
In our deployment we have two servers. I want to connect them via a host-to-host VPN: Host-To-Host VPN Using Openswan

On one server we have a JMS broker, on the second server we have a JMS client, and I want to allow access to the JMS broker only if the traffic passes via the IPsec channel (the JMS broker and client are only for the example).

Is it possible to check that packets passed via the IPsec channel?

Michael

1 Answer

You can filter packets based on specific IPsec fields. For example, you can use the different match modules offered by iptables with the -m or --match option:

  • policy
  • ah
  • esp
  • IP source and destination of the tunnel

http://linux.die.net/man/8/iptables, see Match extensions

policy

This module matches the policy used by IPsec for handling a packet.

--dir in|out

Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. in is valid in the PREROUTING, INPUT and FORWARD chains, out is valid in the POSTROUTING, OUTPUT and FORWARD chains.

--pol none|ipsec

Matches if the packet is subject to IPsec processing.

--strict

Selects whether to match the exact policy or match if any rule of the policy matches the given policy.

--reqid id

Matches the reqid of the policy rule. The reqid can be specified with setkey(8) using unique:id as level.

--spi spi

Matches the SPI of the SA.

--proto ah|esp|ipcomp

Matches the encapsulation protocol.

--mode tunnel|transport

Matches the encapsulation mode.

--tunnel-src addr[/mask]

Matches the source end-point address of a tunnel mode SA. Only valid with --mode tunnel.

--tunnel-dst addr[/mask]

Matches the destination end-point address of a tunnel mode SA. Only valid with --mode tunnel.

--next

Start the next element in the policy specification. Can only be used with --strict.

Sorcha
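As an added example (not from the answer or the thread), the policy match applied to the scenario in the question: the broker host accepts JMS connections only when the kernel says they came out of an IPsec SA from the peer, and the client host refuses to send them in cleartext. The addresses and broker port are constructed placeholders; the functions only print the rules so they can be reviewed before being applied.

```shell
#!/bin/sh
# Added example, not from the thread: iptables rules that admit JMS traffic
# only when the IPsec policy says it arrived (or will leave) through the ESP
# SA. Functions print the rules; review them, then pipe into sh as root.

# Rules for the broker host. $1 = peer (client) address, $2 = broker TCP port.
broker_rules() {
    peer="$1"; port="$2"
    cat <<EOF
# Let IKE and ESP from the peer reach the IPsec stack (add udp 4500 for NAT-T)
iptables -A INPUT -p udp -s ${peer} --dport 500 -j ACCEPT
iptables -A INPUT -p esp -s ${peer} -j ACCEPT
# Decapsulated packets traverse INPUT again: accept broker traffic only if it
# matched an inbound IPsec policy from the peer, then drop any cleartext attempt
iptables -A INPUT -p tcp -s ${peer} --dport ${port} -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A INPUT -p tcp --dport ${port} -j DROP
# Verify later with: iptables -L INPUT -v -n  (hits on the DROP rule mean
# something tried to reach the broker outside the tunnel)
EOF
}

# Rules for the client host. $1 = broker address, $2 = broker TCP port.
# Outgoing connections are allowed only if the outbound policy will encrypt them.
client_rules() {
    broker="$1"; port="$2"
    cat <<EOF
iptables -A OUTPUT -p tcp -d ${broker} --dport ${port} -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -A OUTPUT -p tcp -d ${broker} --dport ${port} -j REJECT
EOF
}

# Constructed placeholders: TEST-NET-1 addresses and an arbitrary broker port.
# Broker is 192.0.2.10, client is 192.0.2.20.
broker_rules 192.0.2.20 61616
client_rules 192.0.2.10 61616
```

In Openswan a host-to-host connection uses tunnel mode unless type=transport is set, so add --mode tunnel (or --mode transport) to the policy match only if you want to pin the mode as well.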