Todo #12289

closed

Update "IPsec Filter Mode" option values and help text to reflect that VTI mode also helps transport mode (e.g. GRE)

Added by Jim Pingle 3 months ago. Updated about 1 month ago.

Status: Resolved
Priority: Normal
Assignee:
Category: IPsec
Target version:
Start date:
Due date:
% Done: 100%
Estimated time:
Plus Target Version: 22.01
Release Notes: Default

Description

Turns out that the IPsec Filter Mode option on VPN > IPsec, Advanced Settings tab also works to allow two-way filtering of TCP and other traffic on Transport mode GRE tunnels, and presumably other similar transport mode scenarios. By default, this does not work (see #4479).

No technical changes are needed; only the option text and help text need to be updated to note the additional scenarios covered by the existing option.

Some other notes, not all are for the GUI, but may be useful in later documentation:

  • As with VTI, enabling this mode blocks all tunnel mode traffic so it's all or nothing -- either the user can filter on VTI and transport+GRE or they can filter on tunnel mode, but not both.
  • No way to see/capture the actual GRE traffic -- traffic captured on WAN is only IPsec IKE/ESP and such.
  • Rules to pass traffic between transport peers go on the WAN interface directly (e.g. to pass outer GRE traffic), but there isn't a way to conditionally filter the traffic based on whether or not IPsec is up yet.
  • Rules to pass tunneled GRE traffic go on assigned GRE interfaces as expected.
  • States for transport connections show on WAN, states for GRE show up on GRE -- both are logical but some people may expect to see states on the IPsec/enc interface which won't happen in this mode

Related issues

Related to Bug #4479: Firewall rules won't match GRE interface after applying IPSEC transport encryption on GRE tunnel (Status: New; Author: Luiz Souza; 02/27/2015)
