[Openswan Users] Issue with openswan opening a TCP port that conflicts with another service
Igor Lasic
ilasic at yahoo.com
Mon Jul 30 19:41:22 EDT 2012
We are using "service ipsec xxx" to control the ipsec.
I think both pluto processes are spawned by the control process (7450).
We are running with threading.
Here are config files.
Igor
[root at larry1 ~]# cat /etc/ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.16 2005/07/26 12:29:45 ken Exp $
# This file: /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual: ipsec.conf.5
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Do not set debug= options to debug configuration issues!
# plutodebug / klipsdebug = "all", "none" or a combination from below:
# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
# eg:
# plutodebug="control parsing"
#
# enable to get logs per-peer
# plutoopts="--perpeerlog"
#
# Only enable *debug=all if you are a developer
#
# NAT-TRAVERSAL support, see README.NAT-Traversal
nat_traversal=yes
# exclude networks used on server side by adding %v4:!a.b.c.0/24
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12
# OE is now off by default. Uncomment and change to on, to enable.
OE=off
# which IPsec stack to use. netkey,klips,mast,auto or none
protostack=netkey
# Add connections here
conn sample
type= transport
authby= secret
# Collector eth0 IP address
left= 172.20.0.186
leftid= 172.20.0.186
# CMTS IP
right= 172.20.2.226
rightid= 172.20.2.226
keyexchange= ike
pfs= no
auto= start
conn sample1
type= transport
authby= secret
# Collector eth0 IP address
left= 172.20.0.181
leftid= 172.20.0.181
# CMTS IP
right= 172.20.2.226
rightid= 172.20.2.226
keyexchange= ike
pfs= no
auto= start
conn ubr
type=transport
authby=secret
# Collector eth0 IP address
left=172.20.0.181
leftid=172.20.0.181
# CMTS IP
right=172.29.1.1
rightid=172.29.1.1
keyexchange= ike
pfs= no
auto= start
conn ubr1
type=transport
authby=secret
# Collector eth0 IP address
left=172.20.0.186
leftid=172.20.0.186
# CMTS IP
right=172.29.1.1
rightid=172.29.1.1
keyexchange= ike
pfs= no
auto= start
# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
# This file is auto-generated. Do not modify.
conn host_0
authby=secret
auto=start
dpdaction=restart
dpddelay=10
dpdtimeout=20
ikelifetime=480s
keyexchange=ike
keylife=600s
left=172.20.2.167
leftid=172.20.2.167
pfs=no
rekeyfuzz=0%
rekeymargin=180s
right=172.20.2.226
rightid=172.20.2.226
type=transport
On 7/30/2012 7:08 PM, Muhammad El-Sergani wrote:
>
> Would be helpful as well if you could post your ipsec.conf file, as
> well as any includes.
>
> Sent from my Galaxy Tab
>
> On Jul 31, 2012 1:06 AM, "Muhammad El-Sergani" <msergani at gmail.com
> <mailto:msergani at gmail.com>> wrote:
>
> Hello Igor,
>
> I need to check my setup, this looks weird.
> Are you running IPSec from CLI or through command service?
>
> Also (and I'm not sure if that's normal or not, never checked) why
> are you having two identical processes for Pluto running? Both
> with different PIDs.
>
> Sent from my Galaxy Tab
>
> On Jul 31, 2012 12:54 AM, "Igor Lasic" <ilasic at yahoo.com
> <mailto:ilasic at yahoo.com>> wrote:
>
> Hello Muhammad, thanks for responding.
>
> I am seeing TCP port 3082 opened as in below. We have also
> tried with port 3081 and got the same result where pluto took it.
>
> Unfortunately we cannot guarantee the order in which services
> will start and cannot use other means such as SE security.
>
> netstat -nap | grep 3082
> tcp 0 0 0.0.0.0:3082 0.0.0.0:* LISTEN 7450/sh
> tcp 0 0 127.0.0.1:3082 127.0.0.1:44259 SYN_RECV -
> tcp 0 0 127.0.0.1:3082 127.0.0.1:44261 SYN_RECV -
> tcp 0 0 127.0.0.1:3082 127.0.0.1:45281 SYN_RECV -
> tcp 349 0 127.0.0.1:3082 127.0.0.1:49980 CLOSE_WAIT -
> tcp 345 0 127.0.0.1:3082 127.0.0.1:34400 CLOSE_WAIT -
> tcp 343 0 127.0.0.1:3082 127.0.0.1:49530 CLOSE_WAIT -
> tcp 0 345 127.0.0.1:44259 127.0.0.1:3082 FIN_WAIT1 -
> tcp 0 329 127.0.0.1:44261 127.0.0.1:3082 FIN_WAIT1 -
> tcp 0 329 127.0.0.1:45281 127.0.0.1:3082 ESTABLISHED 25856/httpd
>
> [root at lang-armagent-2a ~]# ps -ef | grep 7450
> root 7450 1 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
> root 7452 7450 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
> root 7455 7450 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutoload --wait no --post
> root 28674 3185 0 22:39 pts/0 00:00:00 grep 7450
>
> On 7/30/2012 6:29 PM, Muhammad El-Sergani wrote:
>>
>> Hello Igor, what's that port number?
>> This shouldn't happen I believe.
>>
>> Sent from my Galaxy Tab
>>
>> On Jul 31, 2012 12:28 AM, "Igor Lasic" <ilasic at yahoo.com
>> <mailto:ilasic at yahoo.com>> wrote:
>>
>> Hello everyone,
>>
>> I have a problem where openswan ipsec opens out a TCP
>> port when it starts that conflicts with our web service;.
>>
>> It appears the TCP port is not fixed as we've attempted
>> to use a different port and ipsec service still showed up
>> as listening on that port.
>>
>> Anyone know what is the port used for and can the port be
>> configured or can the "feature" be disabled?
>>
>> Thanks,
>>
>> Igor
>>
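As an added example (not code from this thread or from Openswan), the two checks Igor ran, "netstat -nap" and "ps -ef", turned into a small POSIX shell script: it reads the command output on stdin, reports which PID/program is listening on a port and what command line sits behind a PID, and offers a pre-start "is the port free" check for a service whose start order cannot be guaranteed. The sample netstat and ps lines embedded below are constructed, modelled on the ones quoted above.

```shell
#!/bin/sh
# Both functions read command output on stdin, so on a live host:
#   netstat -nap | listen_owner 3082        ps -ef | command_of 7450

# Print the "PID/Program" column of the socket LISTENing on port $1
# (any local address: 0.0.0.0, 127.0.0.1 or :::), or "none" if nobody is.
listen_owner() {
    awk -v p="$1" '
        $6 == "LISTEN" && $4 ~ (":" p "$") { print $7; found = 1; exit }
        END { if (!found) print "none" }'
}

# Print the CMD column (field 8 onward) of PID $1 from "ps -ef" output,
# i.e. what the owner shown by netstat is actually running.
command_of() {
    awk -v pid="$1" '
        $2 == pid { for (i = 8; i <= NF; i++) printf "%s%s", $i, (i < NF ? " " : "\n"); exit }'
}

# Pre-start check: exit 0 when port $1 is free, 1 (naming the owner) when taken.
port_is_free() {
    owner=$(listen_owner "$1")
    [ "$owner" = "none" ] && return 0
    echo "port $1 is already held by $owner"
    return 1
}

# Constructed samples, modelled on the netstat/ps lines quoted in the thread.
# The udp line has no State column, so it is skipped by listen_owner.
SAMPLE_NETSTAT='tcp 0 0 0.0.0.0:3082 0.0.0.0:* LISTEN 7450/sh
tcp 0 0 127.0.0.1:3082 127.0.0.1:44259 SYN_RECV -
tcp 0 329 127.0.0.1:45281 127.0.0.1:3082 ESTABLISHED 25856/httpd
udp 0 0 0.0.0.0:500 0.0.0.0:* 7460/pluto'
SAMPLE_PS='root 7450 1 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes
root 25856 1 0 Jul23 ? 00:00:00 /usr/sbin/httpd'

# Wrappers that feed the samples in, so the checks run offline.
sample_owner()   { printf '%s\n' "$SAMPLE_NETSTAT" | listen_owner "$1"; }
sample_command() { printf '%s\n' "$SAMPLE_PS" | command_of "$1"; }

sample_owner 3082                                   # 7450/sh
sample_command "$(sample_owner 3082 | cut -d/ -f1)" # the _plutorun shell
printf '%s\n' "$SAMPLE_NETSTAT" | port_is_free 3082 || echo "start of web service should be refused"
```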