IPFW Limit connections to specific ports only for IPSec VPN connected clie

[ssh2]

I have this: IPSec (IPSec-tools) with xcerts auth on FreeBSD 9-Stable. Ipfw with kernel nat.

I can't find ipfw rules for such problem: I need limit connection for specific port (service that listen on it) for connection going only via VPN.
In this kind of VPN no gre virtual interface created.

VPN connections seen on this port as original IP on clients side.
For example: Client from 1.2.3.4 connect to my server 11.22.33.44 via IPSec take VPN IP 10.0.0.1 but connection on needed port seen as connection from 1.2.3.4 but not from 10.0.0.1 or from 11.22.33.44 (exit from NAT).

ipfw add 100 allow all from any to me 1234 ipsec
ipfw add 100 deny all from any to me 1234

don't work

Can anyone point me to right way on this problem?

 

[throAU]

Not exactly sure what you mean with regards to your setup, but if NAT is involved (i.e., either end is behind a NAT), you'll need to enable IPSEC NAT traversal to work, which means opening up port 4500 UDP amongst other things.

 

[ssh2]

NAT, NAT-t e.t.c. already work as expected.
Clients can easily connect to VPN.

I just need limit access to PsyBNC, as example, for clients connections going only trough VPN.
But because this IPSEC setup not create any additional interfaces or IP aliases. I don't know how block any non VPN connection to this service.