Page MenuHomeVyOS Platform
Create Task
Maniphest T4694

Allow VyOS Firewall to Match Outbound IPSec Traffic
In progress, NormalPublicFEATURE REQUEST
Actions

Description

See https://forum.vyos.io/t/dmvpn-gre-routed-clear-text-when-ipsec-down/9190/24

Specifically, from here down

I would like to be able to block outbound unencrypted GRE and allow it through IPSec as shown in the linked comment.

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Feature (new functionality)
Forum thread
https://forum.vyos.io/t/outbound-ipsec-filtering-by-firewall-would-like-some-dev-opinions/14710

Related Objects

Event Timeline

jmarmorato created this task.Sep 14 2022, 1:40 PM
n.fort subscribed.Sep 14 2022, 2:22 PM

Do you have a proposed cli format?

Viacheslav subscribed.EditedSep 14 2022, 6:04 PM

There is PR https://github.com/vyos/vyos-1x/pull/1516 for T4667 but it brakes all GRE traffic

n.fort added a comment.Sep 14 2022, 6:18 PM

Interesting article on how and when to match ipsec options: https://thermalcircle.de/doku.php?id=blog:linux:nftables_demystifying_ipsec_expressions

pasik subscribed.Sep 14 2022, 7:02 PM
jmarmorato added a comment.Sep 18 2022, 10:06 PM

@n.fort Maybe set firewall name <name> rule <rule> ipsec match-gre? This feels a bit hacky though... Almost like match should be its own block and contain ipsec, none, or gre

dmbaturin triaged this task as Normal priority.Jan 10 2024, 10:47 PM
dmbaturin added a project: VyOS 1.5 Circinus.
syncer edited projects, added VyOS 1.4 Sagitta (1.4.0-GA); removed VyOS 1.4 Sagitta.May 7 2024, 8:03 AM
talmakion subscribed.Jun 9 2024, 9:39 AM

It looks like outbound encap can be matched via routing expressions:

$ sudo nft list table ip vyos_filter
table ip vyos_filter {
[...]
        chain VYOS_OUTPUT_filter {
                type filter hook output priority filter; policy accept;
                meta l4proto gre ip daddr 100.123.124.124 log prefix "[ipv4-OUT-filter-100-A]" counter packets 242 bytes 27374 accept comment "ipv4-OUT-filter-100"
                counter packets 705 bytes 187256 accept comment "OUT-filter default-action accept"
        }
}
$ sudo nft insert rule ip vyos_filter VYOS_OUTPUT_filter meta l4proto gre ip daddr 100.123.124.124 rt ipsec exists log prefix '"[ENCRYPTED]"' accept

Then we break the SA so traffic escapes IPsec and travels in the clear:

[  315.819291] [ENCRYPTED]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=13495 DF PROTO=47 
[  316.505888] [ENCRYPTED]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=13773 DF PROTO=47 
[  316.820681] [ENCRYPTED]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=14079 DF PROTO=47 
[  317.821953] [ipv4-OUT-filter-100-A]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=14916 DF PROTO=47 
[  318.841505] [ipv4-OUT-filter-100-A]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=15064 DF PROTO=47 
[...]
[  363.897509] [ipv4-OUT-filter-100-A]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=35778 DF PROTO=47 
[  364.921551] [ipv4-OUT-filter-100-A]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=36305 DF PROTO=47 
[  365.172589] [ENCRYPTED]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=154 TOS=0x00 PREC=0x00 TTL=64 ID=36537 DF PROTO=47 
[  365.173506] [ENCRYPTED]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=114 TOS=0x00 PREC=0x00 TTL=64 ID=36538 DF PROTO=47 
[  365.479231] [ENCRYPTED]IN= OUT=eth0.900 SRC=100.123.123.123 DST=100.123.124.124 LEN=112 TOS=0x00 PREC=0x00 TTL=64 ID=36548 DF PROTO=47

Timings match up with tcpdump output.

I'll see if I can whip up a couple of things off this:

  • A GRE header matcher, so firewall rules can match the option bits and fields in GRE (most interested in the tunnel key or lack thereof)
  • An outbound ipsec match-none/match-ipsec using route expressions
  • I'll need to double check some other scenarios, thus far I've only labbed DMVPN+GRE in transport mode on output. It's conceivable a separate outbound match is needed in forward as well, for raw IPsec tunnels, etc.

For DMVPN, being able to configure the firewall to match specific GRE tunnels and pick out whether they're headed into the maw of IPsec gives us enough functionality to fix this, manually.

It should be possible to do this automatically, maybe with an extra trap-unencrypted option attached to the profile->tunnel binding that will *only* block that specific tunnel def from exchanging unencrypted packets.

talmakion mentioned this in T4667: DMVPN IPSec allows cleartext GRE over the internet when reconnecting.Jun 9 2024, 9:49 AM
talmakion added a comment.Jun 11 2024, 11:32 AM

I have https://github.com/vyos/vyos-1x/pull/3616 and https://github.com/vyos/vyos-1x/pull/3637 as works in progress.

syncer changed the task status from Open to In progress.Jun 16 2024, 2:48 PM
syncer assigned this task to talmakion.
syncer set Forum thread to https://forum.vyos.io/t/outbound-ipsec-filtering-by-firewall-would-like-some-dev-opinions/14710.