IPsec flow portrange problem
Hi,

I am trying to set up IPsec and also exclude some parts from getting processed by IPsec. In IPSEC.CONF(5) the description says

    [...] from src [port sport] to dst [port dport] [...]
    The optional port modifiers restrict the flows to the specified ports [...]

It is possible to supply multiple src and dst addresses if inside {}. However, I also would like to add a portrange instead of having to manually write one entry for every flow, but it seems that it is only possible to add one single port. Is that right? Did someone manage to add a portrange?

I would need something like:

    flow esp proto udp from X.X.X.X to Y.Y.Y.Y port 5000:5050 type bypass

Thanks in advance,
Michael

Re: IPsec flow portrange problem
AFAIK it's not supported in IKE, so it's not supported in ipsec.conf

On Thu, Sep 04, 2008 at 10:37:25AM +0200, Michael wrote:
> Hi,
>
> I am trying to set up IPsec and also exclude some parts from getting processed by IPsec. In IPSEC.CONF(5) the description says
>
>     [...] from src [port sport] to dst [port dport] [...]
>     The optional port modifiers restrict the flows to the specified ports [...]
>
> It is possible to supply multiple src and dst addresses if inside {}. However, I also would like to add a portrange instead of having to manually write one entry for every flow, but it seems that it is only possible to add one single port. Is that right? Did someone manage to add a portrange?
>
> I would need something like:
>
>     flow esp proto udp from X.X.X.X to Y.Y.Y.Y port 5000:5050 type bypass
>
> Thanks in advance,
> Michael

Re: IPsec flow portrange problem
Hi,

thanks for your answer.

Markus Friedl wrote:
> AFAIK it's not supported in IKE, so it's not supported in ipsec.conf

Something like port { 1000 1001 ... } would be nice too, but also doesn't seem to work. It works for from/to { IP1 IP2 ... } though. At least I did not manage to set it up like that with port.

If that currently also isn't possible, it would be a nice-to-have feature for a cleaner ipsec.conf file. Automatic expansion of port ranges would be even better... :-)

Michael
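
Added example, not part of the thread: since a flow takes a single port, the per-port bypass entries for a range can be generated instead of typed by hand. The function name expand_flows and the 192.0.2.1 / 198.51.100.1 addresses are assumptions made for this example; each output line follows the flow from the first message with one port in place of the range.

```shell
#!/bin/sh
# Added example: expand FIRST:LAST into one ipsec.conf bypass flow per port.
# expand_flows is a hypothetical helper name; addresses below are constructed.
# Usage: expand_flows PROTO SRC DST FIRST:LAST

expand_flows() {
    proto=$1 src=$2 dst=$3 range=$4

    # Port modifiers are only meaningful for tcp and udp.
    case $proto in
        tcp|udp) ;;
        *) echo "unsupported proto: $proto" >&2; return 1 ;;
    esac

    # Accept exactly FIRST:LAST, digits only.
    case $range in
        *:*:*|:*|*:|*[!0-9:]*) echo "bad range: $range" >&2; return 1 ;;
        *:*) ;;
        *) echo "bad range: $range" >&2; return 1 ;;
    esac
    first=${range%%:*}
    last=${range##*:}

    # Reject 0, leading zeros (octal ambiguity) and anything above 65535.
    for p in "$first" "$last"; do
        case $p in
            ''|0*|??????*) echo "bad port: $p" >&2; return 1 ;;
        esac
        [ "$p" -le 65535 ] || { echo "bad port: $p" >&2; return 1; }
    done
    [ "$first" -le "$last" ] || { echo "reversed range: $range" >&2; return 1; }

    # Emit one flow per port, in the single-port form ipsec.conf accepts.
    p=$first
    while [ "$p" -le "$last" ]; do
        printf 'flow esp proto %s from %s to %s port %s type bypass\n' \
            "$proto" "$src" "$dst" "$p"
        p=$((p + 1))
    done
}

# Stand-alone use: sh expand.sh udp 192.0.2.1 198.51.100.1 5000:5050
if [ $# -eq 4 ]; then
    expand_flows "$@"
fi
```

The generated lines can be reviewed and pasted into ipsec.conf, then checked with `ipsecctl -n -f /etc/ipsec.conf` before loading.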