Subject: Re: Non-IPSec Processing Point for ipf
To: None <>
From: Curt Sampson <>
List: tech-net
Date: 04/18/2003 18:14:49
On Fri, 18 Apr 2003 wrote:
> >> >If I have two IPSec links, one to network A/24 and one to network B/24,
> >> >I need to block all source=A/24 packets that come in via the tunnel from
> >> >B, and all source=B/24 packets that come in via the tunnel from A, because
> >> >those packets are forged.
> >> why not filter at the other end of the tunnel (tunnel egress point)?
> s/egress/ingress/
You mean at the interface on my router where the packets enter? Because
at that point all I see are encrypted packets from the other end of the
tunnel. I have no idea what inner packets are going to be extracted from
the encapsulating packets and injected into my system.
Curt Sampson <> +81 90 7737 2974
Don't you know, in this new Dark Age, we're all light. --XTC
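The check Curt describes, as an added example that is not part of the original thread or of ipf itself: two IPsec tunnels terminate on one router, each is trusted to carry only its own inner prefix, and an inner packet whose source belongs to the other tunnel's prefix is forged and must be dropped. The script contrasts what a filter at the ingress interface can see (outer source and SPI, with the inner packet still opaque ciphertext) with the check that only becomes possible once the kernel has decapsulated the packet and can tell the filter which SA it came from. The peer addresses, SPIs and prefixes are constructed for the example; decryption is not modelled, the decapsulated inner packet is simply handed in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample: two tunnels terminating on this router.
# Tunnel "A" is trusted to carry 10.1.0.0/24, tunnel "B" 10.2.0.0/24.
TUNNELS = {
    "A": {"peer": "198.51.100.1", "spi": 0x1001,
          "inner": ipaddress.ip_network("10.1.0.0/24")},
    "B": {"peer": "203.0.113.1", "spi": 0x2002,
          "inner": ipaddress.ip_network("10.2.0.0/24")},
}


@dataclass
class EspPacket:
    """What the ingress interface sees: outer header plus an opaque ESP payload."""
    outer_src: str
    spi: int
    ciphertext: bytes  # inner packet, unreadable until the SA decrypts it


@dataclass
class InnerPacket:
    """The decapsulated packet the kernel injects after processing the SA."""
    src: str
    dst: str
    payload: bytes


def classify_outer(pkt: EspPacket) -> Optional[str]:
    """Filter at the ingress interface: match only on outer source and SPI.

    This identifies the tunnel the packet claims to belong to, but says
    nothing about the inner source address, which is still encrypted.
    """
    for name, t in TUNNELS.items():
        if pkt.outer_src == t["peer"] and pkt.spi == t["spi"]:
            return name
    return None


def filter_decapsulated(tunnel: Optional[str], inner: InnerPacket) -> str:
    """Anti-spoofing check at a non-IPsec processing point.

    The inner source must fall inside the prefix routed over the tunnel the
    packet was actually decapsulated from. A packet that arrived in the clear
    (tunnel is None) is not allowed to claim any tunnel prefix either.
    """
    src = ipaddress.ip_address(inner.src)
    if tunnel is None:
        return "block" if any(src in t["inner"] for t in TUNNELS.values()) else "pass"
    return "pass" if src in TUNNELS[tunnel]["inner"] else "block"


if __name__ == "__main__":
    # Peer B sends an ESP packet; on the outer interface we learn only "tunnel B".
    outer = EspPacket("203.0.113.1", 0x2002, b"\x8f\x12opaque-ciphertext")
    tunnel = classify_outer(outer)
    # After decapsulation the inner source turns out to be in A's prefix: forged.
    forged = InnerPacket("10.1.0.7", "192.0.2.10", b"GET / HTTP/1.0")
    print(tunnel, filter_decapsulated(tunnel, forged))          # B block
    legit = InnerPacket("10.2.0.7", "192.0.2.10", b"GET / HTTP/1.0")
    print(tunnel, filter_decapsulated(tunnel, legit))           # B pass
    # Cleartext packet from an unknown host claiming A's prefix: also forged.
    print(filter_decapsulated(classify_outer(EspPacket("192.0.2.99", 0, b"")), forged))
```

The point the split into two functions makes is the one the message makes: classify_outer is all that a rule on the ingress interface can express, and the block/pass decision in filter_decapsulated needs both the inner header and the identity of the SA that produced it, which is information a filter only has if it runs after IPsec input processing.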