summaryrefslogtreecommitdiff
path: root/docs/_static/css
diff options
context:
space:
mode:
authorzdc <zdc@users.noreply.github.com>2026-07-10 18:33:10 +0300
committerMergify <37929162+mergify[bot]@users.noreply.github.com>2026-07-10 15:35:14 +0000
commit95369571744d0166141d3cd5586d73c9fff6cfd3 (patch)
treebeca8051dfcfeb6d25eaf465e604456a9dfbc891 /docs/_static/css
parentf443773a818dc726fe281e62cfcde9bfbef50049 (diff)
downloadvyos-documentation-mergify/bp/circinus/pr-2136.tar.gz
vyos-documentation-mergify/bp/circinus/pr-2136.zip
docs(DMVPN): T4667: Add firewall rule to prevent unencrypted GRE leaks (#2136)mergify/bp/circinus/pr-2136
* docs(DMVPN): T4667: Add firewall rule to prevent unencrypted GRE leaks In DMVPN the mGRE tunnel and the IPSec protecting it are handled independently, so GRE can be forwarded while no IPSec SA is active for a peer (e.g. while an SA is still being negotiated or after one expires), allowing unencrypted GRE to leave the router. This is inherent to combining GRE with IPSec and is common to DMVPN implementations in general. Add a "Protecting against unencrypted traffic leaks" section to the DMVPN reference page explaining the behaviour and recommending an output filter rule that drops GRE not matched by an outbound IPSec policy (ipsec match-none-out). Note that this disables unencrypted GRE on the node entirely, so coexisting plain GRE tunnels would stop working. Apply the same rule in the Dual HUB Dual Cloud example on the VyOS nodes. Co-authored-by: Daniil Baturin <daniil@baturin.org> * docs(DMVPN): reflow DMVPN documentation for line length compliance Reformat the DMVPN guide and dual-hub dual-cloud example to wrap long lines and improve readability without changing the documented behavior or configuration guidance. --------- Co-authored-by: Daniil Baturin <daniil@baturin.org> (cherry picked from commit 50acf8f188475b0554b99a739cb8ada12d51e77b)
Diffstat (limited to 'docs/_static/css')
0 files changed, 0 insertions, 0 deletions