[Openswan Users] securing data between two hosts for a specific port
Ryan Bohn
ryan.bohn at tenzing.com
Fri Aug 28 17:18:18 EDT 2009
Hey Paul,
Thanks again.
I made the changes you suggested, but I'm getting these errors/warnings now:
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: added connection description "snmp_sec"
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: listening for IKE messages
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:4500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:4500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo ::1:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.secrets"
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.d/snmp.secrets"
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot route template policy of PSK+ENCRYPT+TUNNEL+IKEv2ALLOW
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Here's my updated config file:
config setup
plutodebug="all"
nat_traversal=yes
nhelpers=0
failureshunt=passthrough
conn snmp_sec
#keyexchange=ike
#ike=3des-sha1-modp1024
auth=esp
#phase2alg=3des-sha1
authby=secret
pfs=no
rekey=no
keyingtries=3
# any remote host
right=%any
rightprotoport=udp/snmp
# local server
left=10.250.1.139
leftprotoport=udp/snmp
auto=start
Ryan Bohn
Corporate Systems Engineer
Summit with Tenzing
-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: August-28-09 2:05 PM
To: Ryan Bohn
Cc: users at openswan.org
Subject: RE: [Openswan Users] securing data between two hosts for a specific port
On Fri, 28 Aug 2009, Ryan Bohn wrote:
> Ok, perhaps my limited understanding of tunnel vs transport modes needs help. Would you recommend tunnel mode here?
In general, I recommend tunnel mode. Transport mode and AH (without ESP) have even been
candidates for removal.
> conn snmp_sec
> #keyexchange=ike
> #ike=3des-sha1-modp1024
> auth=esp
> #phase2alg=3des-sha1
> authby=secret
> pfs=no
> rekey=no
> keyingtries=3
> type=transport
> # remote hosts
> right=%any
> rightprotoport=udp/snmp
> # local host
> left=10.250.1.139
> leftprotoport=udp/snmp
> auto=add
Don't indent a conn differently within its section. It might cause problems, just like
empty lines (they signify 'end of conn')
You use auto=add which sets it up for "responding only". You want "auto=start", or
else you have to issue an ipsec auto --up snmp_sec
Paul
>
>
> Thanks for your time.
>
> Ryan Bohn
> Corporate Systems Engineer
>
> Summit with Tenzing
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: August-28-09 12:06 PM
> To: Ryan Bohn
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] securing data between two hosts for a specific port
>
> On Thu, 27 Aug 2009, Ryan Bohn wrote:
>
>> I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can’t use a tunnel (vpn) setup as the redhat
>> box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to
>> protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn’t allow for any
>> authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.
>
> Why do you think transport mode is so much better than tunnel mode for this? The few bytes you gain per packet? At the expense
> of easy NAT traversal. Still, you can use transport mode if you want. Just add type=transport
>
> For snmp, you can add to the conn:
>
> leftprotoport=udp/snmp (or 17/161)
> rightprotoport=udp/snmp (or 17/161)
>
>> So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If an ipsec connection cannot be
>> established, it should fall back to non-ipsec mode
>
> Add failureshunt=passthrough to 'config setup' in ipsec.conf.
>
>> I should note that during my trials with racoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows
>> host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and racoon doesn’t properly use CRL
>> which we will require.
>
> If you use a subnet, should you not use tunnel mode instead of transport mode?
>
>> Thanks to anyone for any tips on how to get this going. I’ve been trying various things with openswan and it’s just not kicking in.
>
> Paul
>