[Openswan Users] Transport mode on a home LAN
Paul Wouters
paul at xelerance.com
Sat Nov 27 19:48:00 EST 2010
On Sat, 27 Nov 2010, Jack Byer wrote:
>> You don't need AH really. But you should add UDP 500 for IKE (and if
>> NAT is involved you might also need UDP 4500 <-> highports
>>
>> Paul
>
> The part that is confusing me is that when I use tcpdump to watch the
> traffic on the ethernet interface I see both the encrypted and
> non-encrypted packets. How does iptables differentiate between the
> packets on the wire and the packets inside the tunnel?
iptables -A INPUT -m policy --dir in --pol ipsec -j ACCEPT
the kernel then does its magic stuff to compare. I am not sure what
checks this enables (e.g. valid SAIDs?) but it should pass your traffic.
Paul
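An added example, not part of the thread: a small script that emits an iptables ruleset for the transport-mode setup discussed above. The interface name (eth0) and peer address (192.168.1.20) are assumed values; the rules are printed for review rather than applied, so the script can run without root.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Prints iptables rules
# for a host doing transport-mode IPsec with one LAN peer. Nothing is
# applied; review the output, then run it as root or feed it to a script.
# Interface and peer below are assumed/constructed values.

gen_ipsec_rules() {
    ifname="$1"   # e.g. eth0 (assumed)
    peer="$2"     # e.g. 192.168.1.20 (constructed)
    cat <<EOF
# --- INPUT ---
# What tcpdump shows on the wire: IKE (UDP 500), NAT-T (UDP 4500), ESP (proto 50).
# A plain "-s $peer -j ACCEPT" would match both the ESP packet and its
# decrypted copy, so the two are kept apart with the policy match instead.
iptables -A INPUT -i $ifname -s $peer -p udp --dport 500 -j ACCEPT
iptables -A INPUT -i $ifname -s $peer -p udp --dport 4500 -j ACCEPT
iptables -A INPUT -i $ifname -s $peer -p esp -j ACCEPT
# After decryption the inner packet traverses INPUT again, now carrying the
# kernel's IPsec policy marker; that is the only copy accepted here.
iptables -A INPUT -i $ifname -s $peer -m policy --dir in --pol ipsec --mode transport -j ACCEPT
# Anything else from the peer is cleartext that never went through an SA:
# drop it so a missing or failed SA cannot silently fall back to plaintext.
iptables -A INPUT -i $ifname -s $peer -m policy --dir in --pol none -j DROP
# --- OUTPUT ---
# Order matters: IKE and ESP are accepted first, then plaintext to the peer
# is only allowed when the kernel will encrypt it, and the rest is dropped.
iptables -A OUTPUT -o $ifname -d $peer -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -o $ifname -d $peer -p udp --dport 4500 -j ACCEPT
iptables -A OUTPUT -o $ifname -d $peer -p esp -j ACCEPT
iptables -A OUTPUT -o $ifname -d $peer -m policy --dir out --pol ipsec --mode transport -j ACCEPT
iptables -A OUTPUT -o $ifname -d $peer -m policy --dir out --pol none -j DROP
EOF
}

# Stand-alone usage: print the ruleset for the assumed interface and peer.
gen_ipsec_rules "${1:-eth0}" "${2:-192.168.1.20}"
```

Check the result with `iptables -L INPUT -v -n` afterwards: the byte counters on the `policy` rule should climb with the decrypted traffic while the `-p esp` rule counts the packets seen on the wire.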