[Openswan Users] securing data between two hosts for a specific port

Ryan Bohn ryan.bohn at tenzing.com
Tue Sep 1 14:16:08 EDT 2009


-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: August-31-09 6:03 PM
To: Ryan Bohn
Cc: users at openswan.org
Subject: Re: [Openswan Users] securing data between two hosts for a specific port

On Mon, 31 Aug 2009, Ryan Bohn wrote:

> It looks like I'm going to have to drop openswan. It doesn't appear to be configurable to allow the server to secure outbound snmp protocol only when the server polls using an snmp management software.

It should work fine.

--- Unfortunately, it hasn't worked at all yet.

>
> I made the changes you suggested, but I'm getting these errors/warnings now:
>
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: added connection description "snmp_sec"
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: listening for IKE messages
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface eth0/eth0 10.250.1.139:4500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo 127.0.0.1:4500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: adding interface lo/lo ::1:500
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.secrets"
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: loading secrets from "/etc/ipsec.d/snmp.secrets"
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot route template policy of PSK+ENCRYPT+TUNNEL+IKEv2ALLOW
> Aug 28 14:12:43 ryanb-rhelvm1 pluto[13078]: "snmp_sec": cannot initiate connection without knowing peer IP address (kind=CK_TEMPLATE)

You cannot use auto=start, which means "initiate" and "right=%any". Initiate to where? You either initiate to some
specific host or ip, or you are respond-only. When respond-only you can accept ipsec from either a hostname, an
ip or "any" and then proceed to authenticate.

--- The problem here is that "respond only" does me no good. It's the rhel server (wherever openswan is running) that will be initiating outbound connections via snmp to thousands of remote hosts. The rhel box needs to initiate ipsec when it connects out; it will never receive initial snmp inbound traffic. So in this case auto=add means respond only, which won't work with this. With auto=start, I only need the ipsec connection to secure the snmp port on-demand when the rhel box connects out with its management software. Additionally, I don't want to have to define thousands of remote IPs in the openswan conf file; it's just not manageable.

--- It does not appear that openswan has the ability to secure a port when it itself is initiating the connection on demand to any remote host.

> Here's my updated config file:
>
> config setup
>        plutodebug="all"
>        nat_traversal=yes
>        nhelpers=0
>        failureshunt=passthrough
>
>
> conn snmp_sec
>        #keyexchange=ike
>        #ike=3des-sha1-modp1024
>        auth=esp
>        #phase2alg=3des-sha1
>        authby=secret
>        pfs=no
>        rekey=no
>        keyingtries=3
>
>        # any remote host
>        right=%any
>        rightprotoport=udp/snmp
>
>        # local server
>        left=10.250.1.139
>        leftprotoport=udp/snmp
>
>        auto=start

So you need a right=someip

Paul
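Paul's point is that Pluto can only initiate (auto=start) toward a concrete right= address; right=%any is respond-only. The following is an added example, not part of the thread and not Openswan project code, showing one way to keep the per-peer stanzas that this implies manageable: the shared settings from the posted config go into a single `conn %default` section, and each remote SNMP agent gets a two-line conn carrying only its address, generated from a plain list. The peer addresses (192.0.2.x, the documentation range), the peer-list file and the suggested output path `/etc/ipsec.d/snmp-peers.conf` are constructed placeholders; the connection parameters are the ones from Ryan's config.

```shell
#!/bin/sh
# Added example (not from the thread): generate per-peer Openswan conn
# stanzas so that each remote SNMP agent has a concrete right= address
# together with auto=start, which is what Pluto needs in order to initiate.
# Peer addresses and file names used here are constructed placeholders.

# Shared settings go in "conn %default"; every conn in the file inherits them.
# The parameter values are the ones from the posted snmp_sec config.
emit_defaults() {
    cat <<'EOF'
conn %default
        auth=esp
        authby=secret
        pfs=no
        rekey=no
        keyingtries=3
        left=10.250.1.139
        leftprotoport=udp/snmp
        rightprotoport=udp/snmp
        auto=start

EOF
}

# Emit one conn stanza for a single peer address; the conn name is derived
# from the address so that names stay unique (192.0.2.10 -> snmp_192_0_2_10).
emit_peer() {
    ip="$1"
    name="snmp_$(printf '%s' "$ip" | tr '.' '_')"
    printf 'conn %s\n        right=%s\n\n' "$name" "$ip"
}

# Read peer addresses (one per line; blank lines and '#' comments ignored)
# and print a complete fragment suitable for /etc/ipsec.d/snmp-peers.conf.
gen_snmp_conns() {
    peers="$1"
    emit_defaults
    grep -v '^[[:space:]]*#' "$peers" | grep -v '^[[:space:]]*$' | while read -r ip; do
        emit_peer "$ip"
    done
}

# Count conn stanzas in a generated fragment (quick sanity check:
# expected value is number of peers + 1 for the %default section).
count_conns() {
    grep -c '^conn ' "$1"
}

# Demo with a constructed two-peer list written to a temporary file.
peerfile=$(mktemp)
printf '# constructed sample peers\n192.0.2.10\n192.0.2.11\n' > "$peerfile"
gen_snmp_conns "$peerfile"
rm -f "$peerfile"
```

The generated fragment only takes effect if ipsec.conf includes it (a stock ipsec.conf usually carries `include /etc/ipsec.d/*.conf` under `config setup`) and each listed peer runs IPsec with a matching PSK in ipsec.secrets. Two things to check before relying on it: `conn %default` applies to every conn loaded after it, so keep unrelated conns out of the same file, and `leftprotoport=udp/snmp` (kept from the thread's config) pins the local side to port 161 as well, so confirm the manager's polling traffic actually matches that selector rather than an ephemeral source port.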
