See https://forum.vyos.io/t/dmvpn-gre-routed-clear-text-when-ipsec-down/9190/24
Specifically, from here down
I would like to be able to block outbound unencrypted GRE and allow it through IPSec as shown in the linked comment.
There is PR https://github.com/vyos/vyos-1x/pull/1516 for T4667, but it breaks all GRE traffic.
Interesting article on how and when to match ipsec options: https://thermalcircle.de/doku.php?id=blog:linux:nftables_demystifying_ipsec_expressions
@n.fort Maybe set firewall name <name> rule <rule> ipsec match-gre? This feels a bit hacky though... Almost like match should be its own block and contain ipsec, none, or gre
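For reference, the behaviour requested in this task can be expressed directly in nftables with the `rt ipsec` routing expression. This is an added example, not taken from the linked forum comment, the PR or VyOS-generated rules; the table and chain names are assumptions, and it assumes the GRE packets originate on the router itself, as they do for a DMVPN tunnel interface.

```nft
# Added example: drop cleartext GRE in the output hook, let IPsec-protected GRE pass.
# Table name "gre_guard" and chain name "output" are hypothetical.
table inet gre_guard {
    chain output {
        type filter hook output priority filter; policy accept;

        # "rt ipsec missing" is true when the packet's route carries no
        # IPsec (xfrm) transform, i.e. no matching policy/SA will encrypt it.
        # A GRE packet in that state would leave the box in clear text.
        meta l4proto gre rt ipsec missing counter drop

        # GRE packets whose route does have an IPsec transform fall through
        # to the accept policy and leave the host as ESP after encryption.
    }
}
```

The `counter` makes drops visible in `nft list table inet gre_guard`, which helps confirm that the rule only fires while the IPsec SA is down.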