diff --git a/root/etc/config/firewall b/root/etc/config/firewall
index 48b2440..61607fa 100644
--- a/root/etc/config/firewall
+++ b/root/etc/config/firewall
@@ -113,20 +113,31 @@ config rule
 option target ACCEPT
 config rule
- option name Allow-IPSec-ESP
+ option name Allow-IPv6-IPSec-ESP
 option src wan
 option dest lan
 option proto esp
+ option family ipv6
 option target ACCEPT
 config rule
- option name Allow-ISAKMP
+ option name Allow-IPv6-IKE
 option src wan
 option dest lan
+ option src_port 500
 option dest_port 500
 option proto udp
+ option family ipv6
 option target ACCEPT
+config rule
+ option name Drop-IPv6-IKE-Unsolicited
+ option src wan
+ option dest lan
+ option dest_port 500
+ option proto udp
+ option family ipv6
+ option target DROP
 ### EXAMPLE CONFIG SECTIONS
 # do not allow a specific ip to access wan
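Review bot: In the `Allow-IPv6-IKE` rule, the added `option src_port 500` matches a value the remote sender chooses, so it does not separate solicited from unsolicited IKE. Any wan host sending from UDP port 500 is still forwarded to every lan host, and the name `Drop-IPv6-IKE-Unsolicited` overstates what the two rules do together. Legitimate peers whose source port is not 500 (for example after port rewriting on their side) are now dropped silently. If the goal is to limit exposure, consider scoping the ACCEPT with `option dest_ip` to the hosts that actually terminate IPsec, and add a comment above the DROP rule such as `# src_port is sender-controlled; this only filters IKE not sent from port 500`. Whether the explicit DROP is needed at all depends on the wan-to-lan forward policy, which is outside the hunk.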