[Openswan Users] securing data between two hosts for a specific port

Paul Wouters paul at xelerance.com
Fri Aug 28 17:04:58 EDT 2009

On Fri, 28 Aug 2009, Ryan Bohn wrote:

> Ok, perhaps my limited understanding of tunnel vs transport modes need help. Would you recommend tunnel mode here?

In general, I recommend tunnel mode. Transport mode and AH (without ESP) have even been
candidates for removal.

> conn snmp_sec
>    #keyexchange=ike
>    #ike=3des-sha1-modp1024
>    auth=esp
>    #phase2alg=3des-sha1
>    authby=secret
>    pfs=no
>    rekey=no
>    keyingtries=3
>    type=transport
> 	# remote hosts
>        right=%any
>        rightprotoport=udp/snmp
> 	# local host
>        left=
>        leftprotoport=udp/snmp
>    auto=add

Don't indent a conn differently within its section. It might cause problems, just like
empty lines (they signify 'end of conn').

You use auto=add which sets it up for "responding only". You want "auto=start", or
else you have to issue an "ipsec auto --up snmp_sec".

> Thanks for your time.
> Ryan Bohn
> Corporate Systems Engineer
> Summit with Tenzing
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: August-28-09 12:06 PM
> To: Ryan Bohn
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] securing data between two hosts for a specific port
> On Thu, 27 Aug 2009, Ryan Bohn wrote:
>> I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can’t use a tunnel (vpn) setup as the redhat
>> box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to
>> protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn’t allow for any
>> authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.
> Why do you think transport mode is so much better than tunnel mode for this? The few bytes you gain per packet? At the expense
> of easy NAT traversal. Still, you can use transport mode if you want. Just add type=transport
> For snmp, you can add to the conn:
> 	leftprotoport=udp/snmp  (or 17/161)
> 	rightprotoport=udp/snmp  (or 17/161)
>> So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If an ipsec connection cannot be
>> established, it should fall back to non-ipsec mode
> Add failureshunt=passthrough to 'config setup' in ipsec.conf.
>> I should note that during my trials with racoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows
>> host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and racoon doesn’t properly use CRL
>> which we will require.
> If you use a subnet, should you not use tunnel mode instead of transport mode?
>> Thanks to anyone for any tips on how to get this going. I’ve been trying various things with openswan and it’s just not kicking in.
> Paul
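As an added illustration (not part of the thread, and not Openswan's own example), the conn from the quoted message rewritten the way the reply above suggests: consistent indentation inside the section, no blank lines until the section ends, failureshunt=passthrough in 'config setup' so SNMP falls back to cleartext when IKE fails, and auto=start so the Red Hat host initiates rather than only responds. The addresses 192.0.2.20 (local management host) and 192.0.2.10 (remote Windows host) are placeholders; auto=start needs a concrete peer address to initiate to, which is why right=%any is not used here.

```ini
# /etc/ipsec.conf (added example; addresses are placeholders)
config setup
    # fall back to cleartext if IKE negotiation with the peer fails
    failureshunt=passthrough

conn snmp_sec
    type=transport
    auth=esp
    authby=secret
    pfs=no
    rekey=no
    keyingtries=3
    # local management host (Red Hat)
    left=192.0.2.20
    leftprotoport=udp/snmp
    # remote Windows host being polled over SNMP
    right=192.0.2.10
    rightprotoport=udp/snmp
    # initiate at startup instead of waiting for the peer
    auto=start
```

With authby=secret, the matching pre-shared key is expected in /etc/ipsec.secrets as a line of the form `192.0.2.20 192.0.2.10 : PSK "..."` (same placeholder addresses). After editing, `ipsec auto --replace snmp_sec` followed by `ipsec auto --status` shows whether the conn loaded and whether the SA came up.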
