[Openswan Users] Issue with openswan opening a TCP port that conflicts with another service
Daniel Cave
dan.cave at me.com
Tue Jul 31 07:59:37 EDT 2012
Hi Igor, Muhammad,
The output from Igor's netstat shows that Pluto is listening on port 3082, and at the same time receiving SYN packets from localhost on ports 44259 upwards (quite why, I'm not sure). This explains the additional processes spawned from the main pluto process.
My own Openswan IPsec config on my CentOS 5.x box shows Pluto listening on port 4500 (which is the default) along with port 500 for IKE/phase 1 auth:
[root at fcs01 ~]# netstat -npa|grep plu
udp 0 0 127.0.0.1:4500 0.0.0.0:* 3806/pluto
udp 0 0 10.23.50.68:4500 0.0.0.0:* 3806/pluto
udp 0 0 10.49.73.1:4500 0.0.0.0:* 3806/pluto
udp 0 0 127.0.0.1:500 0.0.0.0:* 3806/pluto
udp 0 0 10.23.50.68:500 0.0.0.0:* 3806/pluto
udp 0 0 10.49.73.1:500 0.0.0.0:* 3806/pluto
udp 0 0 ::1:500 :::* 3806/pluto
Igor, I would hazard a guess that someone has edited your config (/etc/ipsec.d/ipsec.conf).
Are you doing port forwarding at your boundary router for IPsec connections, and doing NAT by forwarding packets to your IPsec device/Linux host, which is listening on ?
> On Jul 31, 2012 12:54 AM, "Igor Lasic" <ilasic at yahoo.com> wrote:
>
> Hello Muhammad, thanks for responding.
>
> I am seeing TCP port 3082 opened as in below. We have also tried with port 3081 and got the same result where pluto took it.
This part is most interesting... you have a _lot_ of connections coming from localhost to localhost:3082. Since there are SYN_RECV, CLOSE_WAIT and FIN_WAIT packets, it implies that either Apache/httpd is configured to talk to ipsecd or one of your configs is messed up badly.
Time to get tcpdump and Wireshark out and capture your traffic. First I would check network configs, stop ipsec and see what your apps are doing.
>
>
> Unfortunately we cannot guarantee the order in which services will start and cannot use other means such as SE security.
>
> netstat -nap | grep 3082
> tcp 0 0 0.0.0.0:3082 0.0.0.0:* LISTEN 7450/sh
> tcp 0 0 127.0.0.1:3082 127.0.0.1:44259 SYN_RECV -
> tcp 0 0 127.0.0.1:3082 127.0.0.1:44261 SYN_RECV -
> tcp 0 0 127.0.0.1:3082 127.0.0.1:45281 SYN_RECV -
> tcp 349 0 127.0.0.1:3082 127.0.0.1:49980 CLOSE_WAIT -
> tcp 345 0 127.0.0.1:3082 127.0.0.1:34400 CLOSE_WAIT -
> tcp 343 0 127.0.0.1:3082 127.0.0.1:49530 CLOSE_WAIT -
> tcp 0 345 127.0.0.1:44259 127.0.0.1:3082 FIN_WAIT1 -
> tcp 0 329 127.0.0.1:44261 127.0.0.1:3082 FIN_WAIT1 -
> tcp 0 329 127.0.0.1:45281 127.0.0.1:3082 ESTABLISHED 25856/httpd
>
> [root at lang-armagent-2a ~]# ps -ef | grep 7450
> root 7450 1 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
> root 7452 7450 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutorun --debug --uniqueids yes --force_busy no --nocrsend no --strictcrlpolicy no --nat_traversal yes --keep_alive --protostack netkey --force_keepalive no --disable_port_floating no --virtual_private %v4:10.0.0.0/8,%v4:192.168.0.0/16,%4:172.16.0.0/12 --listen --crlcheckinterval 0 --ocspuri --nhelpers --secctx_attr_value --dump --opts --stderrlog --wait no --pre --post --log daemon.error --plutorestartoncrash true --pid /var/run/pluto/pluto.pid
> root 7455 7450 0 Jul23 ? 00:00:00 /bin/sh /usr/lib64/ipsec/_plutoload --wait no --post
> root 28674 3185 0 22:39 pts/0 00:00:00 grep 7450
>
> On 7/30/2012 6:29 PM, Muhammad El-Sergani wrote:
>>
>> Hello Igor, what's that port number?
>> This shouldn't happen I believe.
>>
>> Sent from my Galaxy Tab
>> On Jul 31, 2012 12:28 AM, "Igor Lasic" <ilasic at yahoo.com> wrote:
>>
>> Hello everyone,
>>
>> I have a problem where openswan ipsec opens a TCP port when it starts that conflicts with our web service.
>>
>> It appears the TCP port is not fixed as we've attempted to use a different port and ipsec service still showed up as listening on that port.
>>
>> Anyone know what is the port used for and can the port be configured or can the "feature" be disabled?
>>
>> Thanks,
>>
>> Igor
>>
>>
>>
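The thread turns on who actually owns the listener on 3082: netstat attributes it to pid 7450, a /bin/sh running the _plutorun wrapper, and a listening descriptor opened in a wrapper shell is inherited by every child it forks unless it was marked close-on-exec, which netstat's single-pid column hides. The script below is an added example, not code from the list posting or from Openswan: it walks /proc/net/tcp and every /proc/<pid>/fd to list all processes holding a socket on a given local port. The function names are my own, and the sample table it carries is constructed to mirror the netstat output above (0C0A is 3082, ACE3 is 44259), not captured from the poster's host.

```shell
#!/bin/sh
# Added example, not from the thread or from Openswan: list every process
# that holds a TCP socket on a given local port by walking /proc directly.
# netstat -p names a single pid per socket (7450/sh above), but a listening
# fd opened by a wrapper shell is inherited by every child it forks unless
# it was marked close-on-exec, so the other holders stay invisible.

# Decimal port -> 4-digit uppercase hex, the encoding used in /proc/net/tcp.
port_to_hex() {
    printf '%04X' "$1"
}

# Print "inode state" for every row of a /proc/net/tcp(6)-format table whose
# local port matches. Args: port [table-file]; default is the live table.
# Kernel state codes: 01 ESTABLISHED, 03 SYN_RECV, 08 CLOSE_WAIT, 0A LISTEN.
# Inode 0 means the kernel has no full socket for the row yet (e.g. SYN_RECV).
tcp_inodes_for_port() {
    hex=$(port_to_hex "$1")
    table=${2:-/proc/net/tcp}
    # $2 is "hexaddr:hexport"; compare only the ":port" suffix so the same
    # code also works for the 32-hex-digit addresses in /proc/net/tcp6.
    awk -v p=":$hex" 'NR > 1 && substr($2, length($2) - 4) == p { print $10, $4 }' "$table"
}

# Print "pid cmdline" for every process whose fd table contains the socket
# inode given as $1. Reading other users' /proc/<pid>/fd requires root.
holders_of_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        if [ "$target" = "socket:[$1]" ]; then
            pid=${fd#/proc/}
            pid=${pid%%/*}
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

# Combine the two: for each live socket on the port, list all of its holders.
holders_of_port() {
    tcp_inodes_for_port "$1" | while read -r inode state; do
        [ "$inode" != "0" ] || continue
        printf 'inode %s state %s:\n' "$inode" "$state"
        holders_of_inode "$inode" | sed 's/^/  /'
    done
}

# Constructed sample table (not captured from the poster's host) shaped after
# the netstat output above: a LISTEN socket on 0.0.0.0:3082 (0C0A), one
# half-open peer from 127.0.0.1:44259 (ACE3), and an unrelated listener on 22.
SAMPLE_TCP_TABLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0C0A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0C0A 0100007F:ACE3 03 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4242 1 0000000000000000 100 0 0 10 0'

# Write the sample to a temp file and print its path, for offline runs.
sample_table_file() {
    f=$(mktemp "${TMPDIR:-/tmp}/tcp.XXXXXX")
    printf '%s\n' "$SAMPLE_TCP_TABLE" > "$f"
    printf '%s\n' "$f"
}

# Usage: sh port_holders.sh 3082   (on the affected host, as root)
# Without an argument, show the sample table's rows for port 3082 instead.
if [ -n "${1:-}" ]; then
    holders_of_port "$1"
else
    tcp_inodes_for_port 3082 "$(sample_table_file)"
fi
```

Run as root on the affected host with the port as its argument; if the listener's inode shows up in the fd tables of 7450, 7452 and 7455 alike, the socket was opened once by the wrapper and inherited, and the process that actually created it is the one to look at. Stopping ipsec, as suggested above, and rerunning the script shows whether httpd's peer on 3082 disappears with it.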