[Openswan Users] Connection to checkpoint FT NG: ip alias using netkey
Nick Howitt
nick at howitts.co.uk
Mon Sep 29 08:12:09 EDT 2014
Does it work if you use your initial configuration then, in your client
at home, add a firewall rule:
iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to 192.168.1.11
You can get more selective with the firewall rule if you need to.
Nick
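To make the reasoning behind that rule concrete, here is an added example (not from the thread or from Openswan itself) that models the NETKEY behaviour the rule relies on: an IPsec policy only protects packets whose source and destination fall inside the negotiated selectors (leftsubnet/rightsubnets), and a POSTROUTING SNAT rule rewrites the source before that policy lookup runs. The addresses are the ones from the thread; the policy and NAT tables are a constructed model, not real kernel state.

```python
import ipaddress

# Constructed model: the selectors the tunnel negotiates (values from the thread).
IPSEC_POLICIES = [
    ("192.168.1.11/32", "192.168.2.0/24"),
    ("192.168.1.11/32", "192.168.3.0/24"),
]

# Model of: iptables -t nat -I POSTROUTING -d 192.168.2.0/23 -j SNAT --to 192.168.1.11
SNAT_RULES = [("192.168.2.0/23", "192.168.1.11")]


def apply_snat(src, dst, rules):
    """Return the source address after the first matching SNAT rule, if any."""
    for match_dst, new_src in rules:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(match_dst):
            return new_src
    return src


def ipsec_protected(src, dst, policies):
    """True if some policy selector covers the packet, i.e. it would be encapsulated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in ipaddress.ip_network(ps) and d in ipaddress.ip_network(pd)
               for ps, pd in policies)


def egress(src, dst, snat_rules=()):
    """Model the outbound path: SNAT (if configured) first, then the xfrm policy match.
    Returns (source address on the wire, "ipsec" or "clear")."""
    src = apply_snat(src, dst, snat_rules)
    return src, ("ipsec" if ipsec_protected(src, dst, IPSEC_POLICIES) else "clear")


def rule_covers_both_subnets():
    """The /23 in the SNAT rule spans both remote /24s from the thread."""
    block = ipaddress.ip_network("192.168.2.0/23")
    return all(ipaddress.ip_network(n).subnet_of(block)
               for n in ("192.168.2.0/24", "192.168.3.0/24"))


if __name__ == "__main__":
    # Home DHCP address without SNAT: no selector covers it, so nothing is tunnelled
    print(egress("192.168.100.100", "192.168.3.10"))
    # With the SNAT rule the packet leaves as 192.168.1.11 and matches the policy
    print(egress("192.168.100.100", "192.168.3.10", SNAT_RULES))
    print(rule_covers_both_subnets())
```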
On 2014-09-29 10:29, Luca Arzeni wrote:
> Hi,
> (it seems that my previous request was unreadable, so here is a plain
> text one... I apologize...)
> I'm trying to set up a connection from a Linux roadwarrior to a
> Checkpoint NG firewall
> client environment: debian wheezy 7.6 amd64, openswan 2.6.37-3+deb7u1,
> kernel 3.2.60-1+deb7u3 x86_64, NETKEY
>
> Topology:
>
> client (dhcp ip 192.168.1.11)
> |
> |
> ADSL GW/NAT(public ip unknown)
> |
> |
> (INTERNET)
> |
> |
> CP FIREWALL (public ip Y.Z.W.T)
> |
> |
> two subnets (192.168.2.0/24 192.168.3.0/24)
>
> The connection works fine using this setup:
>
> # /etc/ipsec.conf - Openswan IPsec configuration file
> version 2.0 # conforms to second version of ipsec.conf specification
> config setup
> dumpdir=/var/run/pluto/
> nat_traversal=yes
> virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
> oe=off
> protostack=netkey # I set this to avoid warning message at connection startup
>
> conn roadwarrior
> left=%defaultroute
> leftsubnet=192.168.1.11/32 # client IP, I need to set it because I'm using also a "rightsubnets" list
> leftcert=client_crt.pem
> leftrsasigkey=%cert
> leftid=%fromcert
> #
> right=Y.Z.W.T
> rightsubnets={ 192.168.2.0/24 192.168.3.0/24 }
> rightcert=firewall_cert.pem
> rightrsasigkey=%cert
> rightid=Y.Z.W.T
> #
> auto=start
>
> PROBLEM: This setup works fine as long as I use client IP 192.168.1.11,
> which is registered and well known by the checkpoint firewall as a valid
> client IP address.
> BUT when I go home, my client gets a different ip (let's say
> 192.168.100.100), since at home I'm using a different subnet (to allow
> connections also to my office).
>
> Now, in my understanding, checkpoint has found a workaround to solve
> this issue.
> Usually, under windows, roadwarrior clients connect to the CP
> firewalls using a dedicated software made by Checkpoint developers.
> This software creates a virtual network interface, assigns to this
> interface the well known client ip (192.168.1.11) and routes all
> traffic through this interface.
> I've tested this software at my home and it works fine.
>
> I would like to mimic this behaviour under linux, so I set an ip alias
> to my eth0; now my eth0 will have 192.168.100.100 (assigned by DHCP
> server) AND 192.168.1.11 which I set manually on the interface, BUT I
> found no working configuration for openswan.
>
>
> Then I've done the following tests:
>
>
> 1) set leftsubnet using the home network ip, i.e.:
> leftsubnet=192.168.100.100/32 (%defaultroute will automagically set to
> 192.168.100.100)
> Connection seems to be OK, I can read in the logs the following
> message:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0x20906a71 <0x22c34963 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
> *** BUT *** ip route list shows that there is no route to servers
>
> 2) then I've added leftsourceip=192.168.1.11
> Connection seems to be OK, I can read in the logs the following
> message:
> STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode
> {ESP=>0xcd521b9a <0xc6eb8d94 xfrm=3DES_0-HMAC_SHA1 NATOA=none
> NATD=none DPD=none}
> ip route list shows that now the routes are available:
> 192.168.3.0/24 dev eth0 scope link src 192.168.1.11
> *** BUT *** if I try to connect to a server, I receive the message:
>> ssh 192.168.3.10
>> ssh: connect to host 192.168.3.10 port 22: No route to host
>
> 3) use leftsubnet=192.168.1.11/32 (that is the office subnet)
> Connection cannot be established, in the logs I can see:
> "roadwarrior/0x6" #1: ignoring informational payload, type
> INVALID_ID_INFORMATION msgid=00000000
> "roadwarrior/0x6" #1: received and ignored informational message
> This is NOT working at all.
>
> 4) set leftsubnets={ 192.168.1.11/32 192.168.100.100/32}
> at start I receive, after the usual message: "ipsec_setup: multiple ip
> addresses, using 192.168.100.100 on eth0"
> the following (more promising!) message: "ipsec_setup: defaulting
> leftsubnet to 192.168.1.11"
> *** BUT *** in the logs, I see:
> "roadwarrior/2x6" #1: ignoring informational payload, type
> INVALID_ID_INFORMATION msgid=00000000
> "roadwarrior/2x6" #1: received and ignored informational message
> "roadwarrior/1x2" #3: transition from state STATE_QUICK_I1 to state
> STATE_QUICK_I2
> "roadwarrior/1x2" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
> tunnel mode {ESP=>0xfcb61ef1 <0x228bfdf9 xfrm=3DES_0-HMAC_SHA1
> NATOA=none NATD=none DPD=none}
> so it looks like really only the first subnet is working, and
> I still get the "no route to host" message when I try to connect.
>
> === CONCLUSION ===
>
> I guess that configuration 2 is the right one, but I'm missing
> something...
> Can someone help me?
>
> Thanks,
> larzeni
> _______________________________________________
> Users at lists.openswan.org
> https://lists.openswan.org/mailman/listinfo/users