When using IKEv2 with mode-config, it is quite complicated to avoid the LAN leaking to the Internet when the IPsec peer is down.
This is because the dynamic src-nat rule disappears when the peer is down, so the LAN traffic is routed unencrypted to the Internet through the default route gateway.
The workaround is to create a new default route with policy routing for the LAN traffic that needs encryption before reaching the Internet, and to use a bridge with no ports as its gateway.
This way, when the peer is down, the LAN traffic cannot be routed to the Internet because the bridge has no output port.
When the peer is up, the LAN traffic is routed to the bridge, then goes through the MPLS check and the IP check, where it enters IP routing and reaches postrouting. At the exit of postrouting it is caught by the IPsec policy and sent to the Internet with a new routing decision after IPsec encryption.
This is the only way LAN traffic can leave through the blackhole bridge gateway.
The drawback of this solution is that no ICMP network unreachable is sent back, so users have to wait for an HTTP session timeout, for example, before they know there is a connection problem.
It would be simpler to have an option in the mode-config setup that creates a dynamic firewall filter rule when the peer is down.
This could be a dynamic rule in the raw prerouting chain with a jump to a configurable chain, so that leaking traffic can be dropped there, or in the forward chain, so that a reject action with ICMP network unreachable can be used, for example.
This seems important to me because:
- the workaround is not obvious to find (except perhaps for very advanced users)
- this kind of IPsec setup will produce LAN leaks when the IPsec peer is down
- this is even more important because a down IPsec peer will silently reroute the LAN traffic unencrypted to the default Internet gateway. That can translate into a security disaster.
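As an added example (not from the original post), here is RouterOS v7 CLI for the port-less bridge workaround described above, followed by a static forward rule that approximates the requested behaviour by rejecting LAN packets that are not covered by an outbound IPsec policy. Assumed names and addresses: LAN subnet 192.168.10.0/24, WAN interface ether1, bridge "blackhole", routing table "vpn"; the IPsec policy is assumed to cover all LAN-to-Internet traffic.

```routeros
# Added example, not the original poster's configuration.
# Assumptions: LAN 192.168.10.0/24, WAN ether1, bridge "blackhole",
# routing table "vpn", IPsec policy covers all LAN-to-Internet traffic.

# --- Workaround from the post: default route into a bridge with no ports ---

# 1. A bridge with no member ports: packets routed to it cannot leave.
/interface bridge
add name=blackhole protocol-mode=none

# 2. A separate routing table whose only default route points at that bridge.
#    While the peer is up, the packet is caught by the IPsec policy after
#    postrouting and re-routed (encrypted) via the main table.
/routing table
add name=vpn fib

/ip route
add dst-address=0.0.0.0/0 gateway=blackhole routing-table=vpn

# 3. LAN sources may only use the "vpn" table, with no fallback to main,
#    so the missing dynamic src-nat can never push them to the default gateway.
/routing rule
add src-address=192.168.10.0/24 action=lookup-only-in-table table=vpn

# --- Alternative with fast failure: reject instead of blackholing ---

# Used on its own (without steps 1-3), this rule matches LAN packets about
# to leave the WAN interface that are NOT matched by any outbound IPsec
# policy, i.e. exactly the case where the peer is down and the dynamic
# policy has disappeared. Rejecting with ICMP network unreachable lets
# clients fail immediately instead of waiting for application timeouts.
/ip firewall filter
add chain=forward src-address=192.168.10.0/24 out-interface=ether1 \
    ipsec-policy=out,none action=reject reject-with=icmp-network-unreachable \
    comment="reject unencrypted LAN egress while the IPsec peer is down"
```

Verify after applying: with the peer up, `/ip firewall filter print stats` should show no hits on the reject rule; with the peer disconnected, a LAN client should get "Network is unreachable" instead of a silent timeout.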