Specify IPSEC port range using ipsec-tools
Posted by Sandman4 on Server Fault. Published on 2012-11-04T16:04:45Z.
Is it possible to require IPSEC on a port range ? I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections.
My SPD rules would look like:
spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[443] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[0....32767] tcp -P in ipsec esp/transport//require;
In the setkey man page I see IP ranges, but no mention of port ranges.
(The idea is to use IPSEC as a sort of VPN to protect internal communications between multiple servers. Instead of configuring permissions based on source IPs, or configuring specific ports, I want to demand IPSEC on anything which is not meant to be public - I feel it's less error-prone this way.)
© Server Fault or respective owner
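The policy the question describes can be expressed without a port range: setkey selectors take a single port or `any`, so the catch-all rule uses `any` and the per-port exemptions are placed ahead of it with an explicit priority. The script below is an added example, not code from the question or from ipsec-tools. It assumes the Linux build of ipsec-tools' setkey, whose `-P` policy accepts a `prio N` specification (a lower value is consulted first; the man page also accepts symbolic `low`/`def`/`high` bases), so confirm the keyword in your installed setkey(8) before loading the output with `setkey -f`. The `lookup` helper models which rule the priorities are meant to select; the kernel's view (`setkey -DP`) is the authority.

```shell
#!/bin/sh
# Added example (not from the original question). Generates a setkey SPD that
# exempts a few public TCP ports (plus IKE) from IPsec and requires ESP in
# transport mode for every other inbound packet. Assumption: ipsec-tools
# setkey on Linux with "prio N" support; check your setkey(8).
set -f   # "[80]"-style selectors must not be expanded as shell globs

# gen_spd PUBLIC_TCP_PORT... : print the SPD rules to stdout.
gen_spd() {
    echo "spdflush;"
    for p in "$@"; do
        # Public service: clear-text inbound allowed on this TCP port only.
        echo "spdadd 0.0.0.0/0 0.0.0.0/0[$p] tcp -P in prio 1000 none;"
    done
    # IKE must be reachable in the clear if racoon negotiates the SAs;
    # drop these two lines if you load SAs manually with "add".
    echo "spdadd 0.0.0.0/0 0.0.0.0/0[500] udp -P in prio 1000 none;"
    echo "spdadd 0.0.0.0/0 0.0.0.0/0[4500] udp -P in prio 1000 none;"
    # Everything else inbound, any upper-layer protocol, must arrive in ESP.
    # No "out" policy is emitted, so outgoing traffic stays unrestricted.
    echo "spdadd 0.0.0.0/0 0.0.0.0/0 any -P in prio 3000 ipsec esp/transport//require;"
}

# lookup PROTO PORT PUBLIC_TCP_PORT... : print the policy ("none" or
# "require") that the generated rules select for an inbound PROTO packet to
# PORT, by taking the matching rule with the lowest priority value.
lookup() {
    proto=$1; port=$2; shift 2
    rules=$(gen_spd "$@")
    best_prio=""; best=""
    while IFS= read -r line; do
        case $line in spdadd*) ;; *) continue ;; esac
        set -- $line
        # $3=dst[port]  $4=upper-layer proto  $8=prio value
        # $9=none|ipsec  $10=protocol/mode/addrs/level (ipsec rules only)
        dst=$3; upper=$4; prio=$8; kind=${9%;}
        dport=${dst#*\[}; dport=${dport%\]}
        [ "$dport" = "$dst" ] && dport=any      # no [port] given: matches any
        [ "$upper" = any ] || [ "$upper" = "$proto" ] || continue
        [ "$dport" = any ] || [ "$dport" = "$port" ] || continue
        if [ "$kind" = none ]; then
            pol=none
        else
            pol=${10%;}; pol=${pol##*/}          # level: require/use/default
        fi
        if [ -z "$best_prio" ] || [ "$prio" -lt "$best_prio" ]; then
            best_prio=$prio; best=$pol
        fi
    done <<EOF
$rules
EOF
    echo "$best"
}

# Usage: emit the configuration for two public ports; pipe into "setkey -f -"
# or save to a file and load it with "setkey -f FILE".
gen_spd 80 443
```

Note that the exemptions are TCP-only: an inbound UDP datagram to port 80 still hits the catch-all and is dropped unless it arrived in ESP, which is what the `lookup udp 80 ...` check below confirms.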