Specify IPSEC port range using ipsec-tools

Posted by Sandman4 on Server Fault See other posts from Server Fault or by Sandman4
Published on 2012-11-04T16:04:45Z Indexed on 2012/11/04 17:03 UTC
Read the original article Hit count: 663

Filed under:

linux

|

linux-networking

|

ipsec

Is it possible to require IPSEC on a port range ? I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections.

My SPD rules would look like:

spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[443] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[0....32767] tcp -P in esp/require/transport;

In setkey manpage I see IP ranges, but no mention of port ranges.

(The idea is to use IPSEC as a sort of VPN to protect internal communications between multiple servers. Instead of configuring permissions basing on source IPs, or configuring specific ports, I want to demand IPSEC on anything which is not meant to be public - I feel it's less error-prone this way.)

© Server Fault or respective owner

Related posts about linux

apt-get install and update fail

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I've got a problem with apt-get update and apt-get install ... commands . every time update or installing fails and errors are : Get:1 http://dl.google.com stable Release.gpg [198B] Ign http://dl.google.com/linux/chrome/deb/ stable/main Translation-en_US Get:2 http://dl… >>> More
kernel module compiling error

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
sh@ubuntu:/home/ccpp/helloworld$ make gcc-4.6 -O2 -DMODULE -D_KERNEL_ -W -Wall -Wstrict-prototypes -Wmissing-prototypes -isystem /lib/modules/`uname -r`/build/include -c -o hello-1.o hello-1.c hello-1.c:4:0: warning: "MODULE" redefined [enabled by default] <command-line>:0:0: note: this is… >>> More
Build-Essentials installation failing

as seen on Ask Ubuntu - Search for 'Ask Ubuntu'
I am having trouble accessing the several critical header files that show to be a part of the build process. The "Ubuntu Software Center" shows "Build Essentials" as installed: Next I did the following two commands, which did not improve the problem: ~$ sudo apt-get install build-essential [sudo]… >>> More
Updating Debian kernel

as seen on Super User - Search for 'Super User'
I'm trying to update my Debian machine to 2.6.32-46 (which is the new stable). However, after doing apt-get update my apt-cache search linux-image shows me: linux-headers-2.6.32-5-486 - Header files for Linux 2.6.32-5-486 linux-headers-2.6.32-5-686-bigmem - Header files for Linux 2.6.32-5-686-bigmem linux-headers-2… >>> More
Serial connection over a single USB cable (Windows to linux, or linux to linux)

as seen on Server Fault - Search for 'Server Fault'
I'm helping out with a project for an embedded device that only has USB and no serial. This device is running Linux. These days, when we need to connect to a serial port on a device we typically use a USB to serial adapter (on something like a phone system or a load balancing device, etc). I would… >>> More

Related posts about linux-networking

Tutorial: 7 Useful Linux Networking Commands

as seen on Internet.com - Search for 'Internet.com'
Eric Geier introduces us to to seven powerful commands for troubleshooting and configuring Linux networking, both wired and wireless. >>> More
Linux networking "jail" for a single process

as seen on Server Fault - Search for 'Server Fault'
I need to tune up a networking app for network specific things like: make it use a DNS server different than the default one from /etc/resolv.conf make sure it does not try to connect to certain hosts/ports using tcp/udp connections I know I can get away with just modifying /etc/resolv.conf and… >>> More
What do "Unknown SSAP" and "Unknown DSAP" mean in tcpdump?

as seen on Server Fault - Search for 'Server Fault'
While trying to fix a problem with intermittently losing internet connection on a machine with a wireless connection to a router, I ran tcpdump and noticed packets with "Unknown SSAP" and "Unknown DSAP" errors coming at a rate of a few per second. 20:27:21.703178 00:24:a5:af:24:f6 (oui Unknown) Unknown… >>> More
Dual NIC Networking CentOS 5.3 (losing connection)

as seen on Server Fault - Search for 'Server Fault'
I have a CentOS System with two NICs on it. One is Ethernet the other is Wireless. The Ethernet has an address of 192.168.1.110 and is tied to a LAN. (The LAN provides DHCP and DNS for its domain of 192.168.1.*) The Wireless card should have an address of 131.238.. and is tied to the WAN. For… >>> More
Linux e1000e (Intel networking driver) problems galore, where do I start?

as seen on Server Fault - Search for 'Server Fault'
I'm currently having a major problem with e1000e (not working at all) in Ubuntu Maverick (1.0.2-k4), after resume I'm getting a lot of stuff in dmesg: [ 9085.820197] e1000e 0000:02:00.0: PCI INT A disabled [ 9089.907756] e1000e: Intel(R) PRO/1000 Network Driver - 1.0.2-k4 [ 9089.907762] e1000e: Copyright… >>> More