
I am working on a Windows server application that will transfer sensitive information to another Windows server over a socket using an HttpClient. The servers are supposed to be configured to use IPSec. So yay, I don't have to do anything to set up the secure connection at the application level. However, I have been instructed to ensure that the connection is using IPSec and abort if it is not.

How can I programmatically determine if the connection is indeed secured with IPSec? The application is C#, on Windows Server 2016. I am open to P/Invoke based solutions or C code if that is required to make this work. So long as it can ultimately work with a C# HttpClient class.

Moby Disk

1 Answer

It is not the application's concern and can't be done. The tunnel is transparent to application-level users of the network stack. If you want the application to ensure that the connection is encrypted and authenticated, use TLS. Otherwise it is up to the network/system administrators to make sure that policies are set up so that only IPsec traffic is allowed.

Imagine that you figure out a way to ensure that the tunnel is set up by interrogating the OS in some way. And then in 2 years the system needs to be scaled up and IPSec termination is moved to dedicated hardware. Oops.

MK.
  • You could check if there's an active IPSec tunnel but you wouldn't be able to ensure if your socket is connected through it. – galister Feb 06 '17 at 14:18
  • well, I'm sure you could try to add lots of hackery; I've never set up IPsec on Windows, but on Linux you can get the list of connections, I think, and try to see if your connection appears to be one of them based on port #s, but that's just wrong. – MK. Feb 06 '17 at 14:21
  • The port of the IPSec connection, but not the destination port of the encapsulated packets, which will ultimately end up with your .NET endpoint. – galister Feb 06 '17 at 14:23
  • 1
    well, right. All I'm saying is that with some luck you might be able to hack something together by running some netsh commands and parsing their results, but "can" doesn't mean "should". – MK. Feb 06 '17 at 14:43
  • @MK. I will be on an LTSB branch of Windows, so there won't be any OS updates that I am not aware of. So hackery might be acceptable here. I was hoping for a WMI solution though, kinda like http://stackoverflow.com/questions/703225/ – Moby Disk Feb 06 '17 at 16:36
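
The answer's recommendation, carried into C#, as an added example that is not part of the original question or answer: instead of trying to detect an IPsec SA from inside the process, the application enforces its own transport security with HttpClient. It refuses non-https URLs, refuses anything below TLS 1.2, and pins the peer's certificate thumbprint on top of normal chain validation, aborting the handshake before any payload leaves the process. The class name `SecureTransfer`, the `ExpectedThumbprint` placeholder value, and the .NET Framework 4.7.1+ / .NET Core target (needed for `HttpClientHandler.SslProtocols` and `ServerCertificateCustomValidationCallback`) are assumptions for the example.

```csharp
// Added example (not from the original post): enforce TLS in the application rather than
// trying to detect IPsec. Assumes .NET Framework 4.7.1+ or .NET Core, and that the peer
// server's certificate thumbprint is known out of band (placeholder value below).
using System;
using System.Net.Http;
using System.Net.Security;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

static class SecureTransfer
{
    // Hypothetical: SHA-1 thumbprint of the peer server's certificate, captured out of band.
    // Replace with the real value; a wrong pin simply makes every connection fail closed.
    const string ExpectedThumbprint = "0000000000000000000000000000000000000000";

    public static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            // Refuse anything older than TLS 1.2 at handshake time.
            SslProtocols = SslProtocols.Tls12,
            ServerCertificateCustomValidationCallback = ValidateServerCertificate,
        };
        return new HttpClient(handler);
    }

    // Returning false aborts the TLS handshake, so the request body is never sent in the clear.
    static bool ValidateServerCertificate(HttpRequestMessage request, X509Certificate2 cert,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        // Keep the platform's chain, name and revocation checks; do not weaken them.
        if (errors != SslPolicyErrors.None) return false;
        if (cert == null) return false;

        // Pin to the expected server certificate in addition to chain validation.
        return string.Equals(cert.Thumbprint, ExpectedThumbprint, StringComparison.OrdinalIgnoreCase);
    }

    public static async Task SendAsync(Uri endpoint, byte[] payload)
    {
        // A plain http:// URL would bypass every check above, so reject it up front.
        if (endpoint.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Refusing to send sensitive data over a non-TLS URL.");

        using (var client = CreateClient())
        using (var content = new ByteArrayContent(payload))
        {
            HttpResponseMessage response = await client.PostAsync(endpoint, content);
            response.EnsureSuccessStatusCode();
        }
    }
}
```

With this in place the IPsec policy becomes defence in depth rather than the only control the application depends on: if IPsec termination later moves to dedicated hardware, as the answer warns, the application's own guarantees are unchanged.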