Hi Graham,

> So, it appears that the UDP packets come through the tunnel, are decrypted
> and then looped-back through the firewall ?

That is correct.

> I'm not too keen on opening the firewall to all UDP packets using that UDP
> port number. Is there a more elegant method ?

Yes, you could use the policy match of iptables. E.g. "-m policy --pol ipsec"
matches only packets coming in decrypted or going out encrypted.

If you have several different IPsec connections needing different treatment in
your firewall, you have to differentiate with the IPs as the policy match
doesn't know about the strongSwan connection names.

Kind regards,

Gerd
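The rule set Gerd describes, written out as an added example (not code from the original mail or from strongSwan): the UDP port is accepted only for packets that came in through an IPsec SA, and the case of several connections is handled by keying on the inner source subnets. The port number, subnets and chain names are assumed values.

```shell
#!/bin/sh
# Added example: emit iptables rules implementing the "-m policy --pol ipsec"
# approach. Constructed values: UDP port 5060 as the application port carried
# in the tunnel, 10.1.0.0/24 and 10.2.0.0/24 as the remote inner subnets of two
# different connections. The functions only print the rules so they can be
# reviewed first; pipe the output to sh on the gateway to apply them.

UDP_PORT=5060   # constructed value

# Accept the UDP port only when the packet was just decrypted by the kernel
# ("--dir in --pol ipsec") and let the reply out only if it will be encrypted
# ("--dir out --pol ipsec"). A clear-text UDP packet to the same port from the
# internet does not match these rules and falls through to the chain's policy.
# Note: the policy match's own --proto option selects ah/esp, so the transport
# protocol still has to be given with the ordinary -p udp outside the match.
ipsec_only_rules() {
    port="$1"
    echo "iptables -A INPUT -p udp --dport $port -m policy --dir in --pol ipsec -j ACCEPT"
    echo "iptables -A OUTPUT -p udp --sport $port -m policy --dir out --pol ipsec -j ACCEPT"
}

# Several IPsec connections needing different treatment: the policy match does
# not know strongSwan connection names, so after decryption the inner source
# address (-s) is what tells them apart. Each subnet is sent to its own chain
# (assumed names conn_1, conn_2, ...) where the per-connection rules live.
per_connection_rules() {
    n=1
    for subnet in "$@"; do
        echo "iptables -N conn_$n"
        echo "iptables -A INPUT -s $subnet -m policy --dir in --pol ipsec -j conn_$n"
        n=$((n + 1))
    done
}

ipsec_only_rules "$UDP_PORT"
per_connection_rules 10.1.0.0/24 10.2.0.0/24
```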

_______________________________________________
Users mailing list
Users@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/users
