[Openswan Users] Connection to checkpoint FT NG: ip alias using netkey

Luca Arzeni l.arzeni at iname.com
Mon Sep 29 05:29:05 EDT 2014


Hi,
(it seems that my previous request was unreadable, so here is a plain text one... I apologize...)
I'm trying to setup a connection form a linux roadwarrior to checkpoint ng Firewall
client environment: debian wheezy 7.6 amd64, openswan 2.6.37-3+deb7u1, kernel 3.2.60-1+deb7u3 x86_64, NETKEY

Topology:

client (dhcp ip 192.168.1.11)
|
|
ADSL GW/NAT(public ip unknown)
|
|
(INTERNET)
|
|
CP FIREWALL (public ip Y.Z.W.T)
|
|
two subnets (192.168.2.0/24 192.168.3.0/24)

The connection works fine using this setup:

# /etc/ipsec.conf - Openswan IPsec configuration file
version 2.0 # conforms to second version of ipsec.conf specification
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey # I set this to avoid warning message at connection startup

conn roadwarrior
left=%defaultroute
leftsubnet=192.168.1.11/32 # client IP, I need to set it because I'm using also a "rightsubnets" list
leftcert=client_crt.pem
leftrsasigkey=%cert
leftid=%fromcert
#
right=Y.Z.W.T
rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }
rightcert=firewall_cert.pem
rightrsasigkey=%cert
rightid=Y.Z.W.T
#
auto=start

PROBLEM: This setup works fine until I use client IP 192.168.1.11, which is registered and well known by checkpoint firewall as a valid client IP address.
BUT when I go home, my client gets a different ip (let's say 192.168.100.100), since at home I'm using a different subnet (to allow connections also to my office).

Now, in my understanding, checkpoint has found a workaround to solve this issue.
Usually, under windows, roadwarrior clients connect to the CP firewalls using a dedicated software made by Checkpoint developers.
This software creates a virtual network interface, assigns to this interface the well known client ip (192.168.1.11) and route all traffic through this interface.
I've tested this software at my home and it works fine.

I would like to mimic this behaviour under linux, so I set an ip alias to my eth0; now my eth0 will have 192.168.100.100 (assigned by DHCP server) AND 192.168.1.11 which I set manually on the interface, BUT I found no working configuration for openswan.


Then I've done the following tests:


1) set leftsubnet using the home network ip, i.e.: leftsubnet=192.168.100.100/32 (%defaultroute will automagically set to 192.168.100.100)
Connection seems to be OK, I can read in the logs the following message:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x20906a71 <0x22c34963 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
*** BUT *** ip route list shows that there is no route to servers

2) then I've add leftsourceip=192.168.1.11
Connection seems to be OK, I can read in the logs the following message:
STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xcd521b9a <0xc6eb8d94 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
ip route list shows that now the routes are available:
192.168.3.0/24 dev eth0 scope link src 192.168.1.11
*** BUT *** if I try to connect to a server, I receive the message:
>ssh 192.168.3.10
>ssh: connect to host 192.168.3.10 port 22: No route to host

3) use leftsubnet=192.168.1.11/32 (that is the office subnet)
Connection cannot be established, in the logs I can see:
"roadwarrior/0x6" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
"roadwarrior/0x6" #1: received and ignored informational message
This is NOT working at all.

4) set leftsubnets={ 192.168.1.11/32 192.168.100.100/32}
at start I receive, after the usual message: "ipsec_setup: multiple ip addresses, using 192.168.100.100 on eth0"
the followin (more promising!) message: "ipsec_setup: defaulting leftsubnet to 192.168.1.11"
*** BUT *** in the logs, I see:
"roadwarrior/2x6" #1: ignoring informational payload, type INVALID_ID_INFORMATION msgid=00000000
"roadwarrior/2x6" #1: received and ignored informational message
"roadwarrior/1x2" #3: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
"roadwarrior/1x2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0xfcb61ef1 <0x228bfdf9 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=none DPD=none}
so it looks like that really only the first subnet is working, and still I have "no route to host message" when I try to connect.

=== CONCLUSION ===

I guess that the 2 configuration is the right one, but I'm missing something...
Can someone help me?

Thanks,
larzeni


More information about the Users mailing list