[Openswan Users] Issue with openswan opening a TCP port that conflicts with another service

Daniel Cave dan.cave at me.com
Tue Jul 31 07:59:37 EDT 2012


Hi Igor, Muhammad,

The output from Igor's netstat shows that Pluto is listening on port 3082, and at the same time receiving SYN packets from localhost on ports 44259 upwards (quite why, I'm not sure). This explains the additional processes spawned from the main pluto process.

My own Openswan ipsec config on my Centos5.x box shows Pluto listening on port 4500 (which is the default) along with port 500 for IKE/phase 1 auth.

[root at fcs01 ~]# netstat -npa|grep plu
udp        0      0 127.0.0.1:4500              0.0.0.0:*                               3806/pluto
udp        0      0 10.23.50.68:4500          0.0.0.0:*                               3806/pluto
udp        0      0 10.49.73.1:4500             0.0.0.0:*                               3806/pluto
udp        0      0 127.0.0.1:500               0.0.0.0:*                               3806/pluto
udp        0      0 10.23.50.68:500           0.0.0.0:*                               3806/pluto
udp        0      0 10.49.73.1:500              0.0.0.0:*                               3806/pluto
udp        0      0 ::1:500                     :::*                                    3806/pluto

Igor, I would hazard a guess that someone has edited your config (/etc/ipsec.d/ipsec.conf).

Are you doing port forwarding at your boundary router for IPsec connections and doing NAT by forwarding packets to your ipsec device/Linux host - which is listening on ?


> On Jul 31, 2012 12:54 AM, "Igor Lasic" <ilasic at yahoo.com> wrote:
>
>     Hello Muhammad, thanks for responding.
>
>     I am seeing TCP port 3082 opened as in below. We have also tried with port 3081 and got the same result where pluto took it.
 
This part is most interesting... you have a _lot_ of connections coming from localhost to localhost:3082. Since there are SYN_RECV, CLOSE_WAIT and FIN_WAIT packets, it implies that either Apache/httpd is configured to talk to ipsecd or one of your configs is messed up badly.

Time to get tcpdump and Wireshark out and capture your traffic - first I would check network configs, stop ipsec and see what your apps are doing.
>
>
>     Unfortunately we cannot guarantee the order in which services will start and cannot use other means such as SE security.
>
>     netstat -nap | grep 3082
>     tcp        0      0 0.0.0.0:3082                0.0.0.0:*                   LISTEN      7450/sh
>     tcp        0      0 127.0.0.1:3082              127.0.0.1:44259             SYN_RECV    -
>     tcp        0      0 127.0.0.1:3082              127.0.0.1:44261             SYN_RECV    -
>     tcp        0      0 127.0.0.1:3082              127.0.0.1:45281             SYN_RECV    -
>     tcp      349      0 127.0.0.1:3082              127.0.0.1:49980             CLOSE_WAIT  -
>     tcp      345      0 127.0.0.1:3082              127.0.0.1:34400             CLOSE_WAIT  -
>     tcp      343      0 127.0.0.1:3082              127.0.0.1:49530             CLOSE_WAIT  -
>     tcp        0    345 127.0.0.1:44259             127.0.0.1:3082              FIN_WAIT1   -
>     tcp        0    329 127.0.0.1:44261             127.0.0.1:3082              FIN_WAIT1   -
>     tcp        0    329 127.0.0.1:45281             127.0.0.1:3082              ESTABLISHED 25856/httpd
>
>     root at lang-armagent-2a ~]# ps -ef | grep 7450
>     root      7450     1  0 Jul23 ?        00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
>     root      7452  7450  0 Jul23 ?        00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug  --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive  --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen  --crlcheckinterval 0 --ocspuri  --nhelpers  --secctx_attr_value  --dump  --opts  --stderrlog  --wait no --pre  --post  --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
>     root      7455  7450  0 Jul23 ?        00:00:00 /bin/sh /usr/lib64/ipsec/_plutoload --wait no --post
>     root     28674  3185  0 22:39 pts/0    00:00:00 grep 7450
>
>     On 7/30/2012 6:29 PM, Muhammad El-Sergani wrote:
>>
>>     Hello Igor, what's that port number?
>>     This shouldn't happen I believe.
>>
>>     Sent from my Galaxy Tab
>>     On Jul 31, 2012 12:28 AM, "Igor Lasic" <ilasic at yahoo.com> wrote:
>>
>>         Hello everyone,
>>
>>         I have a problem where openswan ipsec opens a TCP port when it starts that conflicts with our web service.
>>
>>         It appears the TCP port is not fixed as we've attempted to use a different port and ipsec service still showed up as listening on that port.
>>
>>         Anyone know what the port is used for, and whether the port can be configured or the "feature" disabled?
>>
>>         Thanks,
>>
>>         Igor
>>
>>
>>

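As an added example (this is not code from the thread or from the Openswan project): a small Python script that parses `netstat -nap` lines like the ones quoted above and reports, per port, which process holds the listening socket, how the connections touching that port are spread across TCP states, and whether a listener is held by a plain shell rather than a daemon. A shell script does not open listening sockets itself, so a LISTEN socket owned by sh usually means the descriptor was inherited from whatever launched the script. The sample lines are constructed from the output quoted in the thread; the list of shell names is an assumption.

```python
"""Summarise netstat -nap output per port: who is listening, what states the
connections are in, and which listeners are held by a plain shell.

Added example, not from the thread. SAMPLE_NETSTAT is a constructed sample
modelled on the output quoted in the thread; SHELLS is an assumption."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample, not a live capture.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:3082                0.0.0.0:*                   LISTEN      7450/sh
tcp        0      0 127.0.0.1:3082              127.0.0.1:44259             SYN_RECV    -
tcp      349      0 127.0.0.1:3082              127.0.0.1:49980             CLOSE_WAIT  -
tcp        0    345 127.0.0.1:44259             127.0.0.1:3082              FIN_WAIT1   -
tcp        0    329 127.0.0.1:45281             127.0.0.1:3082              ESTABLISHED 25856/httpd
udp        0      0 10.23.50.68:500             0.0.0.0:*                               3806/pluto
udp        0      0 ::1:500                     :::*                                    3806/pluto
"""

# Assumed list of interpreter names that should never own a listening socket.
SHELLS = {"sh", "bash", "dash", "ksh"}


@dataclass
class Socket:
    proto: str
    local_addr: str
    local_port: int
    remote_port: Optional[int]   # None for the wildcard '*'
    state: str                   # '' for UDP, which netstat leaves blank
    owner: Optional[str]         # 'pid/program', or None when netstat printed '-'

    @property
    def program(self) -> Optional[str]:
        return self.owner.split("/", 1)[1] if self.owner else None

    @property
    def is_listener(self) -> bool:
        # TCP reports LISTEN; a bound UDP socket shows '*' as its foreign port.
        return self.state == "LISTEN" or (self.proto.startswith("udp") and self.remote_port is None)


def _endpoint(text):
    """Split 'host:port' (IPv6 included, e.g. '::1:500') on the last colon."""
    host, _, port = text.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text):
    """Parse the lines of `netstat -nap` into Socket records, skipping headers."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # header or unrelated line
        proto, local, remote = parts[0], parts[3], parts[4]
        if proto.startswith("tcp"):
            state, owner = parts[5], (parts[6] if len(parts) > 6 else "-")
        else:
            state, owner = "", parts[5]   # UDP has no State column
        laddr, lport = _endpoint(local)
        _, rport = _endpoint(remote)
        socks.append(Socket(proto, laddr, lport, rport, state, None if owner == "-" else owner))
    return socks


def listeners_by_port(socks):
    """Map local port -> ordered, de-duplicated list of owners holding it open."""
    out = {}
    for s in socks:
        if s.is_listener:
            owners = out.setdefault(s.local_port, [])
            if s.owner not in owners:
                owners.append(s.owner)
    return out


def connection_states(socks, port):
    """Count non-listening sockets that touch `port` on either end, by TCP state."""
    return Counter(s.state for s in socks
                   if s.state and not s.is_listener and port in (s.local_port, s.remote_port))


def shell_held_listeners(socks):
    """Listening sockets whose owning process is a plain shell: the descriptor
    was most likely inherited from whatever launched the script."""
    return [(s.local_port, s.owner) for s in socks
            if s.is_listener and s.program in SHELLS]


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    for port, owners in sorted(listeners_by_port(socks).items()):
        print(f"port {port}: held by {owners}, states {dict(connection_states(socks, port))}")
    for port, owner in shell_held_listeners(socks):
        print(f"port {port} is held by a shell ({owner}); check for an inherited descriptor")
```

On a live host you would feed it `netstat -nap` (or its `ss -nap` equivalent, after adjusting the column handling) and then compare the reported owner of the contested port against `ls -l /proc/<pid>/fd` to see where the socket descriptor came from.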