[Swan] How to recognize an HTTP request that passes through the IPSec channel?

Paul Wouters paul at nohats.ca
Wed Jun 1 15:58:39 UTC 2016


On Tue, 31 May 2016, Michael Furman wrote:

> Unfortunately I can not use iptables.
> 
> The request to the server can come both from the IPSec channel and from an end user UI via other port (443).
> 
> The question is whether I can somehow recognize on the server that the request came from the IPSec channel
> (that is, passed through IPsec encryption).

If you use the new VTI feature, you can tell by the packet emerging from
the vti device instead of emerging from the physical device. It requires
a modern iproute version that supports "mode vti".

See: https://libreswan.org/wiki/Route-based_VPN_using_VTI

Paul

> 
> > From: lsorense at csclub.uwaterloo.ca
> > Date: Sun, 29 May 2016 14:32:04 -0400
> > To: paul at nohats.ca
> > CC: michael_furman at hotmail.com; swan at lists.libreswan.org
> > Subject: Re: [Swan] How to recognize an HTTP request that passes through the IPSec channel?
> >
> > On Sun, May 29, 2016 at 02:13:19PM -0400, Paul Wouters wrote:
> > > You can limit the tunnel to only allow port 80 traffic using leftprotoport=tcp/80 and rightprotoport=tcp/0
> > >
> > > But then you still need to be sure unencrypted traffic is blocked if that's what you want to happen.
> >
> > And of course HTTP traffic on a different port won't work. That would
> > require a much more advanced way to recognize the protocol, and in fact
> > iptables may in fact be the right tool for that.
> >
> > --
> > Len Sorensen
> 
>
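As an added example (not part of the thread or of libreswan itself) of acting on Paul's hint, the script below shows two ways a server can tell VTI-delivered connections from direct ones once a route-based VPN with a `mode vti` device is in place. The precise form of "the packet emerged from the vti device" is to bind a listener to that interface with `SO_BINDTODEVICE`, so only packets that actually arrived through the VTI reach the socket; for a single listener on all addresses, the accepted connection's local address can be compared against the addresses configured on the VTI device. The interface name `vti0`, the addresses, and the `ip -j addr` sample are assumptions or constructed data, not values from the post.

```python
"""Distinguish HTTP connections that arrived through a VTI device from direct ones."""
import json
import socket
import subprocess
from ipaddress import ip_address

# Hypothetical device name; use whatever you created with "mode vti".
VTI_DEV = "vti0"


def make_listener(port, device=None):
    """Open a TCP listener. With `device`, SO_BINDTODEVICE (Linux, needs
    CAP_NET_RAW) restricts it to connections whose packets arrive on that
    interface, so a listener bound to the VTI device only sees decrypted
    tunnel traffic, never cleartext from the physical NIC."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if device is not None:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, device.encode() + b"\0")
    s.bind(("0.0.0.0", port))
    s.listen(16)
    return s


def device_addresses(ip_json, device=VTI_DEV):
    """Return the set of addresses configured on `device`, parsed from the
    JSON that `ip -j addr show` prints."""
    found = set()
    for link in json.loads(ip_json):
        if link.get("ifname") != device:
            continue
        for info in link.get("addr_info", []):
            found.add(ip_address(info["local"]))
    return found


def live_device_addresses(device=VTI_DEV):
    """Query the running system (requires iproute2 with JSON output)."""
    out = subprocess.run(["ip", "-j", "addr", "show", "dev", device],
                         capture_output=True, text=True, check=True).stdout
    return device_addresses(out, device)


def classify(local_addr, vti_addrs):
    """Classify an accepted connection by the local address it was accepted on.
    Assumes peers inside the tunnel address the server by the VTI address."""
    return "vti" if ip_address(local_addr) in vti_addrs else "direct"


# Constructed sample of `ip -j addr show` output, not captured from a real host.
SAMPLE_IP_JSON = json.dumps([
    {"ifindex": 2, "ifname": "eth0",
     "addr_info": [{"family": "inet", "local": "192.0.2.10", "prefixlen": 24}]},
    {"ifindex": 5, "ifname": "vti0",
     "addr_info": [{"family": "inet", "local": "10.10.10.1", "prefixlen": 30}]},
])


def handle(conn, vti_addrs):
    """Minimal HTTP responder that reports how the connection arrived."""
    local_ip, _ = conn.getsockname()
    peer_ip, _ = conn.getpeername()
    kind = classify(local_ip, vti_addrs)
    conn.recv(4096)  # read (and ignore) the request line and headers
    body = f"request from {peer_ip} arrived via {kind}\n".encode()
    conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: %d\r\n\r\n" % len(body) + body)
    conn.close()


if __name__ == "__main__":
    # One listener on all addresses; each connection is classified by address.
    listener = make_listener(8080)
    vti_addrs = live_device_addresses(VTI_DEV)
    while True:
        conn, _ = listener.accept()
        handle(conn, vti_addrs)
```

Binding the port-80 listener with `make_listener(80, VTI_DEV)` and the UI listener on 443 without a device is the cleaner split, because it does not depend on which address the peer used. The address-based `classify` is a fallback for servers that must keep a single listener; it only holds if the tunnel peers reach the server at an address that exists solely on the VTI device.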
