IPsec packet forwarding using WFP


Problem description

Hello,

I am using the function FwpmIPsecTunnelAdd0() to establish an IPsec Tunnel.

When an IPsec packet is received and decrypted, how can I use WFP API to forward the decrypted packet to a different port and IP address? Do I have to read the decrypted packet, re-assemble the original packet into a new packet that includes the forwarding port and IP address, and then send the new packet? Is there a setting that can do these steps automatically?

Thank you

Solution

You would have a callout at FWPM_LAYER_INBOUND_TRANSPORT and in a sublayer weighted lower than IPsec's sublayer (< 0x7FFF). You then would need to clone the original NBL, remove the IPsec information from the IP header (IPsec leaves the AH and ESP information in), modify the IP header with the new destination address, modify the transport header with the new port, recalculate the transport checksum, recalculate the IP checksum, drop / absorb the original and inject the clone.

Hope this helps,
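
The header rewrite and checksum steps from the answer above, as an added example that is not part of the original thread: user-mode C on a plain byte buffer rather than a WFP callout working on a cloned NBL. It assumes IPv4/UDP with any AH/ESP information already removed; `rewrite_udp_dest`, `checksums_ok` and the sample packet are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample: 192.0.2.1:5000 -> 192.0.2.2:6000, "test", checksums zero. */
static const uint8_t SAMPLE[32] = {
    0x45,0,0,32, 0,1,0,0, 64,17,0,0, 192,0,2,1, 192,0,2,2,
    0x13,0x88, 0x17,0x70, 0,12, 0,0, 't','e','s','t' };

/* RFC 1071 one's-complement sum over big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc) {
    for (; n > 1; p += 2, n -= 2) acc += (uint32_t)p[0] << 8 | p[1];
    return n ? acc + ((uint32_t)p[0] << 8) : acc;  /* odd byte is zero padded */
}
static uint16_t fold(uint32_t acc) {
    while (acc >> 16) acc = (acc & 0xFFFF) + (acc >> 16);
    return (uint16_t)~acc;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* Rewrite destination in place and recompute both checksums; -1 if malformed. */
int rewrite_udp_dest(uint8_t *pkt, size_t len, const uint8_t ip[4], uint16_t port) {
    if (len < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 17) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4, total = (size_t)pkt[2] << 8 | pkt[3];
    if (ihl < 20 || total > len || total < ihl + 8) return -1;
    uint8_t *udp = pkt + ihl;
    size_t ulen = (size_t)udp[4] << 8 | udp[5];
    if (ulen < 8 || ihl + ulen > total) return -1;
    memcpy(pkt + 16, ip, 4);                      /* IP header: new destination */
    put16(udp + 2, port);                         /* UDP header: new dest port */
    put16(pkt + 10, 0);                           /* IP checksum: header only */
    put16(pkt + 10, fold(sum16(pkt, ihl, 0)));
    put16(udp + 6, 0);                            /* UDP: pseudo-header + segment */
    uint16_t c = fold(sum16(udp, ulen, sum16(pkt + 12, 8, 0) + 17 + (uint32_t)ulen));
    put16(udp + 6, c ? c : 0xFFFF);               /* 0 would mean "no checksum" */
    return 0;
}

/* A valid checksum makes the folded sum over the covered bytes come out as 0. */
int checksums_ok(const uint8_t *pkt) {
    const uint8_t *udp = pkt + (size_t)(pkt[0] & 0x0F) * 4;
    size_t ulen = (size_t)udp[4] << 8 | udp[5];
    uint32_t pseudo = sum16(pkt + 12, 8, 0) + 17 + (uint32_t)ulen;
    return fold(sum16(pkt, (size_t)(udp - pkt), 0)) == 0 && fold(sum16(udp, ulen, pseudo)) == 0;
}

int main(void) {
    uint8_t pkt[32], dst[4] = {198, 51, 100, 7};  /* constructed new destination */
    memcpy(pkt, SAMPLE, sizeof pkt);
    return rewrite_udp_dest(pkt, sizeof pkt, dst, 7000) == 0 && checksums_ok(pkt) ? 0 : 1;
}
```

The UDP checksum has to be redone even when only the address changes, because the destination address is part of the pseudo-header it covers.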

