Specify IPSEC port range using ipsec-tools

Posted by Sandman4 on Server Fault See other posts from Server Fault or by Sandman4
Published on 2012-11-04T16:04:45Z Indexed on 2012/11/04 17:03 UTC
Read the original article Hit count: 719

Filed under:
|
|

Is it possible to require IPSEC on a port range ? I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections.

My SPD rules would look like:

spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[443] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[0....32767] tcp -P in esp/require/transport;

In setkey manpage I see IP ranges, but no mention of port ranges.

(The idea is to use IPSEC as a sort of VPN to protect internal communications between multiple servers. Instead of configuring permissions basing on source IPs, or configuring specific ports, I want to demand IPSEC on anything which is not meant to be public - I feel it's less error-prone this way.)

© Server Fault or respective owner

Related posts about linux

Related posts about linux-networking