Date: Tue, 25 Oct 2005 06:16:22 -0500
From: "Travis H." <solinym@gmail.com>
To: VANHULLEBUS Yvan <vanhu_bsd@zeninc.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Filtering IPSec traffic ?
Message-ID: <d4f1333a0510250416m545761e2m5db8ffca126a39d6@mail.gmail.com>
In-Reply-To: <20051025095745.GA2581@zeninc.net>
References: <20051025095745.GA2581@zeninc.net>
I think you have to set up filtering on the external interface for UDP port 500 (for the ISAKMP) and IP protocols 50 and 51 (proto esp and proto ah, in pf.conf syntax). Then, the decrypted version appears on enc0, so you can match the decapsulated stuff. As I understand it.

-- 
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
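A pf.conf ruleset illustrating the two-layer filtering described above (an added example, not from the thread or from the FreeBSD project). The macros $ext_if, $peer, $remote_net and $local_net are assumed placeholders; only the IKE and ESP/AH rules on the outer interface and the plaintext rules on enc0 come from the message.

```pf
# Assumed placeholders: adjust to the real interface, peer and subnets.
ext_if     = "em0"            # external interface carrying the encrypted tunnel
peer       = "192.0.2.1"      # remote IPsec gateway (constructed address)
remote_net = "10.2.0.0/24"    # network behind the remote gateway (constructed)
local_net  = "10.1.0.0/24"    # our protected network (constructed)

set skip on lo0
block log all                 # default deny on every interface, including enc0

# Layer 1: on the outer interface only the IPsec control and data traffic
# from the known peer is allowed. UDP 500 is ISAKMP/IKE; esp and ah are
# IP protocols 50 and 51, written by name in pf.conf syntax.
pass in  quick on $ext_if proto udp from $peer to $ext_if port 500 keep state
pass out quick on $ext_if proto udp from $ext_if to $peer port 500 keep state
pass in  quick on $ext_if proto { esp, ah } from $peer to $ext_if
pass out quick on $ext_if proto { esp, ah } from $ext_if to $peer

# Layer 2: after decapsulation the cleartext packets appear on enc0, so
# policy on what the tunnel may actually carry is expressed here. Without
# these rules the default block above drops the decrypted traffic.
pass in  on enc0 proto tcp from $remote_net to $local_net port { 22, 443 } keep state
pass in  on enc0 proto icmp from $remote_net to $local_net keep state
pass out on enc0 from $local_net to $remote_net keep state

# Anything else arriving decrypted (e.g. spoofed inner addresses) is logged
# and dropped by the catch-all "block log all" rule.
```

On FreeBSD the enc(4) interface and the sysctls that control whether decapsulated packets are passed to pf are documented in enc(4); check `pfctl -sr` and `tcpdump -ni enc0` to confirm the plaintext side is actually being evaluated.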