[Openswan Users] Transport mode on a home LAN

Paul Wouters paul at xelerance.com
Sat Nov 27 19:28:55 EST 2010


On Sat, 27 Nov 2010, Jack Byer wrote:

> The next step I'd like to do is to set up some iptables rules that
> will DROP all non-encrypted packets both incoming and outgoing but I'm
> not sure how IPsec and iptables interact. If I set the default policy
> on all three chains in the filter table to DROP and then just accept
> AH and ESP packets will this do the right thing, or do I need to add
> the rules somewhere else?

You don't need AH really. But you should add UDP 500 for IKE (and if
NAT is involved you might also need UDP 4500 <-> highports).

Paul
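For the setup the thread is discussing, here is an added example (not code from either poster or from Openswan) of a filter ruleset that does what the question asks: default DROP on all three chains, IKE and ESP allowed, and the kernel's IPsec policy match used to admit only payloads that actually went through a transport-mode SA. The LAN subnet and interface name are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from Openswan: emit an
# iptables-restore ruleset for a host that should only exchange IPsec
# transport-mode traffic with its LAN peers. Assumed values (mine):
# LAN subnet and interface; override them via the environment.
LAN_NET="${LAN_NET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-eth0}"

# Default policy DROP on all three filter chains, as the question
# proposed. What must still be let through in the clear:
#  - IKE (UDP 500) and NAT-T (UDP 4500); multiport --ports matches
#    either source or destination, which covers the NAT'd high ports
#  - the ESP packets themselves (AH is not needed)
# Application traffic is then admitted only once the kernel has
# matched it to an IPsec policy: the policy match sees the inbound
# packet after ESP decapsulation and the outbound one before
# encapsulation, so unprotected payloads fall through to DROP.
ipsec_only_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p udp -m multiport --ports 500,4500 -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -p udp -m multiport --ports 500,4500 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p esp -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -p esp -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
-A OUTPUT -o $LAN_IF -d $LAN_NET -m policy --dir out --pol ipsec --proto esp --mode transport -j ACCEPT
COMMIT
EOF
}

# Self-check: count the ACCEPT rules that admit cleartext, i.e. those
# that are neither loopback nor gated by the policy match. Expected: 4
# (UDP and ESP, one per direction); anything more is a hole in the design.
cleartext_accept_count() {
    ipsec_only_ruleset | grep -- '-j ACCEPT' \
        | grep -v -e ' lo ' -e '-m policy' | wc -l | tr -d ' '
}

# Apply (as root) with: ipsec_only_ruleset | iptables-restore
```

Remember that FORWARD is also DROP here, so this is for an end host, not for the box that routes the LAN.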

