{
    my $ipsec_status = $ipsec{status} || 'disabled';
    my $target = ($ipsec_status eq 'enabled') ? "ACCEPT" : "denylog";

    $OUT = 
    "    /sbin/iptables --replace esp-in 1 -d \\! \$OUTERNET -j denylog\n" .
    "    /sbin/iptables --replace esp-in 2 -j $target";
}
