<p>Thanks Daniel,</p>
<p>Basically what I was wondering but well worded, thanks.</p>
<p>Sent from my Galaxy Tab</p>
<div class="gmail_quote">On Jul 31, 2012 1:59 PM, "Daniel Cave" <<a href="mailto:dan.cave@me.com">dan.cave@me.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div>Hi Igor, Muhammad,<br><br>The output from Igor's netstat shows that Pluto is listening on port 3082, and at the same time receiving SYN packets from localhost on ports 44259 upwards.. (quite why i'm not sure) This explains the additional processes spawned from the main pluto process.<br>
<br><strong>My</strong> own Openswan ipsec config on my Centos5.x box shows Pluto listening on port 4500 (which is default) along with port 500 for IKE/phase 1 auth<br><br>[root@fcs01 ~]# netstat -npa|grep plu<br>udp 0 0 <a href="http://127.0.0.1:4500" target="_blank">127.0.0.1:4500</a> 0.0.0.0:* 3806/pluto<br>
udp 0 0 <a href="http://10.23.50.68:4500" target="_blank">10.23.50.68:4500</a> 0.0.0.0:* 3806/pluto<br>udp 0 0 <a href="http://10.49.73.1:4500" target="_blank">10.49.73.1:4500</a> 0.0.0.0:* 3806/pluto<br>
udp 0 0 <a href="http://127.0.0.1:500" target="_blank">127.0.0.1:500</a> 0.0.0.0:* 3806/pluto<br>udp 0 0 <a href="http://10.23.50.68:500" target="_blank">10.23.50.68:500</a> 0.0.0.0:* 3806/pluto<br>
udp 0 0 <a href="http://10.49.73.1:500" target="_blank">10.49.73.1:500</a> 0.0.0.0:* 3806/pluto<br>udp 0 0 ::1:500 :::* 3806/pluto<br>
<br>Igor, I would hazard a guess that someone has edited your config (/etc/ipsec.d/ipsec.conf) <br><br>Are doing port forwarding at your boundary router for IPsec connections and doing NAT by forward packets to your ipsec device/linux host - which is listening on ?<br>
<br><br><div><blockquote type="cite"><div><div class="gmail_quote">On Jul 31, 2012 12:54 AM, "Igor Lasic" <<a href="mailto:ilasic@yahoo.com" target="_blank">ilasic@yahoo.com</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div>Hello Muhammad, thanks for responding.<br> <br> I am seeing TCP port 3082 opened as in below. We have also tried with port 3081 and got the same result where pluto took it.<br> </div></div></blockquote></div></div>
</blockquote><span> </span><br>This part is most interesting.....you have a _lot_ of connections coming from localhost to localhost:3082 - since there are sys_received, close_wait and fin_wait packets, it implies that either Apache/httpd is configured to talk to Ipsecd or one of your config's is messed up badly.<br>
<br>Time to get tcpdump and wireshark out and capture your traffic - first I would check network configs and stop ipsec and see what your apps are doing.<br><br><blockquote type="cite"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><div><br> Unfortunately we cannot guarantee the order in which services will start and cannot use other means such as SE security.<br> <br> netstat -nap | grep 3082<br> <strong>tcp 0 0 <a href="http://0.0.0.0:3082" target="_blank">0.0.0.0:3082</a> 0.0.0.0:* LISTEN <span style="text-decoration:underline">7450</span>/sh</strong><br>
tcp 0 0 <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> <a href="http://127.0.0.1:44259" target="_blank">127.0.0.1:44259</a> SYN_RECV -<br> tcp 0 0 <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> <a href="http://127.0.0.1:44261" target="_blank">127.0.0.1:44261</a> SYN_RECV -<br>
tcp 0 0 <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> <a href="http://127.0.0.1:45281" target="_blank">127.0.0.1:45281</a> SYN_RECV -<br> tcp 349 0 <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> <a href="http://127.0.0.1:49980" target="_blank">127.0.0.1:49980</a> CLOSE_WAIT -<br>
tcp 345 0 <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> <a href="http://127.0.0.1:34400" target="_blank">127.0.0.1:34400</a> CLOSE_WAIT -<br> tcp 343 0 <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> <a href="http://127.0.0.1:49530" target="_blank">127.0.0.1:49530</a> CLOSE_WAIT -<br>
tcp 0 345 <a href="http://127.0.0.1:44259" target="_blank">127.0.0.1:44259</a> <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> FIN_WAIT1 -<br> tcp 0 329 <a href="http://127.0.0.1:44261" target="_blank">127.0.0.1:44261</a> <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> FIN_WAIT1 -<br>
tcp 0 329 <a href="http://127.0.0.1:45281" target="_blank">127.0.0.1:45281</a> <a href="http://127.0.0.1:3082" target="_blank">127.0.0.1:3082</a> ESTABLISHED 25856/httpd<br> <br> root@lang-armagent-2a ~]# ps -ef | grep 7450<br>
root <span style="text-decoration:underline"><strong>7450 </strong></span>1 0 Jul23 ? 00:00:00<span style="text-decoration:underline"><strong> /bin/sh /usr/lib64/ipsec/_plutorun </strong></span>--debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12</a> --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid<br>
root 7452 7450 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:<a href="http://10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12" target="_blank">10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12</a> --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid<br>
root 7455 7450 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutoload --wait no --post<br> root 28674 3185 0 22:39 pts/0 00:00:00 grep 7450<br> <br> On 7/30/2012 6:29 PM, Muhammad El-Sergani wrote:<br>
</div><blockquote type="cite"><p>Hello Igor, what's that port number?<br> This shouldn't happen I believe.</p><p>Sent from my Galaxy Tab</p><div class="gmail_quote">On Jul 31, 2012 12:28 AM, "Igor Lasic" <<a href="mailto:ilasic@yahoo.com" target="_blank">ilasic@yahoo.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>Hello everyone,<br> <br> I have a problem where openswan ipsec opens out a TCP port when it starts that conflicts with our web service;.<br>
<br> It appears the TCP port is not fixed as we've attempted to use a different port and ipsec service still showed up as listening on that port.<br> <br> Anyone know what is the port used for and can the port be configured or can the "feature" be disabled?<br>
<br> Thanks,<br> <br> Igor<br> <br> <span style="font-size:small" size="3"><span style="color:#909090" color="#909090"><br> </span></span></div><br></blockquote></div></blockquote></div></blockquote></div></div></blockquote>
</div><br></div></div></blockquote></div>