<html>
  <head>
    <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    Try un-setting the alias. I don't think it is necessary but I have
    no more ideas.<br>
    Nick<br>
    <br>
    <div class="moz-cite-prefix">On 03/10/2014 14:31, Luca Arzeni wrote:<br>
    </div>
    <blockquote
cite="mid:trinity-6d987fff-47dc-44bd-b9f5-ebd8bfa652b5-1412343073902@3capp-mailcom-lxa11"
      type="cite">
      <div style="font-family: Verdana;font-size: 12.0px;">
        <div>No way: Connection timed out</div>
        <div> </div>
        <div>/sbin/iptables -L -n -t nat <br>
          Chain PREROUTING (policy ACCEPT)<br>
          target     prot opt source               destination         </div>
        <div>Chain INPUT (policy ACCEPT)<br>
          target     prot opt source               destination         </div>
        <div>Chain OUTPUT (policy ACCEPT)<br>
          target     prot opt source               destination         </div>
        <div>Chain POSTROUTING (policy ACCEPT)<br>
          target     prot opt source               destination         <br>
          ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
           policy match dir out pol ipsec<br>
          SNAT       all  --  0.0.0.0/0            192.168.3.0/24    
           to:192.168.1.11</div>
        <div> </div>
        <div>I'm wondering if the problem is caused by the ip alias,
          which is out of my 192.168.100.0/24 network...</div>
        <div> </div>
        <div>What do you think?</div>
        <div> </div>
        <div> </div>
        <div> 
          <div name="quote" style="margin:10px 5px 5px 10px; padding:
            10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap:
            break-word; -webkit-nbsp-mode: space; -webkit-line-break:
            after-white-space;">
            <div style="margin:0 0 10px 0;"><b>Sent:</b> Friday, October
              03, 2014 at 3:20 PM<br>
              <b>From:</b> "Nick Howitt" <a class="moz-txt-link-rfc2396E" href="mailto:nick@howitts.co.uk"><nick@howitts.co.uk></a><br>
              <b>To:</b> "Luca Arzeni" <a class="moz-txt-link-rfc2396E" href="mailto:l.arzeni@iname.com"><l.arzeni@iname.com></a><br>
              <b>Cc:</b> users <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.openswan.org"><users@lists.openswan.org></a><br>
              <b>Subject:</b> Re: [Openswan Users] Connection to
              checkpoint FT NG: ip alias using netkey</div>
            <div name="quoted-content">
              <div style="background-color: rgb(255,255,255);">What
                firewall rules do you have? If your connection is being
                established presumably you are allowing incoming
                UDP:4500 in your roadwarrior. Do you also have a rule to
                allow traffic into the tunnel? There are lots of
                different variants I've seen but this generic one should
                work:
                <blockquote>iptables -t nat -I POSTROUTING -m policy
                  --dir out --pol ipsec -j ACCEPT</blockquote>
                Nick<br>
                 
                <div class="moz-cite-prefix">On 03/10/2014 14:02, Luca
                  Arzeni wrote:</div>
                <blockquote>
                  <div style="font-family: Verdana;font-size: 12.0px;">
                    <div>
                      <div>Hi Nick,</div>
                      <div>I've tried but I've got a timeout:</div>
                      <div>ssh 192.168.3.10<br>
                        ssh: connect to host 192.168.3.10 port 22:
                        Connection timed out</div>
                      <div> </div>
                      <div>Is it the firewall that is discarding my packets?</div>
                      <div><span style="font-family: Verdana ,
                          sans-serif , Arial , "Trebuchet
                          MS";font-size: 13.0px;line-height:
                          1.6em;">Any hint?</span></div>
                      <div> </div>
                      <div>Thanks,</div>
                      <div>Luca</div>
                      <div> </div>
                      <div> 
                        <div style="margin: 10.0px 5.0px 5.0px
                          10.0px;padding: 10.0px 0 10.0px
                          10.0px;border-left: 2.0px solid
                          rgb(195,217,229);">
                          <div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Monday,
                            September 29, 2014 at 2:12 PM<br>
                            <b>From:</b> "Nick Howitt" <a
                              moz-do-not-send="true"
                              class="moz-txt-link-rfc2396E"
                              href="nick@howitts.co.uk" target="_parent"><nick@howitts.co.uk></a><br>
                            <b>To:</b> "Luca Arzeni" <a
                              moz-do-not-send="true"
                              class="moz-txt-link-rfc2396E"
                              href="l.arzeni@iname.com" target="_parent"><l.arzeni@iname.com></a><br>
                            <b>Cc:</b> users <a moz-do-not-send="true"
                              class="moz-txt-link-rfc2396E"
                              href="users@lists.openswan.org"
                              target="_parent"><users@lists.openswan.org></a><br>
                            <b>Subject:</b> Re: [Openswan Users]
                            Connection to checkpoint FT NG: ip alias
                            using netkey</div>
                          <div>Does it work if you use your initial
                            configuration then, in your client<br>
                            at home, add a firewall rule:<br>
                            <br>
                            iptables -t nat -I POSTROUTING -d
                            192.168.2.0/23 -j SNAT --to<br>
                            192.168.1.11<br>
                            <br>
                            You can get more selective with the firewall
                            rule if you need to.<br>
                            <br>
                            Nick<br>
                            <br>
                            <br>
                            On 2014-09-29 10:29, Luca Arzeni wrote:<br>
                            > Hi,<br>
                            > (it seems that my previous request was
                            unreadable, so here is a plain<br>
                            > text one... I apologize...)<br>
                            > I'm trying to setup a connection from a
                            linux roadwarrior to<br>
                            > checkpoint ng Firewall<br>
                            > client environment: debian wheezy 7.6
                            amd64, openswan 2.6.37-3+deb7u1,<br>
                            > kernel 3.2.60-1+deb7u3 x86_64, NETKEY<br>
                            ><br>
                            > Topology:<br>
                            ><br>
                            > client (dhcp ip 192.168.1.11)<br>
                            > |<br>
                            > |<br>
                            > ADSL GW/NAT(public ip unknown)<br>
                            > |<br>
                            > |<br>
                            > (INTERNET)<br>
                            > |<br>
                            > |<br>
                            > CP FIREWALL (public ip Y.Z.W.T)<br>
                            > |<br>
                            > |<br>
                            > two subnets (192.168.2.0/24
                            192.168.3.0/24)<br>
                            ><br>
                            > The connection works fine using this
                            setup:<br>
                            ><br>
                            > # /etc/ipsec.conf - Openswan IPsec
                            configuration file<br>
                            > version 2.0 # conforms to second
                            version of ipsec.conf specification<br>
                            > config setup<br>
                            > dumpdir=/var/run/pluto/<br>
                            > nat_traversal=yes<br>
                            >
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>
                            > oe=off<br>
                            > protostack=netkey # I set this to avoid
                            warning message at connection<br>
                            > startup<br>
                            ><br>
                            > conn roadwarrior<br>
                            > left=%defaultroute<br>
                            > leftsubnet=192.168.1.11/32 # client IP,
                            I need to set it because I'm<br>
                            > using also a "rightsubnets" list<br>
                            > leftcert=client_crt.pem<br>
                            > leftrsasigkey=%cert<br>
                            > leftid=%fromcert<br>
                            > #<br>
                            > right=Y.Z.W.T<br>
                            > rightsubnets={ 192.168.2.0/24
                            192.168.3.0/24 }<br>
                            > rightcert=firewall_cert.pem<br>
                            > rightrsasigkey=%cert<br>
                            > rightid=Y.Z.W.T<br>
                            > #<br>
                            > auto=start<br>
                            ><br>
                            > PROBLEM: This setup works fine until I
                            use client IP 192.168.1.11,<br>
                            > which is registered and well known by
                            checkpoint firewall as a valid<br>
                            > client IP address.<br>
                            > BUT when I go home, my client gets a
                            different ip (let's say<br>
                            > 192.168.100.100), since at home I'm
                            using a different subnet (to allow<br>
                            > connections also to my office).<br>
                            ><br>
                            > Now, in my understanding, checkpoint
                            has found a workaround to solve<br>
                            > this issue.<br>
                            > Usually, under windows, roadwarrior
                            clients connect to the CP<br>
                            > firewalls using a dedicated software
                            made by Checkpoint developers.<br>
                            > This software creates a virtual network
                            interface, assigns to this<br>
                            > interface the well known client ip
                            (192.168.1.11) and routes all<br>
                            > traffic through this interface.<br>
                            > I've tested this software at my home
                            and it works fine.<br>
                            ><br>
                            > I would like to mimic this behaviour
                            under linux, so I set an ip alias<br>
                            > to my eth0; now my eth0 will have
                            192.168.100.100 (assigned by DHCP<br>
                            > server) AND 192.168.1.11 which I set
                            manually on the interface, BUT I<br>
                            > found no working configuration for
                            openswan.<br>
                            ><br>
                            ><br>
                            > Then I've done the following tests:<br>
                            ><br>
                            ><br>
                            > 1) set leftsubnet using the home
                            network ip, i.e.:<br>
                            > leftsubnet=192.168.100.100/32
                            (%defaultroute will automagically set to<br>
                            > 192.168.100.100)<br>
                            > Connection seems to be OK, I can read
                            in the logs the following<br>
                            > message:<br>
                            > STATE_QUICK_I2: sent QI2, IPsec SA
                            established tunnel mode<br>
                            > {ESP=>0x20906a71 <0x22c34963
                            xfrm=3DES_0-HMAC_SHA1 NATOA=none<br>
                            > NATD=none DPD=none}<br>
                            > *** BUT *** ip route list shows that
                            there is no route to servers<br>
                            ><br>
                            > 2) then I've added
                            leftsourceip=192.168.1.11<br>
                            > Connection seems to be OK, I can read
                            in the logs the following<br>
                            > message:<br>
                            > STATE_QUICK_I2: sent QI2, IPsec SA
                            established tunnel mode<br>
                            > {ESP=>0xcd521b9a <0xc6eb8d94
                            xfrm=3DES_0-HMAC_SHA1 NATOA=none<br>
                            > NATD=none DPD=none}<br>
                            > ip route list shows that now the routes
                            are available:<br>
                            > 192.168.3.0/24 dev eth0 scope link src
                            192.168.1.11<br>
                            > *** BUT *** if I try to connect to a
                            server, I receive the message:<br>
                            >> ssh 192.168.3.10<br>
                            >> ssh: connect to host 192.168.3.10
                            port 22: No route to host<br>
                            ><br>
                            > 3) use leftsubnet=192.168.1.11/32 (that
                            is the office subnet)<br>
                            > Connection cannot be established, in
                            the logs I can see:<br>
                            > "roadwarrior/0x6" #1: ignoring
                            informational payload, type<br>
                            > INVALID_ID_INFORMATION msgid=00000000<br>
                            > "roadwarrior/0x6" #1: received and
                            ignored informational message<br>
                            > This is NOT working at all.<br>
                            ><br>
                            > 4) set leftsubnets={ 192.168.1.11/32
                            192.168.100.100/32}<br>
                            > at start I receive, after the usual
                            message: "ipsec_setup: multiple ip<br>
                            > addresses, using 192.168.100.100 on
                            eth0"<br>
                            > the following (more promising!) message:
                            "ipsec_setup: defaulting<br>
                            > leftsubnet to 192.168.1.11"<br>
                            > *** BUT *** in the logs, I see:<br>
                            > "roadwarrior/2x6" #1: ignoring
                            informational payload, type<br>
                            > INVALID_ID_INFORMATION msgid=00000000<br>
                            > "roadwarrior/2x6" #1: received and
                            ignored informational message<br>
                            > "roadwarrior/1x2" #3: transition from
                            state STATE_QUICK_I1 to state<br>
                            > STATE_QUICK_I2<br>
                            > "roadwarrior/1x2" #3: STATE_QUICK_I2:
                            sent QI2, IPsec SA established<br>
                            > tunnel mode {ESP=>0xfcb61ef1
                            <0x228bfdf9 xfrm=3DES_0-HMAC_SHA1<br>
                            > NATOA=none NATD=none DPD=none}<br>
                            > so it looks like really only the
                            first subnet is working, and<br>
                            > still I have "no route to host message"
                            when I try to connect.<br>
                            ><br>
                            > === CONCLUSION ===<br>
                            ><br>
                            > I guess that the 2nd configuration is the
                            right one, but I'm missing<br>
                            > something...<br>
                            > Can someone help me?<br>
                            ><br>
                            > Thanks,<br>
                            > larzeni<br>
                            >
                            _______________________________________________<br>
                            > <a moz-do-not-send="true"
                              class="moz-txt-link-abbreviated"
                              href="Users@lists.openswan.org"
                              target="_parent">Users@lists.openswan.org</a><br>
                            > <a moz-do-not-send="true"
                              href="https://lists.openswan.org/mailman/listinfo/users"
                              target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
                            </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
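    <p>The thread above turns on two iptables details: the order of the rules in
    nat/POSTROUTING (ACCEPT is a terminating target, so an ACCEPT for IPsec-bound
    traffic placed ahead of the SNAT means the SNAT is never applied to packets
    entering the tunnel) and whether the SNAT destination covers every subnet
    listed in <code>rightsubnets</code>. The script below is an added example, not
    code from the thread or from Openswan: it parses a constructed copy of the
    <code>iptables -L -n -t nat</code> listing posted above (whitespace normalised
    so each rule is one line) and reports both conditions offline. The function
    names, the FIXED_NAT_LISTING counter-example and its 192.168.2.0/23 rule are
    assumptions for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the thread or Openswan): offline checks over an
# `iptables -L -n -t nat` listing for the two conditions discussed above.

# Constructed copy of the nat table listing posted in the thread, whitespace
# normalised so each rule is one line.
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
SNAT       all  --  0.0.0.0/0            192.168.3.0/24       to:192.168.1.11'

# Constructed counter-example (an assumption, not a listing from the thread):
# SNAT first, covering both tunnel subnets with the /23 from the earliest reply.
FIXED_NAT_LISTING='Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  0.0.0.0/0            192.168.2.0/23       to:192.168.1.11
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec'

# postrouting_rules LISTING: print the rule lines of nat/POSTROUTING only,
# in the order the kernel evaluates them.
postrouting_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain /     { inchain = ($2 == "POSTROUTING"); next }
        /^target /    { next }
        inchain && NF { print }
    '
}

# snat_shadowed LISTING: true (exit 0) when an ACCEPT matching IPsec-bound
# packets (policy match ... pol ipsec) precedes a SNAT in POSTROUTING.
# ACCEPT is a terminating target, so a packet hitting it leaves the chain
# without any NAT mapping; the later SNAT is never applied to it.
snat_shadowed() {
    postrouting_rules "$1" | awk '
        $1 == "ACCEPT" && /pol ipsec/ { accept_seen = 1 }
        $1 == "SNAT" && accept_seen   { shadowed = 1 }
        END { exit (shadowed ? 0 : 1) }
    '
}

# covers SUPERNET SUBNET: true when the first CIDR contains the second,
# e.g. covers 192.168.2.0/23 192.168.3.0/24.
covers() {
    awk -v a="$1" -v b="$2" '
        function ip2n(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
        # prefix(ip, len): the top len bits of ip as an integer
        function prefix(ip, len) { return int(ip2n(ip) / 2^(32 - len)) }
        BEGIN {
            split(a, pa, "/"); split(b, pb, "/")
            if (pa[2] + 0 > pb[2] + 0) exit 1          # a is narrower than b
            if (prefix(pa[1], pa[2]) == prefix(pb[1], pa[2])) exit 0
            exit 1
        }
    '
}

# uncovered_subnets LISTING SUBNET...: print each SUBNET that no SNAT rule
# destination in POSTROUTING contains, i.e. tunnel traffic that would leave
# with the un-NATed source address.
uncovered_subnets() {
    listing=$1; shift
    snat_dsts=$(postrouting_rules "$listing" | awk '$1 == "SNAT" { print $5 }')
    for subnet in "$@"; do
        covered=0
        for dst in $snat_dsts; do
            if covers "$dst" "$subnet"; then covered=1; fi
        done
        if [ "$covered" -eq 0 ]; then printf '%s\n' "$subnet"; fi
    done
}

# Report for the posted listing, using the rightsubnets from the thread.
if snat_shadowed "$SAMPLE_NAT_LISTING"; then
    echo "POSTROUTING: ACCEPT for IPsec policy precedes SNAT; SNAT never applies to tunnel traffic"
fi
for net in $(uncovered_subnets "$SAMPLE_NAT_LISTING" 192.168.2.0/24 192.168.3.0/24); do
    echo "POSTROUTING: no SNAT destination covers $net"
done
```

    <p>To check a live host, pass the real output instead of the sample, for
    example <code>snat_shadowed "$(iptables -L -n -t nat)"</code>. Only the nat
    table is examined: the filter-table rule for inbound UDP 4500 mentioned earlier
    is outside this check, and the chain policy is not a rule, so an empty
    POSTROUTING chain reports nothing.</p>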
    <br>
  </body>
</html>