Page MenuHomeVyOS Platform

DMVPN IPSec allows cleartext GRE over the internet when reconnecting
In progress, HighPublicBUG


See forum post.

When DMVPN is configured with IPSec using the DMVPN docs, cleartext GRE packets are allowed over the internet before the IPSec tunnel comes back up after a network interruption.

After fixing the template file, one cleartext GRE packet leaks when I ping a spoke from the hub and reboot the target spoke (simulating a network failure or reboot with traffic to the spoke, as one would see in the real world). No GRE packets are leaked when pinging the hub from a spoke and rebooting the hub. The GRE cleartext packet always contains an NHRP Registration Request



in the dmvpn block of /usr/share/vyos/templates/ipsec/swanctl/profile.j2 seems to help this problem by drastically cutting back the number of GRE packets that make it through in the clear text. There are, however, still one or two packets that make it through encapsulated, but unencrypted. To ensure user data is not susceptible to interception:

  1. The aforementioned template file must be updated to set the DMVPN profile start_action parameter to trap.
  2. A command must be added to allow a user to block outbound unencrypted GRE traffic to ensure no unencrypted traffic is allowed out to the internet.


Difficulty level
Normal (likely a few hours)
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Behavior change
Issue type
Security vulnerability
Forum thread