[Openswan Users] securing data between two hosts for a specific port
Ryan Bohn
ryan.bohn at tenzing.com
Fri Aug 28 15:51:11 EDT 2009
Hi Paul,
Ok, perhaps my limited understanding of tunnel vs transport modes needs help. Would you recommend tunnel mode here?
Here's my config so far (haven't applied your suggestions yet, will do soon), but it doesn't work. When I try to snmpwalk a remote host from the rhel box, ipsec doesn't kick in. I did restart ipsec.
config setup
        plutodebug="all"
        nat_traversal=yes
        nhelpers=0

conn snmp_sec
        #keyexchange=ike
        #ike=3des-sha1-modp1024
        auth=esp
        #phase2alg=3des-sha1
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        # transport mode: only the UDP/SNMP payload is protected, the IP header is kept
        type=transport
        # remote hosts
        right=%any
        rightprotoport=udp/snmp
        # local host
        left=10.250.1.139
        leftprotoport=udp/snmp
        # auto=add loads the conn at startup but does not initiate it
        auto=add
Thanks for your time.
Ryan Bohn
Corporate Systems Engineer
Summit with Tenzing
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: August-28-09 12:06 PM
To: Ryan Bohn
Cc: users at openswan.org
Subject: Re: [Openswan Users] securing data between two hosts for a specific port
On Thu, 27 Aug 2009, Ryan Bohn wrote:
> I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can’t use a tunnel (vpn) setup as the redhat
> box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to
> protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn’t allow for any
> authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.
Why do you think transport mode is so much better than tunnel mode for this? The few bytes you gain per packet? At the expense
of easy NAT traversal. Still, you can use transport mode if you want. Just add type=transport
For snmp, you can add to the conn:
leftprotoport=udp/snmp (or 17/161)
rightprotoport=udp/snmp (or 17/161)
> So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If a ipsec connection cannot be
> established, it should fall back to non-ipsec mode
Add failureshunt=passthrough to 'config setup' in ipsec.conf.
> I should note that during my trials with raccoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows
> host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and raccoon doesn’t properly use CRL
> which we will require.
If you use a subnet, should you not use tunnel mode instead of transport mode?
> Thanks to anyone for any tips on how to get this going. I’ve been trying various things with openswan and it’s just not kicking in.
Paul
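Ryan reports that "ipsec doesn't kick in" when he runs snmpwalk. Whether Openswan actually installed a kernel policy for the SNMP traffic can be verified independently of pluto's debug log by reading `ip xfrm policy`. The script below is an added example (not part of this thread and not Openswan's own tooling): it parses `ip xfrm policy` output and reports whether an outbound transport-mode ESP policy exists for UDP/161 to a given host. The embedded sample output is constructed, with 10.250.1.139 (Ryan's management host) and a hypothetical Windows host 10.250.1.200.

```shell
#!/bin/sh
# Added example (not from the thread): check whether the kernel holds an
# outbound transport-mode ESP policy for SNMP (UDP/161) to a given host.
# Once Openswan has negotiated the conn, `ip xfrm policy` shows a record
# like the constructed sample below; if nothing matches, IPsec was never
# applied to the SNMP traffic, whatever pluto's log says.

# Constructed sample of `ip xfrm policy` output: management host
# 10.250.1.139 talking SNMP to the hypothetical host 10.250.1.200.
SAMPLE_POLICY='src 10.250.1.139/32 dst 10.250.1.200/32 proto udp dport 161
    dir out priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport
src 10.250.1.200/32 dst 10.250.1.139/32 proto udp sport 161
    dir in priority 2080 ptype main
    tmpl src 0.0.0.0 dst 0.0.0.0
        proto esp reqid 16385 mode transport'

# check_snmp_policy DST_IP
# Reads `ip xfrm policy` text on stdin. Returns 0 when an outbound policy
# for UDP port 161 to DST_IP requires ESP in transport mode, else 1.
check_snmp_policy() {
    dst="$1"
    awk -v dst="$dst" '
        # every policy record starts with a "src ..." line; the indented
        # continuation lines are glued onto the current record
        /^src / { if (rec != "") flush(); rec = $0; next }
        { rec = rec " " $0 }
        END { if (rec != "") flush(); exit (found ? 0 : 1) }
        function flush() {
            if (rec ~ ("dst " dst "/32( |$)") &&
                rec ~ /proto udp/ && rec ~ /dport 161/ &&
                rec ~ /dir out/ && rec ~ /proto esp/ &&
                rec ~ /mode transport/)
                found = 1
            rec = ""
        }'
}

# Live use on the management host (root is needed for `ip xfrm`):
#   ip xfrm policy | check_snmp_policy 10.250.1.200 && echo "SNMP to host is protected"
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_POLICY" | check_snmp_policy 10.250.1.200 \
    && echo "policy present for 10.250.1.200" \
    || echo "no policy for 10.250.1.200"
```

The check insists on `dir out`, `proto esp` and `mode transport` together, so a tunnel-mode policy or a bare bypass entry for the same host does not count as success; a host with no matching record at all returns 1, which is the state Ryan describes.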