Subject: fwd: Order of SPD evaluation in ipsec
To: None <>
From: Christoph Kaegi <>
List: tech-crypto
Date: 05/09/2001 16:07:08
> >I am setting up two NetBSD 1.5 boxes wich tunnel and 
> >(ESP) encrypt traffic like follows:
> (snip)
> >If have successfully set up the systems, traffic gets
> >encrypted between the boxes.
> >But how can I drop all Packets on the Boxes, which
> >aren't from or to Net[1234] ?
> >I tried with additional SPD entries like:
> >   # disallow everything else
> >   spdadd Net1 any -P out discard ;
> >   spdadd Net1 any -P in discard;
> >... at the *end* of my /etc/ipsec.conf.
> >This doesn't work. (No connection at all anymore)
>         SPD entry works like packet filters - first one that matches will
>         decide the behavior.
> itojun

Thank you for the fast answer.

I was able to make it work as I want now.
(I had to specify some more 'allow' rules before denying
 everything else.)


Christoph Kaegi