[Openswan Users]

Andy Gay andy at andynet.net
Sun Jul 23 12:41:06 CEST 2006

On Sun, 2006-07-23 at 08:43 -0500, Greg Scott wrote: 
> I
> think the netfilter guys had a way to mark incoming esp packets so they
> could be tested later on afer reinjection.

Mark incoming ESP packets:

  iptables -t mangle -A INPUT -i <interface> -p 50 -j MARK --set-mark 0x50

If the packet survives IPsec policy checks, it'll show up later with the
mark still intact. So you can use it for example to bypass INPUT rules:

  iptables -A INPUT -i <interface> -m mark --mark 0x50 -j ACCEPT

For anyone who knows the Cisco PIX, this is similar to setting 'sysopt
connection permit-ipsec'.

More information about the Users mailing list