[Openswan Users] securing data between two hosts for a specific port

[Paul Wouters]

On Tue, 1 Sep 2009, Ryan Bohn wrote:

> It should work fine.
>
> --- Unfortunately, it hasn't worked at all yet.

You have not configured it properly.

> --- The problem here is that "respond only" does me no good.

Then change it to use a configuration where it can initiate. However,
how do you expect to initiate to "lots of something's somewhere"?

> Its the rhel server (whever openswan is running) that will be initiating outbound connections via snmp to thousands of remote hosts. The rhel box needs to initiate ipsec when it connects out, it will never receive initial snmp inbound traffic. So in this case auto=add means respond only, which won't work with this. With auto=start, I only need the ipsec connection to secure snmp port on-demand when the rhel box connects out with its management software. Additionally, I don't want to have to define thousands of remote ip's in the openswan conf file, it's just not manageable.

You cannot have the cake and eat it too. Either you tell it to which 
thousands you initiate to. Or you wait for packets to arrive to then
initiate on. I don't understand how you could build something any other
way, regardless of what software or protocol you use.

You can use one connection with right=%any, but you will have to be a
responder. Or at least you have to wait for plaintext packets to then
counter-initiate.

> --- It does not appear that openswan has the ability to secure a port when it itself is initiating the connection on demand to any remote host.

It's not a matter of openswan. You have come up with impossible demands of:

- no plaintext exchange ever (that could be used to trigger crypto)
- no initiating from snmp clients to snmp server
- initiating from snmp server to clients without where to initiate to.

I have accomplished quite some magic, but this is beyond me.

Paul