[Openswan Users] securing data between two hosts for a specific port

Paul Wouters paul at xelerance.com
Fri Aug 28 15:05:56 EDT 2009

On Thu, 27 Aug 2009, Ryan Bohn wrote:

> I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can’t use a tunnel (vpn) setup as the redhat
> box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to
> protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn’t allow for any
> authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.

Why do you think transport mode is so much better than tunnel mode for this? The few bytes you gain per packet? At the expense
of easy NAT traversal. Still, you can use transport mode if you want. Just add type=transport.

For snmp, you can add to the conn:

 	leftprotoport=udp/snmp  (or 17/161)
 	rightprotoport=udp/snmp  (or 17/161)

> So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If a ipsec connection cannot be
> established, it should fall back to non-ipsec mode

Add failureshunt=passthrough to 'config setup' in ipsec.conf.

> I should note that during my trials with raccoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows
> host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and raccoon doesn’t properly use CRL
> which we will require.

If you use a subnet, should you not use tunnel mode instead of transport mode?

> Thanks to anyone for any tips on how to get this going. I’ve been trying various things with openswan and it’s just not kicking in.

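Pulling the options from the reply above into one place, here is an added ipsec.conf fragment (not from the thread) that protects SNMP between the RHEL box and one Windows agent in transport mode with x509 certificates; the addresses, DNs, certificate file names and conn name are placeholders, and the placement of failureshunt follows the reply above.

```ini
# Added example, not part of the original thread.
# Placeholders: 192.0.2.10 (RHEL management server), 192.0.2.50 (one
# Windows SNMP agent), certificate names and DNs.
config setup
        interfaces=%defaultroute
        # Fall back to cleartext when negotiation fails, as suggested in
        # the reply above; confirm with ipsec.conf(5) for your Openswan
        # version where this keyword is accepted.
        failureshunt=passthrough
        # Require a valid CRL for peer certificates (the requirement raised
        # against racoon); with strictcrlpolicy=yes a missing CRL makes the
        # negotiation fail rather than silently accepting the cert.
        strictcrlpolicy=yes
        crlcheckinterval=600

# One conn per Windows host: transport mode carries no inner subnet, so
# a subnet on the right side does not work here.
conn snmp-to-winhost1
        type=transport
        authby=rsasig
        left=192.0.2.10
        leftcert=mgmt-server.pem
        leftid="C=XX, O=Example, CN=mgmt-server"
        # Only UDP/161 is selected; everything else stays unprotected.
        leftprotoport=udp/snmp          # equivalent to 17/161
        right=192.0.2.50
        rightid="C=XX, O=Example, CN=winhost1"
        # Peer cert must chain to the same CA as our own cert.
        rightca=%same
        rightprotoport=udp/snmp         # equivalent to 17/161
        # Install a trap policy so the first outbound SNMP packet triggers
        # negotiation instead of starting the tunnel at boot.
        auto=route
```

With auto=route, `ipsec auto --status` should show the conn as routed before any SNMP poll and as an established SA afterwards; if the SA never appears and polls still succeed, the passthrough shunt is what you are seeing.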