[Openswan Users] securing data between two hosts for a specific port

Tue Sep 1 14:53:31 EDT 2009

It's very simple to do in windows land.

Create new policy, set it to activate ipsec whenever you attempt to connect out to a specific port on any host (you can set any host, a specific one, a subnet, etc). Its just a few simply clicks to build that policy, set it to use aes and rsa auth and everything. And it does just that, it will attempt to use ipsec with whatever the remote host is, you don't need to define it. It will only kick in on demand for that connection on that port, it won't "initiate" it until the server is creating that connection out. MS never designed it with just vpn in minde, they designed it at a higher level, a broad way to secure communications. I could set my windows laptop to attempt to secure all my http outbound requests with ipsec, and if any web server supported the setup (eg, had a cert i trusted with a similar policy), it would do it.

I actually got this working with spdadd config in racoon, it only secured with ipsec when the box connected out with snmp, and stopped when it was done with that snmp connection. Racoon just has some bugs in it that prevented it from working with CRL, etc.

Apparelty openswan is limited in that it can only "respond" to incoming ipsec requests, or it will "start/initiate" a ipsec connection outbound to a specific host and keep that up constantly. So for the sake of clarification, is there an option to tell openswan to only attempt an ipsec connection when the box is attempting to connect out on a specific port to any remote host?

Its unfortunate the management software i'm using won't run on windows, because the ipsec implementation paradigm in openswan appears to be limited in scope to vpn scenarios, or at least heavily bent that way with little details of other ways to use ipsec.

Ryan Bohn
Corporate Systems Engineer

Summit with Tenzing

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: September-01-09 11:28 AM
To: Ryan Bohn
Cc: users at openswan.org
Subject: RE: [Openswan Users] securing data between two hosts for a specific port

On Tue, 1 Sep 2009, Ryan Bohn wrote:

> It should work fine.
>
> --- Unfortunately, it hasn't worked at all yet.

You have not configured it properly.

> --- The problem here is that "respond only" does me no good.

Then change it to use a configuration where it can initiate. However,
how do you expect to initiate to "lots of something's somewhere"?

> Its the rhel server (whever openswan is running) that will be initiating outbound connections via snmp to thousands of remote hosts. The rhel box needs to initiate ipsec when it connects out, it will never receive initial snmp inbound traffic. So in this case auto=add means respond only, which won't work with this. With auto=start, I only need the ipsec connection to secure snmp port on-demand when the rhel box connects out with its management software. Additionally, I don't want to have to define thousands of remote ip's in the openswan conf file, it's just not manageable.

You cannot have the cake and eat it too. Either you tell it to which 
thousands you initiate to. Or you wait for packets to arrive to then
initiate on. I don't understand how you could build something any other
way, regardless of what software or protocol you use.

You can use one connection with right=%any, but you will have to be a
responder. Or at least you have to wait for plaintext packets to then
counter-initiate.

> --- It does not appear that openswan has the ability to secure a port when it itself is initiating the connection on demand to any remote host.

It's not a matter of openswan. You have come up with impossible demands of:

- no plaintext exchange ever (that could be used to trigger crypto)
- no initiating from snmp clients to snmp server
- initiating from snmp server to clients without where to initiate to.

I have accomplished quite some magic, but this is beyond me.

Paul