<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 12 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:"Cambria Math";
        panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0cm;
        margin-bottom:.0001pt;
        font-size:11.0pt;
        font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0cm;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:"Calibri","sans-serif";
        color:windowtext;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;}
@page Section1
        {size:612.0pt 792.0pt;
        margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.Section1
        {page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="2050" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-CA link=blue vlink=purple>
<div class=Section1>
<p class=MsoNormal>Hello all,<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I’m new to the ipsec world and need some guidance
on configuration. I had tried racoon, but it just wasn’t working, then I
found openswan and it seems to be more feature rich and customizable.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Here’s what I need to do:<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I need to have my redhat enterprise linux machine attempt to
use ipsec when connecting via the SNMP protocol to windows servers. I can’t
use a tunnel (vpn) setup as the redhat box is a management server that will be
connecting to thousands of servers on our various (numerous) networks, so we
will need transport mode and set to specific ports to protect. For our ISO and
SAS security requirements, the data collected over snmp cannot flow clear text
and must be encrypted. Microsoft doesn’t allow for any
authentication/encryption with their snmp v2c implementation (bastards!), so I
need to use ipsec to secure the data.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>So, to review, I need to configure the redhat server
openswan to attempt ipsec when that server connects with the snmp protocol
outbound. If an ipsec connection cannot be established, it should fall back to
non-ipsec mode (for our linux servers that run snmp v3 with built-in
authentication/encryption and don’t require ipsec). I do not need
assistance with the windows side of the ipsec setup, that’s been easily
set up already, and I can refine the authentication hashes and encryption
algorithms once I get the main config figured out.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>I should note that during my trials with racoon, I was able
to get the redhat server to use ipsec with a windows box when I defined the
specific ip and port for the windows host. If I tried to use a policy for a
subnet or any remote host, it fails in phase 2. Furthermore, we plan to use
x509 certs for ipsec, and racoon doesn’t properly use CRL which we will
require.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<p class=MsoNormal>Thanks to anyone for any tips on how to get this going. I’ve
been trying various things with openswan and it’s just not kicking in.<o:p></o:p></p>
<p class=MsoNormal><o:p> </o:p></p>
<table class=MsoNormalTable border=0 cellspacing=0 cellpadding=0
style='border-collapse:collapse'>
<tr>
<td width=216 valign=top style='width:162.0pt;padding:0cm 5.4pt 0cm 5.4pt'>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>Ryan Bohn</span></b><b><span style='font-size:10.0pt;font-family:
"Arial","sans-serif";color:black'><o:p></o:p></span></b></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:black'>Corporate Systems Engineer<b><o:p></o:p></b></span></p>
<p class=MsoNormal><b><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:black'><o:p> </o:p></span></b></p>
<p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";
color:black'>Summit with Tenzing<o:p></o:p></span></b></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:black'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:black'>Phone: +1 877 767 5577 ext 203<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:black'>Mobile: +1 250 215 2299<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:black'>Fax: +1 416 981 3007<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:black'>Web: </span><span style='font-size:9.0pt;font-family:"Arial","sans-serif";
color:#1F497D'><a href="http://www.tenzing.com/"><span style='color:blue'>www.tenzing.com</span></a></span><span
style='font-size:9.0pt;font-family:"Arial","sans-serif";color:black'><o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:9.0pt;font-family:"Arial","sans-serif"'><o:p> </o:p></span></p>
</td>
</tr>
</table>
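<p class=MsoNormal>The setup asked for above, as an added example that is not part of the original post and not openswan project documentation: an openswan ipsec.conf that protects only SNMP (UDP/161) from the RHEL management server to each Windows host in transport mode, authenticated with X.509 certificates and CRL checking. The addresses, certificate file name and algorithm choices are placeholders to be replaced with your own; the Windows side is left as already configured. Because a transport-mode SA is negotiated between one pair of hosts, there is no per-subnet selector the way there is in tunnel mode, which is also why the racoon subnet policy failed in phase 2; each Windows host gets its own short conn stanza (easily generated from a host list), while shared settings live in conn %default.</p>

```ini
# Added example, not from the original post. openswan /etc/ipsec.conf
# for transport-mode protection of SNMP only. Placeholder values:
#   192.0.2.10      the RHEL management server (left)
#   198.51.100.21   one Windows SNMP agent (right); repeat one conn per host
#   mgmt.example.crt our host certificate in /etc/ipsec.d/certs
version 2.0

config setup
        protostack=netkey
        nat_traversal=no
        # X.509 revocation: refresh CRLs hourly and refuse peers whose
        # certificate cannot be checked against a current CRL (fail closed).
        crlcheckinterval=3600
        strictcrlpolicy=yes

# Settings shared by every per-host conn below.
conn %default
        type=transport
        keyexchange=ike
        authby=rsasig
        left=192.0.2.10
        leftcert=mgmt.example.crt
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        rightca=%same                 # peer cert must chain to the same CA as ours
        # Traffic selectors: any local UDP source port -> UDP/161 on the peer.
        # Nothing else to these hosts is touched by IPsec.
        leftprotoport=17/%any
        rightprotoport=17/161
        # Placeholder algorithms; tighten once negotiation works.
        ike=aes128-sha1;modp1024
        phase2=esp
        phase2alg=aes128-sha1
        # If negotiation with a host fails, drop the selected traffic rather
        # than letting SNMP leave in clear text. failureshunt=passthrough would
        # give the fall-back-to-clear behaviour asked for in the post, but for
        # hosts that cannot do SNMPv3 that defeats the encryption requirement.
        failureshunt=drop
        # auto=start negotiates at pluto startup; auto=route would instead
        # install the policy and negotiate on the first matching packet.
        auto=start

# One stanza per Windows host; everything else is inherited from %default.
conn win-snmp-198.51.100.21
        right=198.51.100.21
```

<p class=MsoNormal>Linux hosts that already speak authenticated SNMPv3 simply get no conn, so their traffic is never selected by a policy and needs no fall-back logic at all. Verify the result with ipsec verify, ipsec auto --status and a packet capture on the management server showing ESP rather than clear UDP/161 towards a Windows host; a per-host stanza list for thousands of hosts is best generated from your inventory rather than maintained by hand.</p>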
<p class=MsoNormal><o:p> </o:p></p>
</div>
</body>
</html>