
Specify IPSEC port range using ipsec-tools

November 4

Is it possible to require IPSEC on a port range? I want to require IPSEC for all incoming connections except a few public ports like 80 and 443, but don't want to restrict outgoing connections.

My SPD rules would look like:

    spdadd[80] tcp -P in none;
    spdadd[443] tcp -P in none;
    spdadd[0....32767] tcp -P in esp/require/transport;

In setkey manpage I see IP ranges, but no mention of port ranges.

(The idea is to use IPSEC as a sort of VPN to protect internal communications between multiple servers. Instead of configuring permissions basing on source IPs, or configuring specific ports, I want to demand IPSEC on anything which is not meant to be public - I feel it's less error-prone this way.)


Yes, while you can indeed specify an IP range, there's no way to specify a port range. This means that you need to enter a rule for each port, or more simply you can use a script for that, e.g.:

perl -e 'print "spdadd[$_] tcp -P in esp/require/transport;\n" for (1..32767)' >run.sh

I assume that those servers are not located in the same datacenter. This actually can cause serious efficiency problems, unless there's a fast connection between those servers and/or you choose a fast encryption algorithm for IPSEC.

Performance comparison of IPsec and TLS Based VPNs
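The generator below is an added example and not the answerer's one-liner or anything shipped with ipsec-tools. It emits one setkey(8) `spdadd` entry per inbound TCP port, writing a `none` policy for the public ports and `esp/require/transport` for everything else in the range, so the public ports are never covered by two overlapping entries and the result does not depend on SPD matching order. The source and destination addresses (`10.0.0.0/24`, `10.0.0.5`) and the port values in the usage comment are constructed placeholders; outbound traffic is left without a policy, as the question asks.

```shell
#!/bin/sh
# gen_spd: print setkey(8) SPD entries that require ESP in transport mode for
# inbound TCP traffic on every port in FIRST..LAST, except the ports listed
# after LAST, which get a "none" (cleartext permitted) policy instead.
# Added example, not code from the post. The addresses in the usage comment
# below are constructed placeholders; substitute the real peer network and host.
# usage: gen_spd SRC DST FIRST LAST [PUBLIC_PORT...]
gen_spd() {
    src=$1; dst=$2; first=$3; last=$4
    shift 4
    public=" $* "          # space-padded so whole port numbers can be matched
    port=$first
    while [ "$port" -le "$last" ]; do
        case "$public" in
            *" $port "*) policy='none' ;;
            *)           policy='esp/require/transport' ;;
        esac
        # setkey address syntax: address[/prefixlen][port]
        printf 'spdadd %s %s[%s] tcp -P in %s;\n' "$src" "$dst" "$port" "$policy"
        port=$((port + 1))
    done
}

# Write a complete setkey configuration: flush the SPD first, then one entry
# per port. No "-P out" entries are generated, so outbound traffic is untouched.
write_config() {
    printf 'spdflush;\n'
    gen_spd "$@"
}

# Example (constructed values): peers in 10.0.0.0/24 reaching host 10.0.0.5,
# ports 80 and 443 public, every other port up to 32767 requiring ESP.
#   write_config 10.0.0.0/24 10.0.0.5 1 32767 80 443 > /tmp/spd.conf
#   setkey -f /tmp/spd.conf
```

Keeping the exceptions as explicit `none` entries rather than simply omitting them makes the intent visible in `setkey -DP` output, and the per-port loop makes the cost of the approach obvious: one SPD entry per port, which is worth checking against the kernel's policy lookup performance before applying tens of thousands of entries on a busy host.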
