Subject: Re: Non-IPSec Processing Point for ipf
To: None <itojun@iijlab.net>
From: Curt Sampson <cjs@cynic.net>
List: tech-net
Date: 04/18/2003 18:14:49
On Fri, 18 Apr 2003 itojun@iijlab.net wrote:

> >> >If I have two IPSec links, one to network A/24 and one to network B/24,
> >> >I need to block all source=A/24 packets that come in via the tunnel from
> >> >B, and all source=B/24 packets that come in via the tunnel from A, because
> >> >those packets are forged.
> >> 	why not filter at the other end of the tunnel (tunnel egress point)?
>
> 	s/egress/ingress/

You mean at the interface on my router where the packets enter? Because
at that point all I see are encrypted packets from the other end of the
tunnel. I have no idea what inner packets are going to be extracted from
the encapsulating packets and injected into my system.

cjs
-- 
Curt Sampson  <cjs@cynic.net>   +81 90 7737 2974   http://www.netbsd.org
    Don't you know, in this new Dark Age, we're all light.  --XTC
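The gap described in this exchange, modelled as an added example (not part of the thread): a filter at the tunnel ingress sees only the outer ESP header and SPI, so a forged inner source is indistinguishable from a legitimate one until after decapsulation, where the inner source can be checked against the tunnel (SA) it actually arrived through. All addresses, SPIs and the tunnel table are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: two IPsec tunnels terminate on one router. Each
# tunnel is identified by the SPI of its inbound SA, bound to the remote
# gateway address and the inner prefix that may legitimately arrive through it.
TUNNELS = {
    0x1001: {"peer": "198.51.100.1", "inner_net": ipaddress.ip_network("192.0.2.0/24")},    # tunnel to A
    0x1002: {"peer": "198.51.100.2", "inner_net": ipaddress.ip_network("203.0.113.0/24")},  # tunnel to B
}

@dataclass
class EncapsulatedPacket:
    outer_src: str   # source of the ESP packet, i.e. the remote tunnel gateway
    spi: int         # SPI selecting the inbound SA
    inner_src: str   # source of the decapsulated packet, only known after decryption

def outer_filter(pkt):
    """Pre-decryption point (tunnel ingress): only the outer header and SPI
    are visible, so a forged inner source passes exactly like a genuine one."""
    sa = TUNNELS.get(pkt.spi)
    return sa is not None and sa["peer"] == pkt.outer_src

def post_decap_filter(pkt):
    """Post-decryption point: drop inner packets whose source prefix does not
    belong to the SA they were decapsulated from (anti-spoofing per tunnel)."""
    sa = TUNNELS.get(pkt.spi)
    if sa is None:
        return False
    return ipaddress.ip_address(pkt.inner_src) in sa["inner_net"]

def classify(pkt):
    """Verdict at each filtering point, showing where the forgery becomes visible."""
    return {"outer": outer_filter(pkt), "inner": post_decap_filter(pkt)}

# Constructed traffic: a genuine B host via tunnel B, and a packet via tunnel B
# whose inner source claims to be in A/24.
LEGIT = EncapsulatedPacket("198.51.100.2", 0x1002, "203.0.113.7")
FORGED = EncapsulatedPacket("198.51.100.2", 0x1002, "192.0.2.9")

if __name__ == "__main__":
    for name, pkt in (("legit", LEGIT), ("forged", FORGED)):
        print(name, classify(pkt))
```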