From: "Travis H." <solinym@gmail.com>
To: VANHULLEBUS Yvan
Cc: freebsd-pf@freebsd.org
Date: Tue, 25 Oct 2005 06:16:22 -0500
In-Reply-To: <20051025095745.GA2581@zeninc.net>
Subject: Re: Filtering IPSec traffic ?
I think you have to set up filtering on the external interface for UDP port 500 (for the ISAKMP) and IP protocols 50 and 51 (proto esp and proto ah, in pf.conf syntax). Then, the decrypted version appears on enc0, so you can match the decapsulated stuff. As I understand it.

--
http://www.lightconsulting.com/~travis/ -><-
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
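A pf.conf rule set that applies the approach described in the message above: pass IKE, ESP and AH on the external interface, then write the policy for the cleartext packets on enc0. This is an added example, not code from the message or the list; the interface names (em0, fxp0), the peer address and both networks are placeholder assumptions, and the internal-interface rules go slightly beyond the message so the decapsulated traffic can actually be forwarded.

```pf
# Added example (not from the mailing-list message). Interfaces, peer and
# networks below are placeholder assumptions; adjust them to your setup.
ext_if     = "em0"
int_if     = "fxp0"
ipsec_peer = "203.0.113.10"       # remote IPsec gateway (documentation address)
remote_net = "192.168.2.0/24"     # network reachable through the tunnel
local_net  = "192.168.1.0/24"

set skip on lo0
block log all                     # default deny; rejected packets go to pflog

# 1. Let the tunnel itself reach the external interface: ISAKMP on UDP 500,
#    then the protected payload as ESP (IP proto 50) and AH (IP proto 51).
#    Restricting the source to the known peer keeps random hosts from
#    talking to the IKE daemon at all.
pass in  quick on $ext_if proto udp from $ipsec_peer to ($ext_if) port 500
pass out quick on $ext_if proto udp from ($ext_if) to $ipsec_peer port 500
pass in  quick on $ext_if proto esp from $ipsec_peer to ($ext_if)
pass out quick on $ext_if proto esp from ($ext_if) to $ipsec_peer
pass in  quick on $ext_if proto ah  from $ipsec_peer to ($ext_if)
pass out quick on $ext_if proto ah  from ($ext_if) to $ipsec_peer

# 2. The decapsulated (cleartext) packets appear on enc0, so the policy for
#    the inner traffic is written here rather than on $ext_if. Only the
#    addresses the tunnel is supposed to carry are allowed; anything else
#    that comes out of the tunnel is dropped and logged by "block log all".
pass in  on enc0 from $remote_net to $local_net keep state
pass out on enc0 from $local_net to $remote_net keep state

# 3. Forwarding between the tunnel and the LAN (not covered in the message,
#    but needed for the cleartext packets to leave the gateway).
pass out on $int_if from $remote_net to $local_net keep state
pass in  on $int_if from $local_net to $remote_net keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -ni enc0` to confirm the decapsulated packets are actually being presented to the enc0 rules.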