IPsec flow portrange problem

2008-09-04 Thread Michael

Hi,

I am trying to set up IPsec and also exclude some parts from getting 
processed by IPsec.


In IPSEC.CONF(5) the description says

[...]
from src [port sport] to dst [port dport]
[...]
The optional port modifiers restrict the flows to the specified ports
[...]

It is possible to supply multiple src and dst addresses if inside {}.

However, I also would like to add a port range instead of having to 
manually write one entry for every flow, but it seems that it is only 
possible to add one single port.


Is that right? Did someone manage to add a port range?

I would need something like:
flow esp proto udp from X.X.X.X to Y.Y.Y.Y port 5000:5050 type bypass


Thanks in advance,
Michael



Re: IPsec flow portrange problem

2008-09-04 Thread Markus Friedl
AFAIK it's not supported in IKE, so it's not supported in ipsec.conf

On Thu, Sep 04, 2008 at 10:37:25AM +0200, Michael wrote:
> Hi,
> 
> I am trying to set up IPsec and also exclude some parts from getting 
> processed by IPsec.
> 
> In IPSEC.CONF(5) the description says
> 
> [...]
> from src [port sport] to dst [port dport]
> [...]
> The optional port modifiers restrict the flows to the specified ports
> [...]
> 
> It is possible to supply multiple src and dst addresses if inside {}.
> 
> However, I also would like to add a port range instead of having to 
> manually write one entry for every flow, but it seems that it is only 
> possible to add one single port.
> 
> Is that right? Did someone manage to add a port range?
> 
> I would need something like:
> flow esp proto udp from X.X.X.X to Y.Y.Y.Y port 5000:5050 type bypass
> 
> 
> Thanks in advance,
> Michael



Re: IPsec flow portrange problem

2008-09-04 Thread Michael

Hi,

thanks for your answer.

Markus Friedl wrote:
> AFAIK it's not supported in IKE, so it's not supported in ipsec.conf


Something like port { 1000 1001 ... } would be nice too, but also 
doesn't seem to work. It works for from/to { IP1 IP2 ... } though. At 
least I did not manage to set it up like that with port.


If that currently also isn't possible, it would be a nice to have 
feature for a cleaner ipsec.conf file. Automatic expansion of port 
ranges would be even better... :-)



Michael
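Since ipsec.conf(5) takes a single port per flow and no range or brace list for ports, the practical workaround for the "automatic expansion" Michael asks for is to generate one flow line per port outside the config. The script below is an added example, not code from the thread or from OpenBSD; the addresses are RFC 5737 documentation placeholders standing in for the X.X.X.X / Y.Y.Y.Y of the original question, and the function name is made up here. It refuses malformed or empty ranges before emitting anything, so a typo cannot silently produce zero bypass flows.

```shell
#!/bin/sh
# Expand a destination port range into one ipsec.conf(5) "flow" line per port,
# since the config syntax accepts "port N" but not "port N:M" or "port { N M }".
# Usage: expand_flow_range PROTO SRC DST FIRST_PORT LAST_PORT TYPE
expand_flow_range() {
    proto=$1; src=$2; dst=$3; first=$4; last=$5; type=$6

    # Validate the range before printing anything: an empty or non-numeric
    # range should fail loudly, not yield a config with no bypass entries.
    [ -n "$first" ] && [ -n "$last" ] || { echo "missing port bounds" >&2; return 1; }
    case "$first$last" in
        *[!0-9]*) echo "ports must be numeric: $first:$last" >&2; return 1 ;;
    esac
    [ "$first" -le "$last" ] || { echo "empty range $first:$last" >&2; return 1; }
    [ "$last" -le 65535 ] || { echo "port above 65535: $last" >&2; return 1; }

    # One SPD entry per port; keep ranges tight, every line is a kernel flow.
    p=$first
    while [ "$p" -le "$last" ]; do
        printf 'flow esp proto %s from %s to %s port %s type %s\n' \
            "$proto" "$src" "$dst" "$p" "$type"
        p=$((p + 1))
    done
}

# Number of flow lines a call would produce (for a sanity check before loading).
count_flows() {
    expand_flow_range "$@" | wc -l | tr -d ' '
}

# Constructed example matching the original question (5000-5050, UDP, bypass).
# 192.0.2.10 and 198.51.100.20 are placeholder addresses, not real hosts.
expand_flow_range udp 192.0.2.10 198.51.100.20 5000 5050 bypass
```

Redirect the output into a file and parse it with `ipsecctl -n -f file` before loading it for real; `-n` checks the syntax without touching the kernel SPD, which is where a mistyped port or type keyword would otherwise surface.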