The policy is set up (openswan configures it)

# ip xfrm poli
src 111.222.333.444/32 dst 444.333.222.111/32 proto gre
        dir out priority 2080
        tmpl src 111.222.333.444 dst 444.333.222.111
                proto esp reqid 16385 mode tunnel
src 444.333.222.111/32 dst 111.222.333.444/32 proto gre
        dir fwd priority 2080
        tmpl src 444.333.222.111 dst 111.222.333.444
                proto esp reqid 16385 mode tunnel

The issue is that IPsec is protecting a GRE tunnel and if IPsec fails for some reason, GRE will be happy to work without it, tunnelling everything in the clear. I was just hoping to put some kind of fail-safe in place so if IPsec stopped working or failed to start, unencrypted traffic wouldn't be transmitted.

I will try putting a filter on the ingress side to reject all GRE traffic so if it is not tunnelled in IPsec, it will get dropped. At least that way, tunnelled TCP sessions can't get set up.

On Thu, Jul 21, 2011 at 12:55 PM, Petr Pisar <petr.pisar@xxxxxxxx> wrote:
> On 2011-07-21, Ryan Whelan <rcwhelan@xxxxxxxxx> wrote:
>>
>> Is there a way to accomplish this? Maybe a way to only accept
>> non-esp packets if it is destined for the ipsec stack; is that possible?
>
> I know you ask about netfilter, but consider IPsec security policies
> (defined by setkey tool) can be used to force xfrm based on network or
> transport source or destination addresses.
>
> -- Petr
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html