Eduardo Spremolla wrote:
I use a trick stated in the ipsec-tools howto:

    iptables -t mangle -A PREROUTING -i eth0 -p esp -j MARK --set-mark 1

then, to catch the decapsulated packet:

    iptables -A INPUT -m mark --mark 1 -j ACCEPT
Yes. There are many ways to filter IPsec packets. However, I think that the proper way to filter IPsec packets is the policy match, with a recent kernel (2.6.16) and iptables (1.3.5). Ciao
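The two approaches from this exchange side by side, as an added example that is not part of the original thread: a script that prints (or, with "apply", loads) the mark trick and the policy-match rules. The interface name, the remote subnet and the Linux environment are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux with xt_policy support
# (kernel >= 2.6.16, iptables >= 1.3.5). Without an "apply" argument the
# rules are only printed, so the script can be inspected before use.

WAN_IF="${WAN_IF:-eth0}"                   # assumption: interface the peer reaches us on
REMOTE_NET="${REMOTE_NET:-10.0.0.0/24}"    # constructed: subnet behind the far tunnel end

# The mark trick: tag ESP on arrival, then accept whatever carries the mark after
# decapsulation. The mark only proves "came out of some ESP packet"; it says
# nothing about which SA or whether the inner packet matched the SA's selectors.
mark_rules() {
    printf '%s\n' \
      "iptables -t mangle -A PREROUTING -i $WAN_IF -p esp -j MARK --set-mark 1" \
      "iptables -A INPUT -m mark --mark 1 -j ACCEPT"
}

# Policy match: let ESP and IKE reach the stack, then accept decapsulated
# traffic only if the kernel matched it against an IPsec policy, narrowed to
# tunnel mode and to the expected inner addresses on each side.
policy_rules() {
    printf '%s\n' \
      "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT" \
      "iptables -A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT" \
      "iptables -A INPUT -m policy --dir in --pol ipsec --proto esp --mode tunnel -s $REMOTE_NET -j ACCEPT" \
      "iptables -A FORWARD -m policy --dir in --pol ipsec --proto esp --mode tunnel -s $REMOTE_NET -j ACCEPT" \
      "iptables -A OUTPUT -m policy --dir out --pol ipsec --proto esp --mode tunnel -d $REMOTE_NET -j ACCEPT" \
      "iptables -A FORWARD -m policy --dir out --pol ipsec --proto esp --mode tunnel -d $REMOTE_NET -j ACCEPT"
}

# Count the rules from a generator ($1) that contain a given match string ($2).
count_rules() {
    "$1" | grep -c -- "$2" || true
}

if [ "${1:-}" = "apply" ]; then
    policy_rules | while read -r rule; do $rule; done
else
    echo "# dry run: mark trick";    mark_rules
    echo "# dry run: policy match";  policy_rules
fi
```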