<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
You need to SNAT traffic from 192.168.100.100 to 192.168.1.11 so my
rule was correct. You don't appear to be using your original
ipsec.conf where leftsubnet was set to 192.168.1.11/32. With your
current setup I doubt that you have an IPsec VPN established. Check
your /var/log/messages for an "IPsec SA established" message to see
if you have a tunnel established.<br>
<br>
<div class="moz-cite-prefix">On 03/10/2014 15:01, Luca Arzeni wrote:<br>
</div>
<blockquote
cite="mid:trinity-acb64260-731f-450a-85d8-1f3d5a676146-1412344898672@3capp-mailcom-lxa03"
type="cite">
<div style="font-family: Verdana;font-size: 12.0px;">
<div>Sorry Nick, but maybe I made a mistake:</div>
<div>you wrote:</div>
<div> </div>
<div>iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT
--to<br>
192.168.1.11</div>
<div> </div>
<div>That is: use the leftsourceip as the SNAT --to address</div>
<div>=> <span style="font-family: Verdana, sans-serif, Arial,
'Trebuchet MS'; font-size: 13px; line-height: 1.6em;">If I
do this I get a: no route to host message!</span></div>
<div> </div>
<div>I've also tested with:</div>
<div>iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT
--to<br>
192.168.100.100</div>
<div> </div>
<div>That is: use my real IP as the SNAT --to address, <br>
=> and this way I've got a timeout message on ssh.</div>
<div> </div>
<div>Just to recap, my current config is:</div>
<div>==========</div>
<div>config setup<br>
dumpdir=/var/run/pluto/<br>
nat_traversal=yes<br>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>
oe=off<br>
protostack=netkey # I set this to avoid warning message at
connection startup</div>
<div>conn roadwarrior<br>
left=%defaultroute<br>
leftsubnet=192.168.100.100/32 # client IP, I need to
set it because I'm using also a "rightsubnets" list<br>
leftcert=my_crt.pem<br>
leftrsasigkey=%cert<br>
leftid=%fromcert<br>
leftsourceip=192.168.1.11<br>
#<br>
right=Y.Z.W.T<br>
rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }<br>
rightcert=fw_crt.pem<br>
rightrsasigkey=%cert<br>
rightid=Y.Z.W.T<br>
#<br>
auto=start</div>
<div>=========</div>
<div>Then: </div>
<div> </div>
<div>With NO rule in the nat table</div>
<div>=> I've got a: "No route to host" message</div>
<div> </div>
<div>
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;">With rule:</div>
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;"><span
style="font-family: Verdana; font-size: 12px; line-height:
19.200000762939453px;">iptables -t nat -I POSTROUTING -d
192.168.2.0/23 -j SNAT --to</span><br style="font-family:
Verdana; font-size: 12px; line-height:
19.200000762939453px;">
<span style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;">192.168.1.11</span></div>
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;">=> I've got: "No
route to host" message</div>
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;"> </div>
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;">
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;">With rule:</div>
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;">iptables -t nat -I
POSTROUTING -d 192.168.2.0/23 -j SNAT --to<br>
192.168.100.100</div>
<div>=> <span style="font-family: Verdana; font-size:
12px; line-height: 19.200000762939453px;"> I've got: "</span>Connection
timed out" message</div>
<div> </div>
<div>The behaviour is the same if I set <span
style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;">192.168.1.11
(leftsourceip)</span> as alias to my eth0 and even if I
don't set it.</div>
<div> </div>
<div>I've no other idea!</div>
<div> </div>
<div>I'm wondering if this is a limit of my openswan release
(2.6.37-3+deb7u1) and if, in a future revision, it could
work...</div>
<div>What do you think?</div>
<div> </div>
<div>Thanks,</div>
<div>Luca</div>
<div> </div>
</div>
<div style="font-family: Verdana; font-size: 12px;
line-height: 19.200000762939453px;"> </div>
</div>
<div>
<div name="quote" style="margin:10px 5px 5px 10px; padding:
10px 0 10px 10px; border-left:2px solid #C3D9E5; word-wrap:
break-word; -webkit-nbsp-mode: space; -webkit-line-break:
after-white-space;">
<div style="margin:0 0 10px 0;"><b>Sent:</b> Friday, October
03, 2014 at 3:45 PM<br>
<b>From:</b> "Nick Howitt" <a class="moz-txt-link-rfc2396E" href="mailto:nick@howitts.co.uk"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca Arzeni" <a class="moz-txt-link-rfc2396E" href="mailto:l.arzeni@iname.com"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a class="moz-txt-link-rfc2396E" href="mailto:users@lists.openswan.org"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re: [Openswan Users] Connection to
checkpoint FT NG: ip alias using netkey</div>
<div name="quoted-content">
<div style="background-color: rgb(255,255,255);">Try
un-setting the alias. I don't think it is necessary but
I have no more ideas.<br>
Nick<br>
<div class="moz-cite-prefix">On 03/10/2014 14:31, Luca
Arzeni wrote:</div>
<blockquote>
<div style="font-family: Verdana;font-size: 12.0px;">
<div>No way: Connection timed out</div>
<div> </div>
<div>/sbin/iptables -L -n -t nat <br>
Chain PREROUTING (policy ACCEPT)<br>
target prot opt source
destination </div>
<div>Chain INPUT (policy ACCEPT)<br>
target prot opt source
destination </div>
<div>Chain OUTPUT (policy ACCEPT)<br>
target prot opt source
destination </div>
<div>Chain POSTROUTING (policy ACCEPT)<br>
target prot opt source
destination <br>
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
policy match dir out pol ipsec<br>
SNAT all -- 0.0.0.0/0
192.168.3.0/24 to:192.168.1.11</div>
<div> </div>
<div>I'm wondering if the problem is caused by the
ip alias, which is out of my 192.168.100.0/24
network...</div>
<div> </div>
<div>What do you think?</div>
<div> </div>
<div> </div>
<div>
<div style="margin: 10.0px 5.0px 5.0px
10.0px;padding: 10.0px 0 10.0px
10.0px;border-left: 2.0px solid
rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Friday,
October 03, 2014 at 3:20 PM<br>
<b>From:</b> "Nick Howitt" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="nick@howitts.co.uk" target="_parent"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca Arzeni" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="l.arzeni@iname.com" target="_parent"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a moz-do-not-send="true"
class="moz-txt-link-rfc2396E"
href="users@lists.openswan.org"
target="_parent"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re: [Openswan Users]
Connection to checkpoint FT NG: ip alias using
netkey</div>
<div>
<div style="background-color:
rgb(255,255,255);">What firewall rules do
you have? If your connection is being
established presumably you are allowing
incoming UDP:4500 in your roadwarrior. Do
you also have a rule to allow traffic into
the tunnel? There are lots of different
variants I've seen but this generic one
should work:
<blockquote>iptables -t nat -I POSTROUTING
-m policy --dir out --pol ipsec -j ACCEPT</blockquote>
Nick<br>
<div class="moz-cite-prefix">On 03/10/2014
14:02, Luca Arzeni wrote:</div>
<blockquote>
<div style="font-family:
Verdana;font-size: 12.0px;">
<div>
<div>Hi Nick,</div>
<div>I've tried but I've got a
timeout:</div>
<div>ssh 192.168.3.10<br>
ssh: connect to host
192.168.3.10 port 22: Connection
timed out</div>
<div> </div>
<div>Is it that the firewall is discarding
my packets?</div>
<div><span>Any hint?</span></div>
<div> </div>
<div>Thanks,</div>
<div>Luca</div>
<div> </div>
<div>
<div style="margin: 10.0px 5.0px
5.0px 10.0px;padding: 10.0px 0
10.0px 10.0px;border-left: 2.0px
solid rgb(195,217,229);">
<div style="margin: 0 0 10.0px 0;"><b>Sent:</b> Monday,
September 29, 2014 at 2:12 PM<br>
<b>From:</b> "Nick Howitt" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><nick@howitts.co.uk></a><br>
<b>To:</b> "Luca Arzeni" <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><l.arzeni@iname.com></a><br>
<b>Cc:</b> users <a
moz-do-not-send="true"
class="moz-txt-link-rfc2396E"><users@lists.openswan.org></a><br>
<b>Subject:</b> Re: [Openswan
Users] Connection to checkpoint
FT NG: ip alias using netkey</div>
<div>Does it work if you use your
initial configuration then, in
your client<br>
at home, add a firewall rule:<br>
<br>
iptables -t nat -I POSTROUTING
-d 192.168.2.0/23 -j SNAT --to<br>
192.168.1.11<br>
<br>
You can get more selective with
the firewall rule if you need
to.<br>
<br>
Nick<br>
<br>
<br>
On 2014-09-29 10:29, Luca Arzeni
wrote:<br>
> Hi,<br>
> (it seems that my previous
request was unreadable, so here
is a plain<br>
> text one... I apologize...)<br>
> I'm trying to setup a
connection from a linux
roadwarrior to<br>
> checkpoint ng Firewall<br>
> client environment: debian
wheezy 7.6 amd64, openswan
2.6.37-3+deb7u1,<br>
> kernel 3.2.60-1+deb7u3
x86_64, NETKEY<br>
><br>
> Topology:<br>
><br>
> client (dhcp ip
192.168.1.11)<br>
> |<br>
> |<br>
> ADSL GW/NAT(public ip
unknown)<br>
> |<br>
> |<br>
> (INTERNET)<br>
> |<br>
> |<br>
> CP FIREWALL (public ip
Y.Z.W.T)<br>
> |<br>
> |<br>
> two subnets (192.168.2.0/24
192.168.3.0/24)<br>
><br>
> The connection works fine
using this setup:<br>
><br>
> # /etc/ipsec.conf -
Openswan IPsec configuration
file<br>
> version 2.0 # conforms to
second version of ipsec.conf
specification<br>
> config setup<br>
> dumpdir=/var/run/pluto/<br>
> nat_traversal=yes<br>
>
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10<br>
> oe=off<br>
> protostack=netkey # I set
this to avoid warning message at
connection<br>
> startup<br>
><br>
> conn roadwarrior<br>
> left=%defaultroute<br>
> leftsubnet=192.168.1.11/32
# client IP, I need to set it
because I'm<br>
> using also a "rightsubnets"
list<br>
> leftcert=client_crt.pem<br>
> leftrsasigkey=%cert<br>
> leftid=%fromcert<br>
> #<br>
> right=Y.Z.W.T<br>
> rightsubnets={
192.168.2.0/24 192.168.3.0/24 }<br>
> rightcert=firewall_cert.pem<br>
> rightrsasigkey=%cert<br>
> rightid=Y.Z.W.T<br>
> #<br>
> auto=start<br>
><br>
> PROBLEM: This setup works
fine until I use client IP
192.168.1.11,<br>
> which is registered and
well known by checkpoint
firewall as a valid<br>
> client IP address.<br>
> BUT when I go home, my
client gets a different ip
(let's say<br>
> 192.168.100.100), since at
home I'm using a different
subnet (to allow<br>
> connections also to my
office).<br>
><br>
> Now, in my understanding,
checkpoint has found a
workaround to solve<br>
> this issue.<br>
> Usually, under windows,
roadwarrior clients connect to
the CP<br>
> firewalls using a dedicated
software made by Checkpoint
developers.<br>
> This software creates a
virtual network interface,
assigns to this<br>
> interface the well known
client ip (192.168.1.11) and
route all<br>
> traffic through this
interface.<br>
> I've tested this software
at my home and it works fine.<br>
><br>
> I would like to mimic this
behaviour under linux, so I set
an ip alias<br>
> to my eth0; now my eth0
will have 192.168.100.100
(assigned by DHCP<br>
> server) AND 192.168.1.11
which I set manually on the
interface, BUT I<br>
> found no working
configuration for openswan.<br>
><br>
><br>
> Then I've done the
following tests:<br>
><br>
><br>
> 1) set leftsubnet using the
home network ip, i.e.:<br>
>
leftsubnet=192.168.100.100/32
(%defaultroute will
automagically set to<br>
> 192.168.100.100)<br>
> Connection seems to be OK,
I can read in the logs the
following<br>
> message:<br>
> STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode<br>
> {ESP=>0x20906a71
<0x22c34963
xfrm=3DES_0-HMAC_SHA1 NATOA=none<br>
> NATD=none DPD=none}<br>
> *** BUT *** ip route list
shows that there is no route to
servers<br>
><br>
> 2) then I've added
leftsourceip=192.168.1.11<br>
> Connection seems to be OK,
I can read in the logs the
following<br>
> message:<br>
> STATE_QUICK_I2: sent QI2,
IPsec SA established tunnel mode<br>
> {ESP=>0xcd521b9a
<0xc6eb8d94
xfrm=3DES_0-HMAC_SHA1 NATOA=none<br>
> NATD=none DPD=none}<br>
> ip route list shows that
now the routes are available:<br>
> 192.168.3.0/24 dev eth0
scope link src 192.168.1.11<br>
> *** BUT *** if I try to
connect to a server, I receive
the message:<br>
>> ssh 192.168.3.10<br>
>> ssh: connect to host
192.168.3.10 port 22: No route
to host<br>
><br>
> 3) use
leftsubnet=192.168.1.11/32 (that
is the office subnet)<br>
> Connection cannot be
established, in the logs I can
see:<br>
> "roadwarrior/0x6" #1:
ignoring informational payload,
type<br>
> INVALID_ID_INFORMATION
msgid=00000000<br>
> "roadwarrior/0x6" #1:
received and ignored
informational message<br>
> This is NOT working at all.<br>
><br>
> 4) set leftsubnets={
192.168.1.11/32
192.168.100.100/32}<br>
> at start I receive, after
the usual message: "ipsec_setup:
multiple ip<br>
> addresses, using
192.168.100.100 on eth0"<br>
> the following (more
promising!) message:
"ipsec_setup: defaulting<br>
> leftsubnet to 192.168.1.11"<br>
> *** BUT *** in the logs, I
see:<br>
> "roadwarrior/2x6" #1:
ignoring informational payload,
type<br>
> INVALID_ID_INFORMATION
msgid=00000000<br>
> "roadwarrior/2x6" #1:
received and ignored
informational message<br>
> "roadwarrior/1x2" #3:
transition from state
STATE_QUICK_I1 to state<br>
> STATE_QUICK_I2<br>
> "roadwarrior/1x2" #3:
STATE_QUICK_I2: sent QI2, IPsec
SA established<br>
> tunnel mode
{ESP=>0xfcb61ef1
<0x228bfdf9
xfrm=3DES_0-HMAC_SHA1<br>
> NATOA=none NATD=none
DPD=none}<br>
> so it looks like that
really only the first subnet is
working, and<br>
> still I have "no route to
host message" when I try to
connect.<br>
><br>
> === CONCLUSION ===<br>
><br>
> I guess that the 2nd
configuration is the right one,
but I'm missing<br>
> something...<br>
> Can someone help me?<br>
><br>
> Thanks,<br>
> larzeni<br>
>
_______________________________________________<br>
> <a moz-do-not-send="true"
class="moz-txt-link-abbreviated">Users@lists.openswan.org</a><br>
> <a moz-do-not-send="true"
href="https://lists.openswan.org/mailman/listinfo/users" target="_blank">https://lists.openswan.org/mailman/listinfo/users</a><br>
> Micropayments: <a
moz-do-not-send="true"
href="https://flattr.com/thing/38387/IPsec-for-Linux-made-easy"
target="_blank">https://flattr.com/thing/38387/IPsec-for-Linux-made-easy</a><br>
> Building and Integrating
Virtual Private Networks with
Openswan:<br>
> <a moz-do-not-send="true"
href="http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155"
target="_blank">http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155</a></div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</div>
</div>
</blockquote>
<br>
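<p>The check Nick asks for in the reply above (look in /var/log/messages for an "IPsec SA established" line) is easy to get wrong when a conn uses leftsubnets/rightsubnets, because pluto then logs one instance per subnet pair (the "roadwarrior/1x2" and "roadwarrior/2x6" names in Luca's test 4) and only some of them may have come up. The script below is an added example, not code from this thread or from the Openswan project: it reports, per conn instance, whether an SA was established (with its ESP SPIs and transform) or whether the peer rejected it with an informational payload such as INVALID_ID_INFORMATION. The sample log it writes is constructed here, modelled on the messages quoted in the thread; the function and file names are this example's own.</p>
<pre>
```shell
#!/bin/sh
# Added example (not part of the thread): summarise the pluto state of a
# connection from its log lines, i.e. the "IPsec SA established" check.
#
# Usage:  tunnel_state <conn-name[/instance]> <logfile>
# Prints: ESTABLISHED <outbound-SPI> <inbound-SPI> <transform>
#         REJECTED <informational payload type>
#         NONE
# Exit status is 0 only when an SA was established.

tunnel_state() {
    conn="$1"
    log="$2"
    # pluto prefixes every line with the quoted conn name, so anchor on the
    # opening quote; a bare conn name also matches its "/NxM" instances.
    est=$(grep -F -- "\"$conn" "$log" | grep "IPsec SA established" | tail -n 1)
    rej=$(grep -F -- "\"$conn" "$log" | grep "ignoring informational payload" | tail -n 1)
    if [ -n "$est" ]; then
        # The {ESP=>0x... <0x... xfrm=...} block carries the SPIs and transform
        spis=$(printf '%s\n' "$est" | sed -n 's/.*ESP=>\(0x[0-9a-f]*\) <\(0x[0-9a-f]*\).*/\1 \2/p')
        xfrm=$(printf '%s\n' "$est" | sed -n 's/.*xfrm=\([^ }]*\).*/\1/p')
        echo "ESTABLISHED $spis $xfrm"
        return 0
    fi
    if [ -n "$rej" ]; then
        # e.g. INVALID_ID_INFORMATION: the peer did not accept the proposed IDs/subnets
        reason=$(printf '%s\n' "$rej" | sed -n 's/.*type \([A-Z_]*\).*/\1/p')
        echo "REJECTED $reason"
        return 1
    fi
    echo "NONE"
    return 1
}

# Constructed sample log, modelled on the lines quoted in the thread
# (leftsubnets with two entries: instance 2x6 rejected, instance 1x2 up).
write_sample_log() {
    cat > "$1" <<'EOF'
Oct  3 14:31:02 client pluto[1234]: "roadwarrior/2x6" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
Oct  3 14:31:02 client pluto[1234]: "roadwarrior/2x6" #1: received and ignored informational message
Oct  3 14:31:03 client pluto[1234]: "roadwarrior/1x2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Oct  3 14:31:03 client pluto[1234]: "roadwarrior/1x2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfcb61ef1 <0x228bfdf9 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
EOF
}

# Stand-alone demo on the constructed sample (REJECTED/NONE exit 1, ignored here)
sample=$(mktemp)
write_sample_log "$sample"
for c in roadwarrior/2x6 roadwarrior/1x2 roadwarrior office; do
    printf '%-18s ' "$c"
    tunnel_state "$c" "$sample" || true
done
rm -f "$sample"
```
</pre>
<p>Run it against the real log (<code>tunnel_state roadwarrior /var/log/messages</code>) before touching the nat table: if it prints REJECTED or NONE there is no tunnel for the SNAT rule to feed, and the leftsubnet/rightsubnets definitions are where to look. Printing the transform also shows what the peer actually negotiated (3DES with HMAC-SHA1 in the quoted logs).</p>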
</body>
</html>