[Openswan Users] securing data between two hosts for a specific port

Ryan Bohn ryan.bohn at tenzing.com
Mon Aug 31 18:31:06 EDT 2009


It looks like I'm going to have to drop openswan. It doesn't appear to be configurable to allow the server to secure outbound snmp protocol only when the server polls using an snmp management software.

It also seems that nearly all linux users have somehow locked into a paradigm that when you talk ipsec you are only meaning vpn, that's all I see discussed when it comes to ipsec. Ipsec allows for more than virtualized private networks, specifically in my case simply encrypting and authenticating the data transmitted between two hosts for a particular port regardless of the network they are on.

Oh well.

Ryan Bohn
Corporate Systems Engineer

Summit with Tenzing


-----Original Message-----
From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On Behalf Of Ryan Bohn
Sent: August-28-09 2:18 PM
To: Paul Wouters
Cc: users at openswan.org
Subject: Re: [Openswan Users] securing data between two hosts for a specific port

Hey Paul,

Thanks again.

I made the changes you suggested, but I'm getting these errors/warnings now:

Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: added connection description "snmp_sec"
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: listening for IKE messages
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:4500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:4500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo ::1:500
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.secrets"
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.d/snmp.secrets"
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot route template policy of PSK+ENCRYPT+TUNNEL+IKEv2ALLOW
Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

Here's my updated config file:

config setup
        plutodebug="all"
        nat_traversal=yes
        nhelpers=0
        failureshunt=passthrough


conn snmp_sec
        #keyexchange=ike
        #ike=3des-sha1-modp1024
        auth=esp
        #phase2alg=3des-sha1
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3

        # any remote host
        right=%any
        rightprotoport=udp/snmp

        # local server
        left=10.250.1.139
        leftprotoport=udp/snmp

        auto=start

Ryan Bohn
Corporate Systems Engineer

Summit with Tenzing


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: August-28-09 2:05 PM
To: Ryan Bohn
Cc: users at openswan.org
Subject: RE: [Openswan Users] securing data between two hosts for a specific port

On Fri, 28 Aug 2009, Ryan Bohn wrote:

> Ok, perhaps my limited understanding of tunnel vs transport modes need help. Would you recommend tunnel mode here?

In general, I recommend tunnel mode. Transport mode and AH (without ESP) have even been
candidates for removal.

> conn snmp_sec
>    #keyexchange=ike
>    #ike=3des-sha1-modp1024
>    auth=esp
>    #phase2alg=3des-sha1
>    authby=secret
>    pfs=no
>    rekey=no
>    keyingtries=3
>    type=transport
> 	# remote hosts
>        right=%any
>        rightprotoport=udp/snmp
> 	# local host
>        left=10.250.1.139
>        leftprotoport=udp/snmp
>    auto=add

Don't indent a conn differently within its section. It might cause problems, just like
empty lines (they signify 'end of conn').

You use auto=add which sets it up for "responding only". You want "auto=start", or
else you have to issue an ipsec auto --up snmp_sec

Paul
>
>
> Thanks for your time.
>
> Ryan Bohn
> Corporate Systems Engineer
>
> Summit with Tenzing
>
> -----Original Message-----
> From: Paul Wouters [mailto:paul at xelerance.com]
> Sent: August-28-09 12:06 PM
> To: Ryan Bohn
> Cc: users at openswan.org
> Subject: Re: [Openswan Users] securing data between two hosts for a specific port
>
> On Thu, 27 Aug 2009, Ryan Bohn wrote:
>
>> I need to have my redhat enterprise linux machine attempt to use ipsec when connecting via the SNMP protocol to windows servers. I can’t use a tunnel (vpn) setup as the redhat
>> box is a management server that will be connecting to thousands of servers on our various (numerous) networks, so we will need transport mode and set to specific ports to
>> protect. For our ISO and SAS security requirements, the data collected over snmp cannot flow clear text and must be encrypted. Microsoft doesn’t allow for any
>> authentication/encryption with their snmp v2c implementation (bastards!), so I need to use ipsec to secure the data.
>
> Why do you think transport mode is so much better than tunnel mode for this? The few bytes you gain per packet? At the expense
> of easy NAT traversal. Still, you can use transport mode if you want. Just add type=transport
>
> For snmp, you can add to the conn:
>
> 	leftprotoport=udp/snmp  (or 17/161)
> 	rightprotoport=udp/snmp  (or 17/161)
>
>> So, to review, I need to configure the redhat server openswan to attempt ipsec when that server connects with the snmp protocol outbound. If a ipsec connection cannot be
>> established, it should fall back to non-ipsec mode
>
> Add failureshunt=passthrough to 'config setup' in ipsec.conf.
>
>> I should note that during my trials with raccoon, I was able to get the redhat server to use ipsec with a windows box when I defined the specific ip and port for the windows
>> host. If I tried to use a policy for a subnet or any remote host, it fails in phase 2. Furthermore, we plan to use x509 certs for ipsec, and raccoon doesn’t properly use CRL
>> which we will require.
>
> If you use a subnet, should you not use tunnel mode instead of transport mode?
>
>> Thanks to anyone for any tips on how to get this going. I’ve been trying various things with openswan and it’s just not kicking in.
>
> Paul
>
_______________________________________________
Users at openswan.org
http://lists.openswan.org/mailman/listinfo/users
Building and Integrating Virtual Private Networks with Openswan: 
http://www.amazon.com/gp/product/1904811256/104-3099591-2946327?n=283155
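As an added example (not Openswan's code, and not written by anyone in the thread), here is a small Python linter for the ipsec.conf pitfalls Paul points out above: indentation that varies inside one conn, an empty line that ends the conn early so the lines after it are lost, auto=add only responding, a right=%any peer that pluto cannot initiate to (the CK_TEMPLATE error in Ryan's log), and protoport written either as udp/snmp or as 17/161. The ipsec.conf text it checks is constructed for the example and deliberately contains each mistake; the service-name table is a fallback for hosts without /etc/services.

```python
"""Lint an Openswan-style ipsec.conf for the pitfalls discussed in the thread.

Added example, not Openswan's own parser.  Sections start at column 0
("config setup", "conn NAME"), parameters are indented key=value lines,
'#' starts a comment, and (as Paul warns) an empty line ends the conn.
"""
import socket

# Constructed fallback tables, used only when /etc/services has no entry.
PROTO_NUMBERS = {"tcp": 6, "udp": 17}
SERVICE_PORTS = {"snmp": 161, "snmptrap": 162}

# Constructed sample: mixed indentation (one tab-indented line), a blank
# line inside the conn, auto=add, and both protoport spellings.
SAMPLE_CONF = """\
config setup
        nat_traversal=yes
        failureshunt=passthrough

conn snmp_sec
        auth=esp
        authby=secret
        type=transport
\t# remote hosts
        right=%any
        rightprotoport=udp/snmp
        left=10.250.1.139
        leftprotoport=17/161
        auto=add

        keyingtries=3
"""


def parse_protoport(value):
    """Normalise 'udp/snmp', '17/161' or 'udp/%any' to (proto_number, port_number)."""
    proto, sep, port = value.partition("/")
    if not sep or not proto or not port:
        raise ValueError("protoport must be written as proto/port: %r" % value)
    if proto.isdigit():
        proto_num = int(proto)
    elif proto.lower() in PROTO_NUMBERS:
        proto_num = PROTO_NUMBERS[proto.lower()]
    else:
        raise ValueError("unknown protocol %r" % proto)
    if port == "%any":
        port_num = 0  # "any port", represented here as 0
    elif port.isdigit():
        port_num = int(port)
    else:
        try:
            port_num = socket.getservbyname(port)  # consults /etc/services
        except OSError:
            if port not in SERVICE_PORTS:
                raise ValueError("unknown service %r" % port)
            port_num = SERVICE_PORTS[port]
    return proto_num, port_num


def parse_sections(text):
    """Split ipsec.conf text into {section: {"params", "indents", "orphans"}}."""
    sections, current, after_blank = {}, None, False
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped == "":
            after_blank = current is not None  # empty line: conn is over
            continue
        if not line[0].isspace():
            name = " ".join(stripped.split())  # e.g. "conn snmp_sec"
            current = sections.setdefault(name, {"params": {}, "indents": set(), "orphans": []})
            after_blank = False
            continue
        if current is None:
            continue
        if after_blank:
            current["orphans"].append((lineno, stripped))  # lost to the early end
            continue
        current["indents"].add(line[: len(line) - len(line.lstrip())])
        if stripped.startswith("#"):
            continue
        key, _, value = stripped.partition("=")
        current["params"][key.strip()] = value.strip()
    return sections


def lint(text, conn):
    """Return a list of 'tag: message' findings for the conn and config setup."""
    sections = parse_sections(text)
    sec = sections.get("conn " + conn)
    if sec is None:
        return ["missing: conn %s not found" % conn]
    findings, p = [], sec["params"]
    if len(sec["indents"]) > 1:
        findings.append("indent: conn %s mixes %d different indentations" % (conn, len(sec["indents"])))
    for lineno, orphan in sec["orphans"]:
        findings.append("blank: line %d '%s' follows an empty line and is no longer part of conn %s" % (lineno, orphan, conn))
    if p.get("auto") == "add":
        findings.append("auto: auto=add only responds; use auto=start or 'ipsec auto --up %s' to initiate" % conn)
    if p.get("right") == "%any" and p.get("auto") == "start":
        findings.append("peer: right=%any is a template; pluto cannot initiate without knowing the peer IP address")
    for side in ("left", "right"):
        if side + "protoport" in p:
            try:
                proto_num, port_num = parse_protoport(p[side + "protoport"])
                findings.append("protoport: %s normalised to proto %d port %d" % (side, proto_num, port_num))
            except ValueError as exc:
                findings.append("protoport: %s" % exc)
    setup = sections.get("config setup", {"params": {}})["params"]
    if setup.get("failureshunt") == "passthrough":
        findings.append("shunt: failureshunt=passthrough sends the traffic in the clear when negotiation fails")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF, "snmp_sec"):
        print(finding)
```

The failureshunt check is there because, as Paul's reply says, passthrough is exactly what makes traffic fall back to the clear when IKE fails; on a host whose requirement is that SNMP data must never cross the network unencrypted, that finding is the one to weigh before shipping the config.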