Filtering IPSec traffic?

Travis H. solinym at gmail.com
Tue Oct 25 04:16:23 PDT 2005


I think you have to set up filtering on the external interface for UDP
port 500 (for the ISAKMP) and IP protocols 50 and 51 (proto esp and
proto ah, in pf.conf syntax).

Then, the decrypted version appears on enc0, so you can match the
decapsulated stuff.

As I understand it.
--
http://www.lightconsulting.com/~travis/  -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
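A pf.conf fragment that puts the two halves of the answer together: pass IKE (UDP 500) and the ESP/AH protocols on the external interface, then filter the cleartext on enc0. This is an added example, not from the original post; the interface name, peer address, subnets and ports are constructed placeholders. The optional UDP 4500 rule covers IKE NAT traversal, which the post does not mention but which a peer behind NAT will use.

```pf
# Added example, not from the original post. All names and addresses below
# are assumptions; replace them with your own.
ext_if     = "em0"                # external interface (assumed)
vpn_peer   = "203.0.113.10"       # remote IPsec gateway (constructed address)
remote_net = "10.20.0.0/16"       # network reachable through the tunnel (constructed)
local_net  = "192.168.1.0/24"     # network behind this gateway (constructed)

# --- External interface: only the IPsec control and data channels -------
# IKE/ISAKMP negotiation with the known peer (UDP 500).
pass in  quick on $ext_if proto udp from $vpn_peer to ($ext_if) port 500
pass out quick on $ext_if proto udp from ($ext_if) to $vpn_peer port 500
# Optional: IKE NAT traversal (UDP 4500), only needed if a NAT sits between peers.
pass in  quick on $ext_if proto udp from $vpn_peer to ($ext_if) port 4500
pass out quick on $ext_if proto udp from ($ext_if) to $vpn_peer port 4500
# IP protocol 50 (esp) and 51 (ah); pf accepts the protocol names directly.
pass in  quick on $ext_if proto { esp, ah } from $vpn_peer to ($ext_if)
pass out quick on $ext_if proto { esp, ah } from ($ext_if) to $vpn_peer

# --- enc0: decrypted packets appear here, so policy is enforced on cleartext -
# pf is last-match-wins unless "quick" is used, so the default block comes first
# and the specific pass rules after it.
block in  log on enc0
block out log on enc0
# Only SSH and HTTPS from the remote site into the local network.
pass in  on enc0 proto tcp from $remote_net to $local_net port { 22, 443 }
# Replies and locally originated traffic toward the remote site.
pass out on enc0 from $local_net to $remote_net
```

The enc0 rules only see traffic if the kernel actually has the enc device (`device enc` in the kernel configuration on FreeBSD); without it, pf has nothing to match after decapsulation and the external-interface rules are the only filtering in effect.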