[Openswan Users] securing data between two hosts for a specific port
ryan.bohn at tenzing.com
Fri Aug 28 15:51:11 EDT 2009
Ok, perhaps my limited understanding of tunnel vs transport modes need help. Would you recommend tunnel mode here?
Here's my config so far (haven't applied your suggestions yet, will do soon), but it doesn't work. When I try to snmpwalk a remote host from the rhel box, ipsec doesn't kick in. I did restart ipsec.
# remote hosts
# local host
Thanks for your time.
Corporate Systems Engineer
Summit with Tenzing
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: August-28-09 12:06 PM
To: Ryan Bohn
Cc: users at openswan.org
Subject: Re: [Openswan Users] securing data between two hosts for a specific port
On Thu, 27 Aug 2009, Ryan Bohn wrote:
> I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can’t use a tunnel (vpn) setup as the redhat
> box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to
> protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn’t allow for any
> authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.
Why do you think transport mode is so much better then tunnel mode for this? The few bytes you gain per packet? At the expense
of easy NAT traversal. STill, you can use transport mode if you want. Just add type=transport
For snmp, you can add to the conn:
leftprotoport=udp/snmp (or 17/161)
rightprotoport=udp/snmp (or 17/161)
> So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If a ipsec connection cannot be
> established, it should fall back to non-ipsec mode
Add failureshunt=passthrough to 'config setup' in ipsec.conf.
> I should note that during my trials with raccoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows
> host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and raccoon doesn’t properly use CRL
> which we will require.
If you use a subnet, should you not use tunnel mode instead of transport mode?
> Thanks to anyone for any tips on how to get this going. I’ve been trying various things with openswan and it’s just not kicking in.
More information about the Users