Filtering IPSec traffic ?

VANHULLEBUS Yvan vanhu_bsd at
Tue Oct 25 05:05:57 PDT 2005

On Tue, Oct 25, 2005 at 06:16:22AM -0500, Travis H. wrote:
> I think you have to set up filtering on the external interface for UDP
> port 500 (for the ISAKMP) and IP protocols 50 and 51 (proto esp and
> proto ah, in pf.conf syntax).

Yes, thanks, I know that :-)

And, to be axact, I'll have to allow UDP 500/4500, as I'm using NAT-T
(subliminal message: kernel patch still not included in FreeBSD...).

> Then, the decrypted version appears on enc0, so you can match the
> decapsulated stuff.

That's the problem: enc0 doesn't seems to exists, at least on my
FreeBSD6 gate (perhaps I missed something in the configuration, or
perhaps this is not a "real" interface ?) !!!

Such an interface would be very useful, for filtering IPSec traffic,
and also to be able to dump traffic from/to IPSec peers, and would be,
imho, the best solution (and would not be pf specific), but at least
"some option" in the pf syntax would be interesting to be able to
match traffic which come from an IPSec tunnel...


More information about the freebsd-pf mailing list