On Fri, Jun 1, 2018 at 11:51 AM Noel Kuntze <[email protected]> wrote:
> > I'd also check that under no circumstances can the hosts exchange
> > unencrypted traffic. This can happen for example if the tunnel goes down
> > and there's nothing to block unencrypted traffic. "auto=route" is a good
> > idea, as is blocking everything besides ESP with iptables.
> If you do that, nothing will work, because decapsulated packets are
> subject to iptables rules, too.

You're right, I hadn't considered a policy-based tunnel. All of the tunnels I administer use dynamic routing and a vti: the rules that block unencrypted traffic apply only to the ethernet interface. (Incidentally the tunnel interface makes packet captures easier.) "auto=route" should work regardless.
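As an added illustration of the route-based (vti) setup described above, not code posted in this thread: a script that generates an iptables ruleset allowing only IKE and ESP to the peer on the physical interface while accepting decapsulated traffic only on the vti, so cleartext cannot leak if the tunnel drops. Interface names (eth0, vti0) and the peer address are assumed placeholders; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Constructed example: generate (not apply) an iptables ruleset for a
# route-based IPsec tunnel. Assumed names: eth0 = physical interface,
# vti0 = tunnel interface, PEER = remote gateway (documentation-range placeholder).
WAN_IF="${WAN_IF:-eth0}"
VTI_IF="${VTI_IF:-vti0}"
PEER="${PEER:-203.0.113.2}"

# Emit the rules. Pipe into "sh" to apply on a host where you have reviewed them.
gen_rules() {
    cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Only IKE (UDP 500/4500) and ESP may cross the physical interface, and only with the peer
iptables -A INPUT -i $WAN_IF -s $PEER -p esp -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $PEER -p esp -j ACCEPT
iptables -A INPUT -i $WAN_IF -s $PEER -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $PEER -p udp -m multiport --dports 500,4500 -j ACCEPT
# Decapsulated packets appear on the vti, so plaintext is accepted only there
iptables -A INPUT -i $VTI_IF -j ACCEPT
iptables -A OUTPUT -o $VTI_IF -j ACCEPT
iptables -A FORWARD -i $VTI_IF -j ACCEPT
iptables -A FORWARD -o $VTI_IF -j ACCEPT
# Everything else on $WAN_IF (cleartext if the tunnel is down) hits the DROP policy
EOF
}

# Self-check: succeed (exit 0) only if no rule on the physical interface
# accepts anything other than ESP or UDP (IKE).
check_rules() {
    ! gen_rules | grep -E "^iptables" | grep -E -- "(-i|-o) $WAN_IF" \
        | grep -vE -- "-p (esp|udp)" | grep -q .
}

gen_rules
check_rules && echo "# OK: physical interface only passes IKE/ESP" >&2
```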
