On Tue, 31 May 2016, Michael Furman wrote:
Unfortunately I cannot use iptables.
The request to the server can come both from the IPSec channel and from an end
user UI via another port (443).
The question is whether I can somehow recognize on the server that the request came from the IPSec channel
(that is, that it passed through IPsec encryption).
If you use the new VTI feature, you can tell by the packet emerging from
the vti device instead of emerging from the physical device. It requires
a modern iproute version that supports "mode vti".
See: https://libreswan.org/wiki/Route-based_VPN_using_VTI
Paul
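Paul's observation that tunnel traffic emerges from the vti device can be used without any iptables rule by pinning the server's listening socket to that interface. The following is an added example (not Libreswan's code and not from this thread); it assumes a Linux server with CAP_NET_RAW, a VTI interface named vti0, and the clear-text UI listener staying on 443.

```python
import socket

VTI_DEV = "vti0"   # assumed name of the Libreswan VTI interface (example value)
UI_PORT = 443      # the clear-text UI port mentioned in the thread
IFNAMSIZ = 16      # Linux interface-name buffer size
SO_BINDTODEVICE = getattr(socket, "SO_BINDTODEVICE", 25)  # Linux socket option

def make_listener(port, device=None, host=""):
    """Open a listening TCP socket.

    With device set, SO_BINDTODEVICE tells the kernel to hand this socket only
    connections whose packets arrived on that interface (needs CAP_NET_RAW).
    A listener pinned to vti0 therefore only ever sees requests that were
    decapsulated from the IPsec tunnel; no iptables rule is involved.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if device is not None:
        s.setsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, device.encode())
    s.bind((host, port))
    s.listen(16)
    return s

def bound_device(sock):
    """Name of the interface a socket is pinned to, or None if unpinned."""
    raw = sock.getsockopt(socket.SOL_SOCKET, SO_BINDTODEVICE, IFNAMSIZ)
    name = raw.split(b"\0", 1)[0].decode()
    return name or None

def request_origin(listener):
    """Trust label shared by every connection this listener yields."""
    return "ipsec" if bound_device(listener) == VTI_DEV else "clear"

def serve_once(listener):
    """Accept one connection and answer with the origin label (demo handler)."""
    conn, peer = listener.accept()
    with conn:
        conn.recv(4096)  # the request body is irrelevant for the demo
        origin = request_origin(listener)
        body = f"origin={origin} peer={peer[0]}\n".encode()
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
                     b"Content-Length: %d\r\n\r\n" % len(body) + body)
    return origin

if __name__ == "__main__":
    tunnel = make_listener(80, device=VTI_DEV)   # only IPsec-decapsulated requests
    ui = make_listener(UI_PORT)                   # clear-text UI on 443
    print(request_origin(tunnel), request_origin(ui))
    serve_once(tunnel)
```

Because the kernel enforces the interface check before the connection is accepted, the application never needs to inspect packet headers; it only needs to know which listener a connection came from.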
> From: [email protected]
> Date: Sun, 29 May 2016 14:32:04 -0400
> To: [email protected]
> CC: [email protected]; [email protected]
> Subject: Re: [Swan] How to recognize an HTTP request that passes through the IPSec channel?
>
> On Sun, May 29, 2016 at 02:13:19PM -0400, Paul Wouters wrote:
> > You can limit the tunnel to only allow port 80 traffic using leftprotoport=tcp/80 and rightprotoport=tcp/0
> >
> > But then you still need to be sure unencrypted traffic is blocked if that's what you want to happen.
>
> And of course HTTP traffic on a different port won't work. That would
> require a much more advanced way to recognize the protocol, and in fact
> iptables may in fact be the right tool for that.
>
> --
> Len Sorensen
_______________________________________________
Swan mailing list
[email protected]
https://lists.libreswan.org/mailman/listinfo/swan