[Openswan Users] securing data between two hosts for a specific port

Paul Wouters paul at xelerance.com
Mon Aug 31 21:03:13 EDT 2009


On Mon, 31 Aug 2009, Ryan Bohn wrote:

> It looks like I'm going to have to drop openswan. It doesn't appear to be configurable to allow the server to secure outbound snmp protocol only when the server polls using an snmp management software.

It should work fine.

>
> I made the changes you suggested, but I'm getting these errors/warnings now:
>
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: added connection description "snmp_sec"
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: listening for IKE messages
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:4500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:4500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo ::1:500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.secrets"
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.d/snmp.secrets"
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot route template policy of PSK+ENCRYPT+TUNNEL+IKEv2ALLOW
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

You cannot use auto=start, which means "initiate" and "right=%any". Initiate to where? You either initiate to some
specific host or ip, or you are respond-only. When respond-only you can accept ipsec from either a hostname, an
ip or "any" and then proceed to authenticate.

> Here's my updated config file:
>
> config setup
>        plutodebug="all"
>        nat_traversal=yes
>        nhelpers=0
>        failureshunt=passthrough
>
>
> conn snmp_sec
>        #keyexchange=ike
>        #ike=3des-sha1-modp1024
>        auth=esp
>        #phase2alg=3des-sha1
>        authby=secret
>        pfs=no
>        rekey=no
>        keyingtries=3
>
>        # any remote host
>        right=%any
>        rightprotoport=udp/snmp
>
>        # local server
>        left=10.250.1.139
>        leftprotoport=udp/snmp
>
>        auto=start

So you need a right=someip

Paul
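A corrected pair of ipsec.conf fragments, added here as an example and not taken from the thread: the agent host keeps right=%any but becomes respond-only with auto=add, while the management station names the agent explicitly and initiates with auto=start. The manager address 10.250.1.20 and the PSK are constructed placeholders; rightprotoport=udp (any source port) on the agent side is my assumption that the manager polls from an ephemeral port rather than from 161.

```ini
# /etc/ipsec.conf on the SNMP agent host (10.250.1.139, the server from the thread)
# Respond-only: right=%any is fine here because this side never initiates.
conn snmp_sec
        authby=secret
        left=10.250.1.139
        leftprotoport=udp/snmp        # only local UDP/161 is protected
        right=%any                    # any peer may propose, then must authenticate by PSK
        rightprotoport=udp            # assumption: manager polls from an ephemeral port
        auto=add                      # load and respond; never auto=start with right=%any

# /etc/ipsec.conf on the management station (10.250.1.20 is a constructed address)
# Initiator: the peer is a concrete IP, so auto=start is valid.
conn snmp_sec
        authby=secret
        left=10.250.1.20
        leftprotoport=udp             # assumption: ephemeral source port
        right=10.250.1.139
        rightprotoport=udp/snmp       # the agent's UDP/161
        auto=start

# /etc/ipsec.d/snmp.secrets on both hosts (constructed PSK; generate a long random one)
10.250.1.139 10.250.1.20 : PSK "replace-with-a-random-secret"
```

After `ipsec auto --replace snmp_sec` on the agent host, the two "cannot route template policy" / "cannot initiate connection without knowing peer IP address" lines from the log above should no longer appear; on the manager, `ipsec auto --up snmp_sec` brings the SA up.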
