Hey y'all, I figured I'd chime in, since I've recently figured out using Netfilter and IPSec together. For the FreeS/WAN implementation of IPSec, you'll need to open up the following in your iptables policy (I'm not sure about other IPSec implementations):

Accept protocol 50 and 51 (ESP and AH) and UDP port 500 (isakmp) to and from your VPN endpoint. This is for a Host-to-Net VPN. You'll need to set up the proper NAT rules for Net-to-Net VPNs.

Example rules (assuming the ipsec interface is bound to eth0, VPN endpoint @ a.b.c.d):

    iptables -A INPUT -i eth0 -p 50 -s a.b.c.d -j ACCEPT
    iptables -A INPUT -i eth0 -p 51 -s a.b.c.d -j ACCEPT
    iptables -A INPUT -i eth0 -p udp --dport 500 -s a.b.c.d -j ACCEPT
    iptables -A OUTPUT -o eth0 -p 50 -d a.b.c.d -j ACCEPT
    iptables -A OUTPUT -o eth0 -p 51 -d a.b.c.d -j ACCEPT
    iptables -A OUTPUT -o eth0 -p udp --dport 500 -d a.b.c.d -j ACCEPT

Cheers,
Ben

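The six rules from Ben's post, rewritten as an added example (not from the original post or the FreeS/WAN project) in the form a practitioner would actually keep: a POSIX shell script that emits them as an `iptables-restore` fragment, parameterised on the interface and the peer address, so the ruleset can be reviewed before it is loaded and regenerated for another endpoint without retyping. The interface name `eth0` and the peer `192.0.2.1` used below are constructed sample values; nothing in the script calls `iptables` itself.

```shell
#!/bin/sh
# Added example, not the original post's commands: generate the FreeS/WAN
# host-to-net filter rules as an iptables-restore fragment.
# Protocol numbers: 50 = ESP, 51 = AH; UDP port 500 = ISAKMP (IKE).
set -eu

# Emit the six ACCEPT rules for one peer: ESP and AH in both directions,
# plus ISAKMP to and from the peer, all pinned to the IPsec interface and
# the peer address so nothing else slips through the holes.
ipsec_peer_rules() {
    iface="$1"
    peer="$2"
    for proto in 50 51; do
        printf -- '-A INPUT -i %s -p %s -s %s -j ACCEPT\n' "$iface" "$proto" "$peer"
        printf -- '-A OUTPUT -o %s -p %s -d %s -j ACCEPT\n' "$iface" "$proto" "$peer"
    done
    printf -- '-A INPUT -i %s -p udp --dport 500 -s %s -j ACCEPT\n' "$iface" "$peer"
    printf -- '-A OUTPUT -o %s -p udp --dport 500 -d %s -j ACCEPT\n' "$iface" "$peer"
}

# Wrap the rules in a filter-table block that iptables-restore accepts.
# Load with `iptables-restore -n < rules.txt` to append without flushing
# the existing policy.
ipsec_ruleset() {
    printf '*filter\n'
    ipsec_peer_rules "$1" "$2"
    printf 'COMMIT\n'
}

# Stand-alone use: ./ipsec-rules.sh eth0 192.0.2.1 > rules.txt
if [ "$#" -eq 2 ]; then
    ipsec_ruleset "$1" "$2"
fi
```

The rules mirror the post exactly. If the policy is locked down further, note that IKE also sends from UDP port 500, so adding `--sport 500` to the two ISAKMP rules is the usual tightening; and because the rules match on a single peer address, a Net-to-Net setup with several peers simply calls `ipsec_peer_rules` once per endpoint inside the same `*filter` block.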