* [LARTC] How to recognize a IPSEC packet ?
@ 2001-07-09 14:30 Franck BALAZOT
  2001-07-09 17:37 ` Mike Fedyk
  2001-07-09 18:26 ` Raffaele Brancaleoni
  0 siblings, 2 replies; 3+ messages in thread
From: Franck BALAZOT @ 2001-07-09 14:30 UTC (permalink / raw)
  To: lartc

Hi all,

I want to make bandwidth management with CBQ (iproute2)
There is no problem to manage service like FTP, HTTP,...
We have an IPSEC VPN here, and I don't know how to recognize IPSEC
packets to manage the VPN bandwidth.
Is there a special port or something in the IP packet header that tells
"here is an IPSEC packet" ?

Thanks,
------------------------------------------------
Franck BALAZOT (fbalazot@aeta.fr)
AETA.COM
361, Avenue du Général De Gaulle
92140 CLAMART
FRANCE
Tél:01.41.36.12.93
------------------------------------------------



_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://ds9a.nl/2.4Routing/


* Re: [LARTC] How to recognize a IPSEC packet ?
  2001-07-09 14:30 [LARTC] How to recognize a IPSEC packet ? Franck BALAZOT
@ 2001-07-09 17:37 ` Mike Fedyk
  2001-07-09 18:26 ` Raffaele Brancaleoni
  1 sibling, 0 replies; 3+ messages in thread
From: Mike Fedyk @ 2001-07-09 17:37 UTC (permalink / raw)
  To: lartc

On Mon, Jul 09, 2001 at 04:30:37PM +0200, Franck BALAZOT wrote:
> Hi all,
> 
> I want to make bandwidth management with CBQ (iproute2)
> There is no problem to manage service like FTP, HTTP,...
> We have an IPSEC VPN here, and I don't know how to recognize IPSEC
> packets to manage the VPN bandwidth.
> Is there a special port or something in the IP packet header that tells
> "here is an IPSEC packet" ?
> 

Yep, ipsec normally uses IP Protocol 50 or 51 depending on other
factors...

These numbers aren't ports, but protocols on the same level of tcp and
udp.

ipchains -A input -m 1 -p 50 (or some such...)

Mike


* Re: [LARTC] How to recognize a IPSEC packet ?
  2001-07-09 14:30 [LARTC] How to recognize a IPSEC packet ? Franck BALAZOT
  2001-07-09 17:37 ` Mike Fedyk
@ 2001-07-09 18:26 ` Raffaele Brancaleoni
  1 sibling, 0 replies; 3+ messages in thread
From: Raffaele Brancaleoni @ 2001-07-09 18:26 UTC (permalink / raw)
  To: lartc

Franck BALAZOT wrote:

> Hi all,
>
> I want to make bandwidth management with CBQ (iproute2)
> There is no problem to manage service like FTP, HTTP,...
> We have an IPSEC VPN here, and I don't know how to recognize IPSEC
> packets to manage the VPN bandwidth.
> Is there a special port or something in the IP packet header that tells
> "here is an IPSEC packet" ?
>
> Thanks,
> ------------------------------------------------
> Franck BALAZOT (fbalazot@aeta.fr)
> AETA.COM
> 361, Avenue du Général De Gaulle
> 92140 CLAMART
> FRANCE
> Tél:01.41.36.12.93
> ------------------------------------------------

Hi,

From what I remember, IPSec uses port 500 TCP for IKE & protocol-ids for IPSec
traffic are 50 (ESP) / 51 (AH) (stored in IP Header). This should allow you to
recognize the IPSec traffic with u32 filters.

Hope this helps!

Later,

Raffaele.

--
____________________________________________________________________________
Raffaele Brancaleoni                       Email : s940195@student.ulg.ac.be
Licence en Informatique
Université de Liège - Belgique
____________________________________________________________________________
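
Added example, not code from any participant in this thread: a Python emulation of the masked 32-bit-word comparison a u32 filter performs, used to sort raw IPv4 packets into ESP (protocol 50), AH (protocol 51), IKE and everything else. It assumes IKE runs over UDP port 500; the function names and the sample packets are constructed for illustration.

```python
import struct

ESP, AH, UDP = 50, 51, 17   # IANA IP protocol numbers
IKE_PORT = 500              # assumption of this example: IKE over UDP/500

def u32_match(pkt, value, mask, offset):
    """One u32 key: (32-bit word at byte offset in the IP packet) & mask == value."""
    if len(pkt) < offset + 4:
        return False
    (word,) = struct.unpack_from("!I", pkt, offset)
    return (word & mask) == value

def proto_key(proto):
    # The protocol field is byte 9 of the IPv4 header, i.e. bits 16-23 of the
    # word at offset 8; tc spells this "match ip protocol <n> 0xff".
    return (proto << 16, 0x00FF0000, 8)

def classify(pkt):
    """Return 'esp', 'ah', 'ike' or 'other' for a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    if u32_match(pkt, *proto_key(ESP)):
        return "esp"
    if u32_match(pkt, *proto_key(AH)):
        return "ah"
    ihl = (pkt[0] & 0x0F) * 4                      # grows when IP options are present
    frag_off = struct.unpack_from("!H", pkt, 6)[0] & 0x1FFF
    # Only the first fragment carries the UDP header; the destination port is
    # the low 16 bits of the first word after the IP header.
    if (u32_match(pkt, *proto_key(UDP)) and frag_off == 0
            and u32_match(pkt, IKE_PORT, 0x0000FFFF, ihl)):
        return "ike"
    return "other"

def ipv4(proto, payload=b"", options=b"", frag_off=0):
    """Constructed IPv4 packet for the demo (documentation addresses, zero checksum)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload), 0,
                      frag_off, 64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + options + payload

if __name__ == "__main__":
    ike = struct.pack("!HHHH", 500, 500, 8, 0)     # constructed UDP header
    samples = {"ESP": ipv4(ESP, b"\x00" * 16), "AH": ipv4(AH, b"\x00" * 24),
               "IKE": ipv4(UDP, ike), "IKE + IP options": ipv4(UDP, ike, b"\x01" * 4)}
    for name, pkt in samples.items():
        print(f"{name:18} -> {classify(pkt)}")
```

Matching the protocol byte needs no port at all, which is why ESP and AH are classified before any transport header is read.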
