> > The in-kernel ipsec does not have an ipsec0 virtual interface, that is
> > where the problem comes from - I don't see a way yet to distinguish
> > decapsulated ipsec traffic from eth0 to eth1 from raw traffic between the
> > two interfaces.
>
> Ah. I have yet to play with the features of 2.6 kernels, therefore I didn't
> realise that this version of IPsec has such a drawback compared to FreeS/WAN.

I solved this using firewall marks. Essentially, packets that come in via
IPsec and then get untunnelled retain the fwmark, so you can do something
like:

iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1
iptables -A INPUT -m mark --mark 1 -j ACCEPT

(Obviously repeat for FORWARD if required and do further firewalling for
anything you don't trust from your VPN.)

There is also a way of matching particular SPIs inside AH/ESP packets (where
you can do the same thing and set a mark). This is even better because
specific connections can then be tracked. Untested, but it should be
something like:

iptables -t mangle -A PREROUTING -p esp -m esp --espspi num:num -j MARK --set-mark 1

You would more than likely want to insert these into the firewall ruleset
dynamically with the help of your keying daemon (freeswan, isakmpd, ...).

Mark
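As an added example that is not part of Mark's reply or of any of the projects he names, here is a hypothetical hook script a keying daemon could run when an SA comes up or goes down, in the spirit of the dynamic rule insertion suggested above. It combines the two ideas from the message: mark ESP from a known peer and SPI in the mangle table, then accept only marked traffic in INPUT and FORWARD. The interface, peer address, SPI, mark value, inner network and script name are all assumptions; DRY_RUN=1 prints the rules instead of applying them so the generated ruleset can be checked without root.

```shell
#!/bin/sh
# Added example (not from the thread): a hypothetical hook a keying daemon
# could run when an SA comes up or goes down.  It marks ESP packets from one
# peer carrying one inbound SPI, then admits only marked (= decapsulated
# from that SA) traffic.  Interface names, addresses, SPIs, mark values and
# the allowed inner network are all assumptions for illustration.
#
#   ipsec-mark-hook.sh up   eth0 203.0.113.5 0x1234 7 10.0.1.0/24
#   ipsec-mark-hook.sh down eth0 203.0.113.5 0x1234 7 10.0.1.0/24

set -eu

IPTABLES=${IPTABLES:-iptables}
DRY_RUN=${DRY_RUN:-}        # set to 1 to print rules instead of applying them
ACTION=${ACTION:--A}        # -A when the SA comes up, -D when it goes down

# Apply one iptables command, or print it when DRY_RUN is set so the
# generated ruleset can be reviewed without root.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Mark inbound ESP from PEER on IFACE carrying SPI with MARK.  The SPI may
# be given in hex (0x...) or decimal; it is normalised to decimal for
# --espspi.  Matching on peer address and SPI rather than bare "-p esp"
# means only traffic from an SA the keying daemon negotiated gets the mark.
esp_mark_rule() {
    iface=$1; peer=$2; spi=$(( $3 )); mark=$4
    ipt -t mangle "$ACTION" PREROUTING -i "$iface" -s "$peer" -p esp \
        -m esp --espspi "$spi" -j MARK --set-mark "$mark"
}

# Filter rules for the decapsulated traffic.  The mark survives
# decapsulation, so INPUT and FORWARD see the inner packets with MARK set.
# Only what the peer is allowed to reach is accepted; everything else
# carrying the mark is dropped.
marked_traffic_rules() {
    mark=$1; inside_net=$2
    # to this gateway itself: SSH management only (assumed policy)
    ipt "$ACTION" INPUT -m mark --mark "$mark" -p tcp --dport 22 -j ACCEPT
    # through the gateway: only into the inner network behind it
    ipt "$ACTION" FORWARD -m mark --mark "$mark" -d "$inside_net" -j ACCEPT
    ipt "$ACTION" FORWARD -m mark --mark "$mark" -j DROP
}

# hook up|down IFACE PEER SPI MARK INSIDE_NET
hook() {
    case $1 in
        up)   ACTION=-A ;;
        down) ACTION=-D ;;
        *)    echo "usage: $0 up|down IFACE PEER SPI MARK INSIDE_NET" >&2; return 2 ;;
    esac
    shift
    esp_mark_rule "$1" "$2" "$3" "$4"
    marked_traffic_rules "$4" "$5"
}

# Only dispatch when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    hook "$@"
fi
```

The hook is per inbound SPI, so on rekeying the daemon would call it once with "up" for the new SPI and once with "down" for the old one, which keeps the mangle rules in step with the SAs that actually exist. Giving each peer its own mark value is what lets the INPUT and FORWARD rules express per-peer policy rather than trusting everything that arrived over the VPN.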