[Openswan Users] securing data between two hosts for a specific port

Ryan Bohn ryan.bohn at tenzing.com
Thu Aug 27 19:15:06 EDT 2009

Hello all,

I'm new to the ipsec world and needing some guidance on configuration. I had tried racoon, but it just wasn't working, then I found openswan and it seems to be more feature-rich and customizable.

Here's what I need to do:

I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can't use a tunnel (vpn) setup as the redhat box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn't allow for any authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.

So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If an ipsec connection cannot be established, it should fall back to non-ipsec mode (for our linux servers that run snmp v3 with built-in authentication/encryption and don't require ipsec). I do not need assistance with the windows side of the ipsec setup, that's been easily set up already, and I can refine the authentication hashes and encryption algorithms once I get the main config figured out.

I should note that during my trials with racoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and racoon doesn't properly use CRL which we will require.

Thanks to anyone for any tips on how to get this going. I've been trying various things with openswan and it's just not kicking in.

Ryan Bohn
Corporate Systems Engineer

Summit with Tenzing

Phone: +1 877 767 5577 ext 203
Mobile: +1 250 215 2299
Fax:  +1 416 981 3007
Web: www.tenzing.com


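An added example, not part of the original post or of any reply: an Openswan ipsec.conf fragment for host-to-host transport mode that protects only SNMP (UDP/161) from the RHEL manager toward one Windows target, with X.509 authentication and CRL checking enforced. The addresses, certificate file names and DNs are placeholders, and the conn name is hypothetical.

```ini
# Added example (not from the original post): Openswan ipsec.conf fragment
# for transport-mode protection of SNMP only, RHEL manager -> Windows host.
# Addresses, certificate names and DNs below are placeholders.

config setup
    # Enforce CRL checking for every peer certificate: with no usable
    # CRL the peer is refused instead of silently accepted.
    strictcrlpolicy=yes
    crlcheckinterval=3600

conn snmp-to-winsrv01
    type=transport
    authby=rsasig
    # This host (placeholder address); cert and key live under /etc/ipsec.d
    left=192.0.2.10
    leftcert=snmp-manager.pem
    leftrsasigkey=%cert
    leftid="C=CA, O=Example, CN=snmp-manager.example.com"
    # The Windows SNMP agent (placeholder); its cert must chain to our CA
    right=192.0.2.50
    rightrsasigkey=%cert
    rightca=%same
    rightid="C=CA, O=Example, CN=winsrv01.example.com"
    # Restrict the SA to SNMP: any local UDP source port -> remote UDP/161,
    # so other traffic to this host is not pulled into the policy.
    leftprotoport=17/%any
    rightprotoport=17/161
    # auto=route installs the policy at startup, so the first outbound
    # SNMP packet triggers IKE instead of leaving in the clear.
    auto=route
```

One conn of this shape is needed per Windows target, and it does not give the cleartext fallback asked for: with `auto=route`, SNMP packets to the target are held until IKE completes, so a host that cannot negotiate gets no SNMP traffic rather than plaintext, and the SNMPv3 Linux hosts must simply be left outside any such conn.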
