I have a GRE tunnel configuration with OSPF tunneled through it.
One of the tunnel routes is on a very chatty link, and it seems to interfere (somehow) with IPsec tunnels on other IPs (and other devices) in its subnet.
(I'm really not seeing any other reason for other IPsec tunnels on its subnet constantly having their SAs expire, forcing the tunnels to start up again.)
Is it possible to restrict traffic on the link to its tunnel partner and their associated IPs? (Some sort of firewall deny rule?)
OK, I think I missed something really straightforward.
What I did was create an address group, a named firewall that drops all traffic by default, and a rule in the firewall to allow all traffic for only the IPs I wanted.
Is this sufficient?
group {
    address-group ACCESS-TUNNELS {
        address a.a.a.a
        address b.b.b.1-b.b.b.2
        address c.c.c.1
        address c.c.c.2
    }
}
name accessGreOspf-in {
    default-action drop
    rule 100 {
        action accept
        log enable
        protocol all
        source {
            group {
                address-group ACCESS-TUNNELS
            }
        }
    }
}
ethernet eth7 {
    address x.x.x.x/32
    description "GRE Leg 1"
    duplex auto
    firewall {
        in {
            name accessGreOspf-in
        }
        local {
        }
    }
    hw-id 52:54:00:ac:e2:66
    speed auto
}
ethernet eth8 {
    address y.y.y.y/30
    description "GRE leg 2"
    duplex auto
    firewall {
        in {
            name accessGreOspf-in
        }
        local {
        }
    }
    hw-id 52:54:00:10:3d:dc
    speed auto
}
Sorry, I must have missed this.
Do I need to change anything in the rules for it to be in the out direction?
And please, can you help me understand why it needs to be out?
Traffic entering on eth7 or eth8, destined for the remote location, will leave on the GRE tun interface.
So the filter on eth7/eth8 in the in-direction can be moved to the tun interface in the out-direction.
The rules themselves don't change, as source/destination aren't reversed.
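As an added example (not part of the thread and not the poster's running config), here is what that move looks like in the same config-tree syntax: the address group and the named firewall are carried over unchanged, and the filter is attached to the tunnel interface in the out direction instead of to eth7/eth8 in. The tunnel name tun0, the GRE endpoint placeholders x.x.x.x (local) and a.a.a.a (remote), and the VyOS 1.2/1.3-style `local-ip`/`remote-ip` keywords are assumptions; substitute the real tunnel from the poster's configuration.

```vyos
firewall {
    group {
        address-group ACCESS-TUNNELS {
            address a.a.a.a
            address b.b.b.1-b.b.b.2
            address c.c.c.1
            address c.c.c.2
        }
    }
    /* unchanged from the original eth7/eth8 filter: same source match, same default drop */
    name accessGreOspf-in {
        default-action drop
        rule 100 {
            action accept
            log enable
            protocol all
            source {
                group {
                    address-group ACCESS-TUNNELS
                }
            }
        }
    }
}
interfaces {
    /* assumed tunnel name and endpoint placeholders; not taken from the thread */
    tunnel tun0 {
        encapsulation gre
        local-ip x.x.x.x
        remote-ip a.a.a.a
        /* the same named rule set, now applied to packets leaving via the tunnel */
        firewall {
            out {
                name accessGreOspf-in
            }
        }
    }
}
```

In configure mode the move is two operations: `set interfaces tunnel tun0 firewall out name accessGreOspf-in` and `delete interfaces ethernet eth7 firewall in name` (likewise for eth8), then `commit`. On the tunnel interface the out-direction filter sees the packet before GRE encapsulation, i.e. the same inner packet that the in-direction filter on eth7/eth8 was matching, which is why the source match and the rule numbers can stay exactly as they are; the `-in` suffix on the firewall name is now only cosmetic.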