[strongSwan] enforce encryption and authentication

ujoimro ujoimro at gmail.com
Tue Dec 4 10:26:05 CET 2012


Dear All, 

I have the following problem, and I did not find any suggestions on the 
internet about the issue. 

I want to secure the connection between two computers, Alice and Sun. Alice 
sees Sun and has no problem connecting to Sun without IPsec. Sun has a very 
important and sensitive service (like NFS or VNC) and can only discriminate 
its clients by their IP address. Sun does not trust the gateway, the router 
or the DHCP server!

How can I make sure that a packet can ONLY arrive at Sun through ESP? If I 
insert a rule into Sun's firewall

iptables -I INPUT -s ${ALICE_IP} -p tcp -j DROP

then ALL the packets get filtered, BOTH ESP and TCP.

I can use the updown script to lift the restriction once the IPsec connection 
is ready, but it is both error-prone and I am not sure what happens if Alice 
gets pulled from the network without a proper down and someone else gets her 
address.

Can you help me?

Cordially, 

Laszlo
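The behaviour described in the post (the `-p tcp` rule dropping both the ESP packet and the decrypted TCP inside it) is what Linux does: after the kernel decapsulates an ESP packet, the inner packet traverses the netfilter INPUT hook a second time, so a plain `-s ALICE -p tcp` rule matches it just like a cleartext packet. The way to tell the two apart without an updown script is the iptables `policy` match, which only matches packets that actually came out of an IPsec SA. The script below is an added example written for this page, not code from the original post or from the strongSwan project; the peer address 192.0.2.10, the function names and the flat INPUT-chain layout are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): firewall rules for Sun that
# accept traffic from Alice's address only after it has been decapsulated
# from an IPsec SA, and drop anything that arrives from that address in
# cleartext. Peer address, function names and chain layout are assumptions.

# Print the iptables commands for one peer address (does not apply them).
ipsec_only_rules() {
    alice="$1"
    cat <<EOF
# IKE from ${alice}: needed to negotiate the SA in the first place
iptables -A INPUT -s ${alice} -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s ${alice} -p udp --dport 4500 -j ACCEPT
# The ESP packets themselves (NAT-T encapsulated ESP rides on UDP 4500 above)
iptables -A INPUT -s ${alice} -p esp -j ACCEPT
# After decapsulation the inner packet traverses INPUT again; the policy
# match only matches packets that really came out of an IPsec SA
iptables -A INPUT -s ${alice} -m policy --dir in --pol ipsec --proto esp -j ACCEPT
# Anything else claiming ${alice} as source arrived in cleartext: drop it
iptables -A INPUT -s ${alice} -j DROP
EOF
}

# Number of iptables commands emitted for a peer (used as a sanity check).
rule_count() {
    ipsec_only_rules "$1" | grep -c '^iptables'
}

# Dry run by default; set APPLY=1 to actually install the rules as root.
PEER="${PEER:-192.0.2.10}"
if [ "${APPLY:-0}" = "1" ]; then
    ipsec_only_rules "$PEER" | grep '^iptables' | sh -e
else
    ipsec_only_rules "$PEER"
fi
```

Two practical notes. First, check that the match is available on the box (`iptables -m policy --help` should list `--dir`, `--pol`, `--proto` and `--mode`); if Alice and Sun use transport mode rather than tunnel mode, `--mode transport` can be added to the policy rule to be strict about it. Second, this rule set does not need the updown script at all: if Alice disappears and someone else obtains her address, their cleartext packets still hit the final DROP, because only packets that the kernel decrypted under an SA can satisfy the `--pol ipsec` match. The usual complement on the strongSwan side is `auto=route` for the connection, which installs the kernel policies at startup so that traffic matching the selectors is required to use IPsec regardless of whether an SA is currently up.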




