Subject: Re: Non-IPSec Processing Point for ipf
To: Curt Sampson <cjs@cynic.net>
From: Andrew Brown <atatat@atatdot.net>
List: tech-net
Date: 04/18/2003 09:37:55
>> >> >If I have two IPSec links, one to network A/24 and one to network B/24,
>> >> >I need to block all source=A/24 packets that come in via the tunnel from
>> >> >B, and all source=B/24 packets that come in via the tunnel from A, because
>> >> >those packets are forged.
>> >> 	why not filter at the other end of the tunnel (tunnel egress point)?
>>
>> 	s/egress/ingress/
>
>You mean at the interface on my router where the packets enter? Because
>at that point all I see are encrypted packets from the other end of the
>tunnel. I have no idea what inner packets are going to be extracted from
>the encapsulating packets and injected into my system.

interesting.  you are actually in a situation where you are using
ipsec to obscure yet do not trust the other party?  why waste time on
ipsec?  i assume from this, that ah would not help at all.

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
werdna@squooshy.com       * "information is power -- share the wealth."
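As an added illustration (not from the original post, nor ipf or NetBSD code), a small Python model of the two processing points the thread contrasts: before decapsulation only the outer header is visible, so the anti-spoofing rule Curt describes can only be applied to the inner header afterwards. The gateway addresses and the 10.x prefixes standing in for A/24 and B/24 are placeholders.

```python
import ipaddress

# Constructed model of the two tunnels discussed in the thread.  The gateway
# addresses and inner prefixes are placeholders chosen for this example; the
# post itself only names the networks "A/24" and "B/24".
TUNNELS = {
    "A": {"peer": ipaddress.ip_address("192.0.2.1"),
          "inner": ipaddress.ip_network("10.1.0.0/24")},   # network A/24
    "B": {"peer": ipaddress.ip_address("198.51.100.1"),
          "inner": ipaddress.ip_network("10.2.0.0/24")},   # network B/24
}


def identify_tunnel(outer_src):
    """Ingress view: before decapsulation only the outer header is visible, so an
    interface filter can at most match the peer gateway.  None = unknown gateway."""
    src = ipaddress.ip_address(outer_src)
    for name, t in TUNNELS.items():
        if t["peer"] == src:
            return name
    return None


def filter_inner(tunnel, inner_src):
    """Post-decapsulation rule from the thread: an inner packet claiming a source
    inside another tunnel's network is forged and is blocked.  (A tighter policy
    would pass only the tunnel's own prefix; this keeps the rule as stated.)"""
    src = ipaddress.ip_address(inner_src)
    for name, t in TUNNELS.items():
        if name != tunnel and src in t["inner"]:
            return "block"
    return "pass"


def process_tunnel_packet(outer_src, inner_src):
    """Both stages in the order the router sees them.  The inner check can only
    run after decapsulation, which is why it cannot live on the ingress interface.
    Returns (tunnel, decision)."""
    tunnel = identify_tunnel(outer_src)
    if tunnel is None:
        return (None, "block")          # not from a known gateway at all
    # ESP decapsulation would happen here; only now is the inner header readable
    return (tunnel, filter_inner(tunnel, inner_src))


if __name__ == "__main__":
    # forged: claims a network A address but arrived through tunnel B
    print(process_tunnel_packet("198.51.100.1", "10.1.0.5"))   # ('B', 'block')
    # legitimate: network B address through tunnel B
    print(process_tunnel_packet("198.51.100.1", "10.2.0.9"))   # ('B', 'pass')
```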