 # client IP, I need to
set it because I'm<br>
> using also a "rightsubnets" list<br>
> leftcert=client_crt.pem<br>
> leftrsasigkey=%cert<br>
> leftid=%fromcert<br>
> #<br>
> right=Y.Z.W.T<br>
> rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }<br>
> rightcert=firewall_cert.pem<br>
> rightrsasigkey=%cert<br>
> rightid=Y.Z.W.T<br>
> #<br>
> auto=start<br>
><br>
> PROBLEM: This setup works fine until I use client
IP 192.168.1.11,<br>
> which is registered and well known by checkpoint
firewall as a valid<br>
> client IP address.<br>
> BUT when I go home, my client gets a different ip
(let's say<br>
> 192.168.100.100), since at home I'm using a
different subnet (to allow<br>
> connections also to my office).<br>
><br>
> Now, in my understanding, checkpoint has found a
workaround to solve<br>
> this issue.<br>
> Usually, under windows, roadwarrior clients connect
to the CP<br>
> firewalls using a dedicated software made by
Checkpoint developers.<br>
> This software creates a virtual network interface,
assigns to this<br>
> interface the well known client ip (192.168.1.11)
and route all<br>
> traffic through this interface.<br>
> I've tested this software at my home and it works
fine.<br>
><br>
> I would like to mimic this behaviour under linux,
so I set an ip alias<br>
> to my eth0; now my eth0 will have 192.168.100.100
(assigned by DHCP<br>
> server) AND 192.168.1.11 which I set manually on
the interface, BUT I<br>
> found no working configuration for openswan.<br>
><br>
><br>
> Then I've done the following tests:<br>
><br>
><br>
> 1) set leftsubnet using the home network ip, i.e.:<br>
> leftsubnet=192.168.100.100/32 (%defaultroute will
automagically be set to<br>
> 192.168.100.100)<br>
> Connection seems to be OK, I can read in the logs
the following<br>
> message:<br>
> STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode<br>
> {ESP=>0x20906a71 <0x22c34963
xfrm=3DES_0-HMAC_SHA1 NATOA=none<br>
> NATD=none DPD=none}<br>
> *** BUT *** ip route list shows that there is no
route to servers<br>
><br>
> 2) then I've added leftsourceip=192.168.1.11<br>
> Connection seems to be OK, I can read in the logs
the following<br>
> message:<br>
> STATE_QUICK_I2: sent QI2, IPsec SA established
tunnel mode<br>
> {ESP=>0xcd521b9a <0xc6eb8d94
xfrm=3DES_0-HMAC_SHA1 NATOA=none<br>
> NATD=none DPD=none}<br>
> ip route list shows that now the routes are
available:<br>
> 192.168.3.0/24 dev eth0 scope link src 192.168.1.11<br>
> *** BUT *** if I try to connect to a server, I
receive the message:<br>
>> ssh 192.168.3.10<br>
>> ssh: connect to host 192.168.3.10 port 22: No
route to host<br>
><br>
> 3) use leftsubnet=192.168.1.11/32 (that is the
office subnet)<br>
> Connection cannot be established, in the logs I can
see:<br>
> "roadwarrior/0x6" #1: ignoring informational
payload, type<br>
> INVALID_ID_INFORMATION msgid=00000000<br>
> "roadwarrior/0x6" #1: received and ignored
informational message<br>
> This is NOT working at all.<br>
><br>
> 4) set leftsubnets={ 192.168.1.11/32
192.168.100.100/32}<br>
> at start I receive, after the usual message:
"ipsec_setup: multiple ip<br>
> addresses, using 192.168.100.100 on eth0"<br>
> the following (more promising!) message:
"ipsec_setup: defaulting<br>
> leftsubnet to 192.168.1.11"<br>
> *** BUT *** in the logs, I see:<br>
> "roadwarrior/2x6" #1: ignoring informational
payload, type<br>
> INVALID_ID_INFORMATION msgid=00000000<br>
> "roadwarrior/2x6" #1: received and ignored
informational message<br>
> "roadwarrior/1x2" #3: transition from state
STATE_QUICK_I1 to state<br>
> STATE_QUICK_I2<br>
> "roadwarrior/1x2" #3: STATE_QUICK_I2: sent QI2,
IPsec SA established<br>
> tunnel mode {ESP=>0xfcb61ef1 <0x228bfdf9
xfrm=3DES_0-HMAC_SHA1<br>
> NATOA=none NATD=none DPD=none}<br>
> so it looks like really only the first subnet
is working, and<br>
> still I have "no route to host message" when I try
to connect.<br>
><br>
> === CONCLUSION ===<br>
><br>
> I guess that configuration 2 is the right one,
but I'm missing<br>
> something...<br>
> Can someone help me?<br>
><br>
> Thanks,<br>
> larzeni<br>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
</body>
</html>