Linux – Specify IPSEC port range using ipsec-tools

Tags: ipsec, linux, linux-networking

Is it possible to require IPSEC on a port range?
I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections.

My SPD rules would look like:

spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[443] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[0....32767] tcp -P in esp/require/transport;

In setkey manpage I see IP ranges, but no mention of port ranges.

(The idea is to use IPSEC as a sort of VPN to protect internal communications between multiple servers. Instead of configuring permissions basing on source IPs, or configuring specific ports, I want to demand IPSEC on anything which is not meant to be public – I feel it's less error-prone this way.)

Best Answer

Yes, while you can indeed specify an IP range, there's no way to specify a port range. This means that you need to enter a rule for each port, or more simply you can use a script for that e.g.:

perl -e 'print "spdadd 0.0.0.0/0 0.0.0.0/0[$_] tcp -P in esp/require/transport;\n" for (1..32767)' >run.sh

I assume that those servers are not located in the same datacenter. This actually can cause serious efficiency problems, unless there's a fast connection between those servers and/or you choose a fast encryption algorithm for IPSEC.

Performance comparison of IPsec and TLS Based VPNs
