Securing IPsec with keynote(5) and pf(4) We can use pf(4) to filter packets using pf tags new feature in OpenBSD 4.1 /etc/ipsec.conf: ike passive esp from 10.0.0.0/8 to any srcid gwA.openbsd.org tag ipsec-$id /etc/pf.conf: set skip on enc0 block in log all pass out log on em0 proto tcp from any to 10.0.1.10 port = ssh \ tagged ipsec-fqdn/msf@openbsd.org