On 1/8/06, Wilfred E. Savery <wilfred dot savery at innovadotnet dot com> wrote:
> But by default the rule say allow any from any, so I guess this Rule is
> already taken in account.
> Default LAN -> any
> Proto | Source | Port | Destination | Port |
> * LAN net * * *
No...That's the LAN rule.
By default ALL traffic is blocked inbound from the WAN, unless the
traffic "originated" from the LAN first. Since IPSEC is from WAN
interface to WAN interface, the router doesn't have a chance to see if
the request came from the LAN (in simple terms)
By specifically allowing ESP * * * *, you are effectively saying
you will allow ESP from anyone, but, since you setup your IPSEC rules
to/from specific IP's, realistically only that traffic is accepted.
I guess also by saying ESP to ANY from ANY, you are also allowing a
LAN workstation to setup an IPSEC connection originating from the LAN.