Re: port-based filtering of IPsec packets?

On Wed, Jul 23, 2003 at 04:23:55PM -0500, Rick Kennell wrote:

> > Once the IPsec traffic has been terminated (decapsulated) you can
> > filter it based on the services (tcp or udp ports) prior to that
> > you only can filter based on the outer IP header...
> 
> OK.  Is there a way to decapsulate an ESP packet in iptables?

No, if the IPsec tunnel terminates on your firewall then you'll see the
decapsulated packet while it's being forwarded to its internal destination.
If it does not terminate on your firewall then you're out of luck and must
only rely on the outer IP header to filter...

Ramin
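The two filtering points Ramin describes, as an added iptables example that is not from the thread: the peer address, interfaces and subnet are assumed values, and the tunnel is assumed to terminate on the firewall itself.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: external interface
# eth0, remote IPsec peer 203.0.113.10, protected LAN 192.168.1.0/24, and
# the tunnel terminating on this firewall. Prints the rules by default;
# APPLY=1 runs them for real.
if [ "${APPLY:-0}" = 1 ]; then IPT=iptables; else IPT="echo iptables"; fi

PEER=203.0.113.10
LAN=192.168.1.0/24
WAN=eth0

# Filtering point 1: before decapsulation only the outer IP header is
# visible, so the most you can do is pin IKE (UDP 500) and ESP
# (IP protocol 50) to the known peer and drop any other ESP.
outer_rules() {
    $IPT -A INPUT -i "$WAN" -s "$PEER" -p udp --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$WAN" -s "$PEER" -p esp -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p esp -j DROP
}

# Filtering point 2: once this host has decapsulated the packet it is
# forwarded as ordinary IP, so port-based rules work in FORWARD. The
# policy match (xt_policy, in later iptables releases) restricts these
# rules to traffic that actually arrived inside ESP, so plaintext packets
# from the outside cannot ride on the same ACCEPTs; on FreeS/WAN-era
# KLIPS the equivalent is matching the virtual interface with -i ipsec0.
# FROM_TUNNEL is left unquoted on purpose so it expands to several args.
inner_rules() {
    FROM_TUNNEL="-m policy --dir in --pol ipsec --proto esp"
    $IPT -A FORWARD $FROM_TUNNEL -d "$LAN" -p tcp --dport 22 -j ACCEPT
    $IPT -A FORWARD $FROM_TUNNEL -d "$LAN" -p tcp --dport 443 -j ACCEPT
    $IPT -A FORWARD $FROM_TUNNEL -d "$LAN" -j DROP
}

outer_rules
inner_rules
```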

