See forum post.
When DMVPN is configured with IPsec following the DMVPN docs, cleartext GRE packets are allowed out over the internet before the IPsec tunnel comes back up after a network interruption.
After fixing the template file, one cleartext GRE packet leaks when I ping a spoke from the hub and reboot the target spoke (simulating a network failure or reboot with traffic to the spoke, as one would see in the real world). No GRE packets are leaked when pinging the hub from a spoke and rebooting the hub. The GRE cleartext packet always contains an NHRP Registration Request.
Adding
start_action=trap
in the dmvpn block of /usr/share/vyos/templates/ipsec/swanctl/profile.j2 seems to help with this problem by drastically cutting back the number of GRE packets that make it through in cleartext. There are, however, still one or two packets that make it through encapsulated but unencrypted. To ensure user data is not susceptible to interception:
- The aforementioned template file must be updated to set the DMVPN profile start_action parameter to trap.
- A command must be added that lets a user block outbound unencrypted GRE traffic, so that no unencrypted traffic is allowed out to the internet.
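As an added example (not from the original report or from VyOS), the following Python check classifies WAN-side packets the way a verification capture for this issue would be read: ESP (IP protocol 50) is what should leave the router, and any GRE (IP protocol 47) seen in the clear is a leak, with the GRE protocol type 0x2001 marking the NHRP registrations described above. The packet bytes and the hub/spoke addresses are constructed sample data.

```python
import struct

IPPROTO_GRE = 47
IPPROTO_ESP = 50
GRE_PROTO_NHRP = 0x2001  # GRE protocol type used for NHRP (the leaked registration requests)
GRE_PROTO_IPV4 = 0x0800  # GRE carrying user IPv4 traffic

def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from a raw IPv4 packet (IPv4 capture assumed)."""
    ihl = (pkt[0] & 0x0F) * 4
    src = ".".join(str(b) for b in pkt[12:16])
    dst = ".".join(str(b) for b in pkt[16:20])
    return pkt[9], src, dst, pkt[ihl:]

def classify(pkt):
    """Label a WAN-side packet: ESP is expected; any GRE seen here is a cleartext leak."""
    proto, _, _, payload = parse_ipv4(pkt)
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_GRE:
        # GRE header: 2 bytes of flags/version, then the 2-byte protocol type
        ptype = struct.unpack("!H", payload[2:4])[0]
        return "cleartext-gre-nhrp" if ptype == GRE_PROTO_NHRP else "cleartext-gre"
    return "other"

def find_leaks(packets):
    """Return (index, label, src, dst) for every cleartext GRE packet in a capture."""
    leaks = []
    for i, pkt in enumerate(packets):
        label = classify(pkt)
        if label.startswith("cleartext-gre"):
            _, src, dst, _ = parse_ipv4(pkt)
            leaks.append((i, label, src, dst))
    return leaks

def build_ipv4(proto, src, dst, payload):
    """Constructed test data only: minimal IPv4 header with the checksum left at zero."""
    addr = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, addr(src), addr(dst)) + payload

# Constructed capture: hub 203.0.113.1 -> spoke 198.51.100.2 (RFC 5737 documentation addresses)
HUB, SPOKE = "203.0.113.1", "198.51.100.2"
SAMPLE = [
    build_ipv4(IPPROTO_ESP, HUB, SPOKE, b"\x00" * 16),
    build_ipv4(IPPROTO_GRE, HUB, SPOKE, struct.pack("!HH", 0, GRE_PROTO_NHRP) + b"\x00" * 8),
    build_ipv4(IPPROTO_GRE, HUB, SPOKE, struct.pack("!HH", 0, GRE_PROTO_IPV4) + b"\x45" + b"\x00" * 19),
]
```

Running `find_leaks` over a real capture of the WAN interface after the template change should return an empty list once the outbound GRE block is in place; anything it returns is traffic the fix still lets through.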