[Openswan Users] securing data between two hosts for a specific port
ryan.bohn at tenzing.com
Fri Aug 28 17:18:18 EDT 2009
I made the changes you suggested, but I'm getting these errors/warnings now:
Aug 28 14:12:43 ryanb-rhelvm1 pluto: added connection description "snmp_sec"
Aug 28 14:12:43 ryanb-rhelvm1 pluto: listening for IKE messages
Aug 28 14:12:43 ryanb-rhelvm1 pluto: adding interface eth0/eth0 10.250.1.139:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto: adding interface eth0/eth0 10.250.1.139:4500
Aug 28 14:12:43 ryanb-rhelvm1 pluto: adding interface lo/lo 127.0.0.1:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto: adding interface lo/lo 127.0.0.1:4500
Aug 28 14:12:43 ryanb-rhelvm1 pluto: adding interface lo/lo ::1:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto: loading secrets from "/etc/ipsec.secrets"
Aug 28 14:12:43 ryanb-rhelvm1 pluto: loading secrets from "/etc/ipsec.d/snmp.secrets"
Aug 28 14:12:43 ryanb-rhelvm1 pluto: "snmp_sec": cannot route template policy of PSK+ENCRYPT+TUNNEL+IKEv2ALLOW
Aug 28 14:12:43 ryanb-rhelvm1 pluto: "snmp_sec": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)
Here's my updated config file:
# any remote host
# local server
Corporate Systems Engineer
Summit with Tenzing
From: Paul Wouters [mailto:paul at xelerance.com]
Sent: August-28-09 2:05 PM
To: Ryan Bohn
Cc: users at openswan.org
Subject: RE: [Openswan Users] securing data between two hosts for a specific port
On Fri, 28 Aug 2009, Ryan Bohn wrote:
> Ok, perhaps my limited understanding of tunnel vs transport modes needs help. Would you recommend tunnel mode here?
In general, I recommend tunnel mode. Transport mode and AH (without ESP) have even been
candidates for removal.
> conn snmp_sec
> # remote hosts
> # local host
Don't indent a conn differently within its section. It might cause problems, just like
empty lines (they signify 'end of conn').
You use auto=add which sets it up for "responding only". You want "auto=start", or
else you have to issue an ipsec auto --up snmp_sec
> Thanks for your time.
> Ryan Bohn
> Corporate Systems Engineer
> Summit with Tenzing
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: August-28-09 12:06 PM
> To: Ryan Bohn
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] securing data between two hosts for a specific port
> On Thu, 27 Aug 2009, Ryan Bohn wrote:
>> I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can’t use a tunnel (vpn) setup as the redhat
>> box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to
>> protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn’t allow for any
>> authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.
> Why do you think transport mode is so much better than tunnel mode for this? The few bytes you gain per packet? At the expense
> of easy NAT traversal. Still, you can use transport mode if you want. Just add type=transport
> For snmp, you can add to the conn:
> leftprotoport=udp/snmp (or 17/161)
> rightprotoport=udp/snmp (or 17/161)
>> So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If an ipsec connection cannot be
>> established, it should fall back to non-ipsec mode.
> Add failureshunt=passthrough to 'config setup' in ipsec.conf.
>> I should note that during my trials with racoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows
>> host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and racoon doesn’t properly use CRL
>> which we will require.
> If you use a subnet, should you not use tunnel mode instead of transport mode?
>> Thanks to anyone for any tips on how to get this going. I’ve been trying various things with openswan and it’s just not kicking in.
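Putting Paul's suggestions together, here is an added example ipsec.conf (my example, not the thread's own file and not an Openswan sample): transport mode restricted to UDP/161, failureshunt=passthrough under config setup, and auto=start. The local address 10.250.1.139 is the one pluto logged above; the peer 10.250.1.200 is a constructed placeholder.

```conf
# /etc/ipsec.conf (added example; addresses other than 10.250.1.139 are placeholders)
version 2.0

config setup
	# Paul's fallback: if IPsec cannot be negotiated, the packets go clear
	failureshunt=passthrough

# An initiating conn needs a concrete peer. right=%any makes a template
# (kind=CK_TEMPLATE) that pluto can neither route nor initiate, which is
# exactly the error pair in the log above. Keep every parameter indented
# the same way and put no blank line inside the conn.
conn snmp_sec
	type=transport
	left=10.250.1.139
	right=10.250.1.200
	# only SNMP is protected: udp/161 (udp/snmp is equivalent)
	leftprotoport=udp/161
	rightprotoport=udp/161
	# pre-shared key looked up in ipsec.secrets by the left/right addresses
	authby=secret
	# auto=add only responds; auto=start brings the SA up when pluto starts
	# (auto=route would instead negotiate on the first matching packet)
	auto=start
```

The matching pre-shared key entry in /etc/ipsec.d/snmp.secrets has the form `10.250.1.139 10.250.1.200 : PSK "placeholder-secret"`, one line per peer.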