02-21-2009 04:38 AM - edited 03-04-2019 03:40 AM
On an IOS 1812 router I have a GRE tunnel (over IPSec) set up and it is working. The router connects to the internet through a PPPoE connection using Dialer0. The configuration of the tunnel is as follows:
interface Tunnel1
ip address 10.10.10.1 255.255.255.252
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1420
no ip mroute-cache
keepalive 10 3
tunnel source Dialer0
tunnel destination 1.2.3.4
end
Now I want to set up a firewall to only accept incoming SMTP traffic and otherwise use the CBAC firewall to inspect all outgoing traffic.
So basically I add these two lines to the tunnel interface: (10.1.0.2 is the LAN IP address of the local SMTP server)
access-list 101 permit tcp any host 10.1.0.2 eq smtp log
access-list 101 deny ip any any log
ip inspect name tunnelfw tcp
ip inspect name tunnelfw udp
ip inspect name tunnelfw icmp
interface Tunnel1
ip access-group 101 in
ip inspect tunnelfw out
end
This, however, does nothing at all. All traffic passes in both directions without problem through the tunnel. It is possible to connect from the remote side to any port on any IP address on the local LAN.
There is nothing logged, either, although the access-list has log statements.
If I add another access list for testing purposes to the out direction, I get all outgoing traffic properly logged:
access-list 102 permit ip any any log
interface Tunnel1
ip access-group 102 out
end
So it seems as if the GRE tunnel interface only allows outbound filtering but not inbound filtering. Is that true?
Even if I try this filtering:
access-list 101 deny ip any any log
interface Tunnel1
ip access-group 101 in
end
All traffic passes in although the access list should filter all.
So how do I filter the traffic which is arriving from the remote side through my GRE tunnel?
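As an added illustration that is not part of the original thread, the following Python evaluator parses the IOS-style access-list entries quoted above and applies first-match semantics (including IOS' implicit deny) to constructed packets, so the expected inbound result of ACL 101 (only SMTP to 10.1.0.2 permitted) can be checked against what is actually observed on the tunnel. The remote-side addresses and the port-keyword table are assumptions; only contiguous wildcard masks are supported.

```python
import ipaddress

# IOS port keywords used on this page plus a few common ones; numeric ports are accepted too.
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "ssh": 22}

def _parse_addr(tok, i):
    """Consume one IOS address spec: 'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # Wildcard-mask form; assumes a contiguous mask (the inverse of a subnet mask).
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    prefix_len = 32 - wildcard.bit_length()
    return ipaddress.ip_network((tok[i], prefix_len), strict=False), i + 2

def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT] [log]' into a dict."""
    tok = line.split()
    ace = {"acl": tok[1], "action": tok[2], "proto": tok[3], "dport": None}
    ace["src"], i = _parse_addr(tok, 4)
    ace["dst"], i = _parse_addr(tok, i)
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        ace["dport"] = PORT_NAMES[p] if p in PORT_NAMES else int(p)
        i += 2
    ace["log"] = i < len(tok) and tok[i] == "log"
    return ace

def evaluate(acl_id, config, pkt):
    """First-match evaluation of ACL acl_id over the config lines, ending in IOS' implicit deny.
    pkt = (proto, src, dst, dport). Returns (action, matching config line or None)."""
    proto, src, dst, dport = pkt[0], ipaddress.ip_address(pkt[1]), ipaddress.ip_address(pkt[2]), pkt[3]
    for line in config:
        if not line.startswith("access-list %s " % acl_id):
            continue
        ace = parse_ace(line)
        if (ace["proto"] in ("ip", proto) and src in ace["src"] and dst in ace["dst"]
                and (ace["dport"] is None or ace["dport"] == dport)):
            return ace["action"], line
    return "deny", None  # implicit deny; IOS never logs this one

# The ACL entries from the post (constructed packets are supplied by the caller).
CONFIG = [
    "access-list 101 permit tcp any host 10.1.0.2 eq smtp log",
    "access-list 101 deny ip any any log",
    "access-list 102 permit ip any any log",
]
```

Calling evaluate("101", CONFIG, ("tcp", "10.2.0.5", "10.1.0.2", 22)) returns a deny from the logging entry, which is the log line the poster expected but never saw.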
02-21-2009 09:55 AM
Hi, you can filter outbound on your LAN interface.
Unrelated, recommend you re-enable IP CEF, remove ip tcp mss-adjust from tunnel, put on LAN if instead.
You can also enable encryption for gre with "tunnel protect" instead of separated ipsec config.
02-22-2009 03:40 AM
Of course I could filter on the LAN interfaces. But I don't want to add filters on each of my VLANs to filter traffic which is arriving through a single tunnel interface. There must be a way to set this up or a specific reason why it does not work...
Similar for "ip tcp mss-adjust": why would I put it on LAN interfaces instead of on the interface which has the link which requires the setting? Moreover, other links have other mss-adjust settings. I cannot set multiple mss-adjust values on a single LAN interface unless I choose the lowest of all. But then I would use smaller MSS values than necessary on some paths.
I think it is not possible to use "tunnel protection" with an ipsec profile. If I set this, it does not change anything and there won't be an IPSec SA. All Cisco examples I have found use it in conjunction with "tunnel mode ipsec" which creates a plain IPSec tunnel and not a GRE tunnel.
02-22-2009 03:58 AM
Sometimes, things in IOS do not work as they are supposed to. You can fight for having TAC acknowledge that inbound ACL must work on the IOS you're using, or you can try a different IOS, or use a workaround. My suggestion was for the latter, for the sake of practicality.
With regard to mss-adjust, consider that to be effective, it must be on the interface that is input to the 'client', typically the LAN interface. If you have it on tunnel side toward 'client', you might not need it at all, test.
Wrt the different ways of doing gre over ipsec, there are many options, I was referring to 'tunnel protection' feature. See:
http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/P2P_GRE_IPSec/P2P_GRE_IPSec.html
02-22-2009 05:28 AM
I would only submit a TAC if I knew it was a bug. I thought there would be a few people here who filter the traffic which passes through a GRE tunnel and could tell if it should work or not.
Cisco documentation suggests "ip tcp mss-adjust" affects inbound and outbound traffic.
The link you have posted only once really mentions "tunnel protection" but never uses it in any of the examples.
02-22-2009 06:52 AM
Hi, yes inbound ACL should work.
I think I had tested that advertised TCP MSS is adjusted only for incoming packets on the interface where it's applied. You can verify on your own if you want. Note that on networks where path MTU discovery works, the command is not needed at all.
Here the reference for tunnel protection:
http://cisco.com/en/US/docs/ios/security/command/reference/sec_t2.html#wp1029882