[Openswan Users] L2TP packets being dropped at server

Paul Wouters paul at xelerance.com
Sat Feb 27 00:11:30 EST 2010

On Fri, 26 Feb 2010, Will Roberts wrote:

> On Fri, Feb 26, 2010 at 3:11 PM, Paul Wouters <paul at xelerance.com> wrote:
>       On Fri, 26 Feb 2010, Will Roberts wrote:
>             iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
>             iptables -A ironwall -i eth0 -p udp --dport 1701 -j DROP
>       that's wrong.
> I've never used netfliter's IPsec policy matching before, but from what I read on the man page that rule should match all incoming packets that were
> decrypted by IPsec.

That's not how I read it:

   --pol {none|ipsec}
               Matches if the packet is subject to IPsec processing.

However, after decrypting such a matched packet, the decrypted packet is put bak into the
table and processing happens against from the start. On that run, --pol ipsec will not
match. And your DROP rule will match.

> Those rules do seem to work as they are; have I misunderstood what that rule is actually matching?

Maybe there is another reason it is ACCEPT'ed?


More information about the Users mailing list