IPsec packet forwarding using WFP

  • Question

  • Hello,

    I am using the function FwpmIPsecTunnelAdd0() to establish an IPsec Tunnel.

    When an IPsec packet is received and decrypted, how can I use WFP API to forward the decrypted packet to a different port and IP address? Do I have to read the decrypted packet, re-assemble the original packet into a new packet that includes the forwarding port and IP address, and then send the new packet? Is there a setting that can do these steps automatically?

    Thank you

    Wednesday, March 26, 2014 10:26 PM

All replies

  • You would have a callout at FWPM_LAYER_INBOUND_TRANSPORT and in a sublayer weighted lower than IPsec's sublayer (< 0x7FFF). You then would need to clone the original NBL, remove the IPsec information from the IP Header (IPsec leaves the AH and ESP information in), modify the IP Header with the new destination address, modify the Transport Header with the new port, recalculate the Transport checksum, recalculate the IP checksum, drop / Absorb the original and inject the clone.

    Hope this helps,

    Dusty Harper [MSFT]
    Microsoft Corporation
    This posting is provided "AS IS", with NO warranties and confers NO rights

    Thursday, March 27, 2014 8:05 PM
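The header-rewrite and checksum steps from the answer above, as an added user-mode C example that is not code from this thread or from the WFP SDK: it takes an IPv4/UDP packet after the IPsec headers have already been stripped, rewrites the destination address and port, recomputes the IP and UDP checksums, and verifies the result on a constructed sample. The sample bytes, addresses, ports and function names are assumptions; in a real callout the buffer would come from the cloned NBL and go to the injection API, which this omits.

```c
#include <stdint.h>
#include <string.h>
/* One's-complement sum of big-endian 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len) {
    for (; len > 1; p += 2, len -= 2) sum += ((uint32_t)p[0] << 8) | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}
static uint16_t csum_fold(uint32_t sum) {
    while (sum >> 16) sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}
static void put16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
/* Folded checksum over the UDP pseudo-header (src, dst, 0, proto 17, length) plus the datagram. */
static uint16_t udp_csum(const uint8_t *ip, size_t ihl, size_t udp_len) {
    uint8_t ph[4] = { 0, 17, (uint8_t)(udp_len >> 8), (uint8_t)udp_len };
    uint32_t sum = csum_add(csum_add(0, ip + 12, 8), ph, 4);
    return csum_fold(csum_add(sum, ip + ihl, udp_len));
}
/* Rewrite destination address and UDP port in place (pkt = IPv4 header, IPsec headers already
   removed), then recompute both checksums. Returns 0, or -1 if the buffer is not IPv4/UDP. */
int redirect_ipv4_udp(uint8_t *pkt, size_t len, uint32_t new_dst_ip, uint16_t new_dst_port) {
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (pkt[0] & 0x0F) * 4, udp_len;
    if (ihl < 20 || len < ihl + 8 || pkt[9] != 17) return -1;        /* protocol 17 = UDP */
    uint8_t *udp = pkt + ihl;
    udp_len = ((size_t)udp[4] << 8) | udp[5];
    if (udp_len < 8 || ihl + udp_len > len) return -1;
    for (int i = 0; i < 4; i++) pkt[16 + i] = (uint8_t)(new_dst_ip >> (24 - 8 * i));
    put16(udp + 2, new_dst_port);
    put16(pkt + 10, 0);                                   /* IP checksum covers the header only */
    put16(pkt + 10, csum_fold(csum_add(0, pkt, ihl)));
    put16(udp + 6, 0);                                    /* zero the field before summing */
    uint16_t c = udp_csum(pkt, ihl, udp_len);
    put16(udp + 6, c ? c : 0xFFFF);                       /* UDP: 0 would mean "no checksum" */
    return 0;
}
/* Receiver-side check: a correct packet, checksum fields included, sums to zero. */
int checksums_valid(const uint8_t *pkt) {
    size_t ihl = (pkt[0] & 0x0F) * 4, udp_len = ((size_t)pkt[ihl + 4] << 8) | pkt[ihl + 5];
    return csum_fold(csum_add(0, pkt, ihl)) == 0 && udp_csum(pkt, ihl, udp_len) == 0;
}
/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:8080, payload "ping", both checksums unset. */
static const uint8_t SAMPLE[32] = { 0x45,0,0,32, 0,1,0,0, 64,17,0,0, 10,0,0,1, 10,0,0,2,
                                    0x04,0xD2, 0x1F,0x90, 0,12, 0,0, 'p','i','n','g' };
/* Redirect a copy of the sample to 192.168.1.20:9000; 1 if it verifies and the fields changed. */
int demo(void) {
    uint8_t pkt[32]; memcpy(pkt, SAMPLE, sizeof pkt);
    if (redirect_ipv4_udp(pkt, sizeof pkt, 0xC0A80114u, 9000) != 0) return 0;
    return checksums_valid(pkt) && pkt[16] == 192 && pkt[19] == 20 && pkt[22] == 0x23 && pkt[23] == 0x28;
}
```

A TCP segment needs the same pseudo-header sum over the whole segment and no special case for a zero result, since TCP has no "no checksum" value.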
  • Thank you for your prompt response! I will try these steps.
    Friday, March 28, 2014 12:57 PM