My previous post promised some information about how firewall rules interact with IPsec under Linux 2.6; well, here it is.
The Shoreline Firewall (Shorewall) fully supports declaratively defining IPsec tunnels and hosts under the new 2.6 IPsec stack. To use this, however, you need the policy match netfilter extension from Patch-o-Matic NG (POM-NG) and four other patches:
To apply the patches, run patch -p1 < ipsec-* from the top of your kernel source tree. Also copy the policy match extension's files from the POM-NG directory into your kernel tree and insert the contents of the two .ladd files into the relevant Kconfig file. Then reconfigure the kernel, enabling the policy match, and rebuild. Then follow the documentation.
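The two manual steps above (applying a set of patches, then splicing .ladd fragments into Kconfig) are easy to get half-done: a patch that does not fit leaves .rej files behind, and re-running the Kconfig step pastes the fragment in twice. Here is an added shell example, written for this post and not taken from Shorewall or POM-NG, that does both steps defensively: each patch is dry-run before it touches the tree, and the .ladd merge is idempotent. It assumes GNU patch (for --dry-run); the tree path, patch names and the IP_NF_MATCH_EXAMPLE symbol are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post or from POM-NG/Shorewall.
# Helpers for the manual steps described in the post:
#   apply_patch_set TREE PATCH...  dry-run each patch before applying it, so a
#                                  patch that does not fit never half-modifies the tree
#   merge_ladd KCONFIG LADD        append a .ladd fragment to a Kconfig only once
# Assumes GNU patch (--dry-run). All paths are placeholders supplied by the caller,
# e.g.:  apply_patch_set /usr/src/linux ipsec-*

apply_patch_set() {
    tree=$1
    shift
    for p in "$@"; do
        # -f: never prompt and never guess that a patch is reversed;
        # -s: silence per-hunk chatter so only errors reach the user.
        # A failed dry run returns non-zero and writes no .rej files.
        if ! patch -d "$tree" -p1 -f -s --dry-run < "$p" >/dev/null 2>&1; then
            echo "refusing to apply $p: it does not fit the tree cleanly" >&2
            return 1
        fi
        patch -d "$tree" -p1 -f -s < "$p" >/dev/null
    done
    return 0
}

merge_ladd() {
    kconfig=$1
    ladd=$2
    # The first non-blank line of the fragment (its "config FOO" line) is the
    # marker that tells us whether this fragment has already been merged.
    marker=$(sed -n '/./{p;q;}' "$ladd")
    if grep -qF -- "$marker" "$kconfig"; then
        return 0   # already present: re-running the step is harmless
    fi
    { printf '\n'; cat "$ladd"; } >> "$kconfig"
}
```

Running the dry run first means a typo in a patch name, or a patch made against a different kernel revision, is reported before anything is modified, which keeps the source tree in a state you can still reason about when the rebuild fails later.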
If I have time, I’ll try and add some more information here.