2
Sob:
If no policy exists, it's true for all packets
none doesn't match ipsec-policies even if they are defined
2
pe1chl:
I checked your example. It works the same with no
ipsec-policy=in,none in the second rule:
add action=accept chain=input-inet comment=L2TP/IPsec dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
add action=reject chain=input-inet comment="L2TP no IPsec" dst-port=1701 \
log=yes log-prefix=l2tp protocol=udp reject-with=\
icmp-port-unreachable
But in the other order of rules it is required: with no
ipsec-policy=in,none in the first rule, the example doesn't work as expected.
add action=reject chain=input-inet comment="L2TP no IPsec" dst-port=1701 \
ipsec-policy=in,none log=yes log-prefix=l2tp protocol=udp reject-with=\
icmp-port-unreachable
add action=accept chain=input-inet comment=L2TP/IPsec dst-port=1701 \
ipsec-policy=in,ipsec protocol=udp
Hm... MRZ confirmed in this thread:
ipsec-policy=in,none - incoming packets matched by any policy before decryption
ipsec-policy=in,ipsec - incoming packets matched by any policy after decryption
ipsec-policy=out,none - outgoing packets matched by any policy after encryption
ipsec-policy=out,ipsec - outgoing packets matched by any policy before encryption
is it incorrect? Must it be:
ipsec-policy=in,none - any incoming packets excluding decrypted IPsec
ipsec-policy=in,ipsec - incoming packets matched by any policy after decryption
ipsec-policy=out,none - any outgoing packets excluding decrypted IPsec
ipsec-policy=out,ipsec - outgoing packets matched by any policy before encryption
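Added example, not from the thread or from MikroTik: a small Python first-match model of the chain above, used to check both rule orders from the post. It assumes a simplified packet flag (decrypted) and simplified matcher semantics (no ipsec-policy matches every packet, in,ipsec matches decrypted packets, in,none matches the rest), which is an assumption made for the demo.

```python
# Assumed model of a RouterOS filter chain (first matching rule decides),
# used to check why the reject-first order needs ipsec-policy=in,none.
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Packet:
    protocol: str
    dst_port: int
    decrypted: bool  # True if the packet arrived inside IPsec and was decrypted

@dataclass
class Rule:
    action: str                         # "accept" or "reject"
    protocol: str
    dst_port: int
    ipsec_policy: Optional[str] = None  # None, "in,ipsec" or "in,none"

    def matches(self, pkt: Packet) -> bool:
        if pkt.protocol != self.protocol or pkt.dst_port != self.dst_port:
            return False
        if self.ipsec_policy is None:        # no matcher: any packet
            return True
        if self.ipsec_policy == "in,ipsec":  # only packets that came out of IPsec
            return pkt.decrypted
        if self.ipsec_policy == "in,none":   # only packets that did not
            return not pkt.decrypted
        raise ValueError(self.ipsec_policy)

def run_chain(rules: List[Rule], pkt: Packet) -> str:
    # First matching rule decides; an implicit drop is assumed at the end.
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"

ACCEPT_IPSEC = Rule("accept", "udp", 1701, "in,ipsec")
REJECT_ALL = Rule("reject", "udp", 1701)             # no ipsec-policy matcher
REJECT_PLAIN = Rule("reject", "udp", 1701, "in,none")

def outcomes(rules: List[Rule]):
    # Constructed sample packets: one plain UDP/1701, one that came out of IPsec.
    plain = Packet("udp", 1701, decrypted=False)
    ipsec = Packet("udp", 1701, decrypted=True)
    return run_chain(rules, plain), run_chain(rules, ipsec)

if __name__ == "__main__":
    print(outcomes([ACCEPT_IPSEC, REJECT_ALL]))    # ('reject', 'accept')
    print(outcomes([REJECT_ALL, ACCEPT_IPSEC]))    # ('reject', 'reject')
    print(outcomes([REJECT_PLAIN, ACCEPT_IPSEC]))  # ('reject', 'accept')
```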