Is it possible to require IPSEC on a port range ?
I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections.
My SPD rules would look like:
spdadd 0.0.0.0/0 0.0.0.0/0[80] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[443] tcp -P in none;
spdadd 0.0.0.0/0 0.0.0.0/0[0....32767] tcp -P in esp/require/transport;
In setkey
manpage I see IP ranges, but no mention of port ranges.
(The idea is to use IPSEC as a sort of VPN to protect internal communications between multiple servers. Instead of configuring permissions basing on source IPs, or configuring specific ports, I want to demand IPSEC on anything which is not meant to be public – I feel it's less error-prone this way.)
Best Answer
Yes, while you can indeed specify a IP range, there's no way to specify a port range. This means that you need to enter a rule for each port, or more simply you can use a script for that e.g.:
I assume that those servers are not located in the same datacenter. This actually can cause serious efficiency problems, unless there's a fast connection between those servers and/or you choose a fast encryption algorithm for IPSEC.
Performance comparison of IPsec and TLS Based VPNs