Joined: 09 Oct 2002
Location: Lausanne, Switzerland
Posted: Tue Jan 14, 03 11:33 Post subject: Can I use filtering with IPSec?
Yes, but be sure that you do not block input or output of:
- ESP (encryption and/or authentication),
- the AH protocol (if you are using it for packet-level authentication),
- UDP port 500, which is used during IKE negotiations,
...depending on how you build the encrypted connection.
In relation to tunnelling IPSec connections between subnets, or from a single remote user to a subnet, the filtering rules take effect after IPSec has decrypted the packets and after Interface NAT input (for the interface the packet arrived on) and MISC>NAT have made their translations. Packets that make it through are then released to the internal subnet.
Recommended filtering rules:
Reject IP packets that are not from known IP Gateways (can be configured in MISC>NAT)
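The rules above expressed for a Linux gateway, as an added example that is not part of the original post and not the firewall product the post describes. It assumes iptables, a WAN interface name and a single known peer gateway address (the values eth0 and 203.0.113.10 used below are hypothetical). It accepts exactly the three things the post says must not be blocked (ESP, AH, IKE on UDP/500), but only from the known gateway, and then drops the same protocols from anyone else, which is the post's "reject IP packets that are not from known IP gateways" rule. Setting DRY_RUN prints the rules instead of installing them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux gateway running
# iptables; interface and peer address are placeholders chosen for illustration.

# run: execute the rule, or only print it when DRY_RUN is set (review mode).
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# ipsec_allow WAN_IF PEER_GATEWAY
# Permit the IPsec building blocks the post lists, but only for one known peer:
#   ESP = IP protocol 50, AH = IP protocol 51, IKE = UDP port 500.
ipsec_allow() {
    wan="$1"
    peer="$2"
    for proto in 50 51; do   # 50 = ESP, 51 = AH
        run iptables -A INPUT  -i "$wan" -p "$proto" -s "$peer" -j ACCEPT
        run iptables -A OUTPUT -o "$wan" -p "$proto" -d "$peer" -j ACCEPT
    done
    run iptables -A INPUT  -i "$wan" -p udp -s "$peer" --dport 500 -j ACCEPT
    run iptables -A OUTPUT -o "$wan" -p udp -d "$peer" --dport 500 -j ACCEPT
}

# ipsec_reject_unknown WAN_IF
# The post's recommendation: IPsec/IKE packets from any gateway that was not
# explicitly allowed above are rejected. Order matters: call ipsec_allow first,
# because iptables evaluates chains top to bottom.
ipsec_reject_unknown() {
    wan="$1"
    for proto in 50 51; do
        run iptables -A INPUT -i "$wan" -p "$proto" -j DROP
    done
    run iptables -A INPUT -i "$wan" -p udp --dport 500 -j DROP
}

# Typical use (placeholders): review first, then install.
#   DRY_RUN=1 sh thisfile.sh   -> prints the rules
#   ipsec_allow eth0 203.0.113.10; ipsec_reject_unknown eth0
```

Two caveats the post predates: if either end sits behind NAT, IKE and ESP are normally carried inside UDP port 4500 (NAT traversal), which this rule set would drop; and on Linux the decrypted inner packets traverse the filter a second time, so rules for the internal subnet are written against the plaintext addresses, which matches the post's point that filtering happens after decryption.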