Securing IPsec with keynote(5) and pf(4) We can use isakmpd.policy(5) to limit what SAs a user can negotiate. Keynote-Version: 2 Authorizer: "POLICY" Licensees: "DN:/C=CA/ST=AB/L=Calgary/O=OpenBSD/CN=Example CA" Conditions: app_domain == "IPsec policy" && esp_present == "yes" && esp_enc_alg != "null" && ( ( remote_id_type == "UFQDN" && remote_id == "msf@openbsd.org" ) && ( local_filter == "010.000.001.000-010.000.001.255" || local_filter == "010.000.002.000-010.000.002.255" ) ) -> "true";