Now I wanted to create firewall rules that only allow ESP and UDP 500 packets between these two peers, to make sure any non-encrypted packets don't leak on the untrusted side of the routers.
This was never a problem back in the old days when Linux was using KLIPS for IPsec, which gave me an ipsec0 interface that the tunnel traffic was sent and received on.
However, I suspect ROS is using NETKEY, where it seems like there are no virtual IPsec interfaces any longer. That means that in my case both the IPIP traffic generated by the router and the resulting ESP packets after encryption appear to be leaving on the same interface (Ether1).
I wanted to have three simple rules like:
chain=output action=accept protocol=ipsec-esp out-interface=ether1
chain=output action=accept protocol=udp out-interface=ether1 dst-port=500
chain=output action=drop out-interface=ether1
So, how do I write a rule that stops unencrypted IPIP traffic from leaving the router on Ether1, while allowing the ESP traffic to leave?
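An added example (not part of the original post) of how the output chain could be written in RouterOS so that the plaintext IPIP packet and its encrypted ESP counterpart are handled separately; it assumes a RouterOS version that offers the ipsec-policy firewall matcher, that IPIP is the only plaintext traffic covered by the IPsec policy, and uses PEER_IP as a placeholder for the remote peer's address (ether1 is the interface named in the post).

```routeros
# Added example: RouterOS output-chain rules for ether1 (interface name from the post).
# With NETKEY there is no ipsec0, so the firewall sees the tunnel packet twice:
# first as plaintext IPIP (protocol ipencap, IP protocol 4), then again as ESP
# after encryption. The ipsec-policy matcher tells the two apart:
#   out,ipsec  = plaintext that an outbound IPsec policy is about to encrypt
#   out,none   = plaintext that would leave the router in the clear
/ip firewall filter
# IKE negotiation with the peer (PEER_IP is a placeholder, not a real address).
add chain=output out-interface=ether1 protocol=udp dst-port=500 dst-address=PEER_IP \
    action=accept comment="IKE to peer"
# Encrypted tunnel traffic.
add chain=output out-interface=ether1 protocol=ipsec-esp dst-address=PEER_IP \
    action=accept comment="ESP to peer"
# Plaintext IPIP that matches an outbound IPsec policy: it will be encrypted
# before it reaches the wire, so let it continue.
add chain=output out-interface=ether1 protocol=ipencap ipsec-policy=out,ipsec \
    action=accept comment="IPIP about to be encrypted"
# Plaintext IPIP with no matching policy (policy disabled, misconfigured, or no
# SA established): this is exactly the leak to prevent, so log it and drop it.
add chain=output out-interface=ether1 protocol=ipencap ipsec-policy=out,none \
    action=drop log=yes log-prefix="IPIP-LEAK" comment="unencrypted IPIP"
# Everything else leaving ether1 is dropped, as in the original three-rule idea.
add chain=output out-interface=ether1 action=drop log=yes log-prefix="OUT-DROP"
```

Check the rule counters with `/ip firewall filter print stats` and watch `/log` for the IPIP-LEAK prefix: with the tunnel up, only the first three rules should be counting traffic. If NAT traversal is in use, UDP 4500 needs the same treatment as UDP 500.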