[Openswan Users] Issue with openswan opening a TCP port that conflicts with another service

Igor Lasic ilasic at yahoo.com
Mon Jul 30 19:41:22 EDT 2012


We are using "service ipsec xxx" to control the ipsec.

I think both pluto processes are spawned by the control process (7450). 
We are running with threading.

Here are config files.

Igor

[root at larry1 ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
         # Do not set debug= options to debug configuration issues!
         # plutodebug / klipsdebug = "all", "none" or a combination from below:
         # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
         # eg:
         # plutodebug="control parsing"
         #
         # enable to get logs per-peer
         # plutoopts="--perpeerlog"
         #
         # Only enable *debug=all if you are a developer
         #
         # NAT-TRAVERSAL support, see README.NAT-Traversal
         nat_traversal=yes
         # exclude networks used on server side by adding %v4:!a.b.c.0/24
         virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
         # OE is now off by default. Uncomment and change to on, to enable.
         OE=off
         # which IPsec stack to use. netkey,klips,mast,auto or none
         protostack=netkey


# Add connections here



conn sample
         type=           transport
         authby=         secret
         # Collector eth0 IP address
         left=           172.20.0.186
         leftid=           172.20.0.186
         # CMTS IP
         right=          172.20.2.226
         rightid=          172.20.2.226
         keyexchange=    ike
         pfs=            no
         auto=           start

conn sample1
         type=           transport
         authby=         secret
         # Collector eth0 IP address
         left=           172.20.0.181
         leftid=           172.20.0.181
         # CMTS IP
         right=          172.20.2.226
         rightid=          172.20.2.226
         keyexchange=    ike
         pfs=            no
         auto=           start

conn ubr
         type=transport
         authby=secret
         # Collector eth0 IP address
         left=172.20.0.181
         leftid=172.20.0.181
         # CMTS IP
         right=172.29.1.1
         rightid=172.29.1.1
         keyexchange=    ike
         pfs=            no
         auto=           start

conn ubr1
         type=transport
         authby=secret
         # Collector eth0 IP address
         left=172.20.0.186
         leftid=172.20.0.186
         # CMTS IP
         right=172.29.1.1
         rightid=172.29.1.1
         keyexchange=    ike
         pfs=            no
         auto=           start

# You may put your configuration (.conf) file in "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf


# This file is auto-generated.  Do not modify.
conn host_0
         authby=secret
         auto=start
         dpdaction=restart
         dpddelay=10
         dpdtimeout=20
         ikelifetime=480s
         keyexchange=ike
         keylife=600s
         left=172.20.2.167
         leftid=172.20.2.167
         pfs=no
         rekeyfuzz=0%
         rekeymargin=180s
         right=172.20.2.226
         rightid=172.20.2.226
         type=transport



On 7/30/2012 7:08 PM, Muhammad El-Sergani wrote:
>
> Would be helpful as well if you could post your ipsec.conf file, as 
> well as any includes.
>
> Sent from my Galaxy Tab
>
> On Jul 31, 2012 1:06 AM, "Muhammad El-Sergani" <msergani at gmail.com 
> <mailto:msergani at gmail.com>> wrote:
>
>     Hello Igor,
>
>     I need to check my setup, this looks weird.
>     Are you running IPSec from CLI or through command service?
>
>     Also (and I'm not sure if that's normal or not, never checked) why
>     are you having two identical processes for Pluto running? Both
>     with different PIDs.
>
>     Sent from my Galaxy Tab
>
>     On Jul 31, 2012 12:54 AM, "Igor Lasic" <ilasic at yahoo.com
>     <mailto:ilasic at yahoo.com>> wrote:
>
>         Hello Muhammad, thanks for responding.
>
>         I am seeing TCP port 3082 opened as in below. We have also
>         tried with port 3081 and got the same result where pluto took it.
>
>         Unfortunately we cannot guarantee the order in which services
>         will start and cannot use other means such as SE security.
>
>         netstat -nap | grep 3082
>         tcp        0      0 0.0.0.0:3082      0.0.0.0:*          LISTEN      7450/sh
>         tcp        0      0 127.0.0.1:3082    127.0.0.1:44259    SYN_RECV    -
>         tcp        0      0 127.0.0.1:3082    127.0.0.1:44261    SYN_RECV    -
>         tcp        0      0 127.0.0.1:3082    127.0.0.1:45281    SYN_RECV    -
>         tcp      349      0 127.0.0.1:3082    127.0.0.1:49980    CLOSE_WAIT  -
>         tcp      345      0 127.0.0.1:3082    127.0.0.1:34400    CLOSE_WAIT  -
>         tcp      343      0 127.0.0.1:3082    127.0.0.1:49530    CLOSE_WAIT  -
>         tcp        0    345 127.0.0.1:44259   127.0.0.1:3082     FIN_WAIT1   -
>         tcp        0    329 127.0.0.1:44261   127.0.0.1:3082     FIN_WAIT1   -
>         tcp        0    329 127.0.0.1:45281   127.0.0.1:3082     ESTABLISHED 25856/httpd
>
>         [root at lang-armagent-2a ~]# ps -ef | grep 7450
>         root      7450     1  0 Jul23 ?        00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
>         root      7452  7450  0 Jul23 ?        00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
>         root      7455  7450  0 Jul23 ?        00:00:00 /bin/sh /usr/lib64/ipsec/_plutoload --wait no --post
>         root     28674  3185  0 22:39 pts/0    00:00:00 grep 7450
>
>         On 7/30/2012 6:29 PM, Muhammad El-Sergani wrote:
>>
>>         Hello Igor, what's that port number?
>>         This shouldn't happen I believe.
>>
>>         Sent from my Galaxy Tab
>>
>>         On Jul 31, 2012 12:28 AM, "Igor Lasic" <ilasic at yahoo.com
>>         <mailto:ilasic at yahoo.com>> wrote:
>>
>>             Hello everyone,
>>
>>             I have a problem where openswan ipsec opens out a TCP
>>             port when it starts that conflicts with our web service.
>>
>>             It appears the TCP port is not fixed as we've attempted
>>             to use a different port and ipsec service still showed up
>>             as listening on that port.
>>
>>             Anyone know what is the port used for and can the port be
>>             configured or can the "feature" be disabled?
>>
>>             Thanks,
>>
>>             Igor
>>
>>
>>
>>
>
