2013-03-11 18:20:33 +01:00
|
|
|
# GRE + IPsec on Debian based distros
|
|
|
|
|
|
|
|
* Install racoon from ipsec-tools.
|
|
|
|
* Define an IPsec security policy in /etc/ipsec-tools.conf
|
|
|
|
* Load the IPsec security policy into the IPsec security policy database.
|
|
|
|
* Configure the racoon daemon.
|
|
|
|
* Configure a GRE tunnel.
|
|
|
|
|
|
|
|
## Used resources in this example:
|
|
|
|
* tunnel endpoints: 1.2.3.4 and 5.6.7.8
|
|
|
|
* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2
|
|
|
|
|
|
|
|
## Define an IPsec security policy
|
|
|
|
Example policy on 1.2.3.4:
|
|
|
|
```
|
|
|
|
#!/usr/sbin/setkey -f
|
|
|
|
spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
|
|
|
|
spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
|
2013-03-11 18:23:07 +01:00
|
|
|
```
|
2013-03-11 18:32:14 +01:00
|
|
|
Change the direction on 5.6.7.8.
|
2013-03-11 18:23:07 +01:00
|
|
|
|
|
|
|
## Load the IPsec security policy into the IPsec security policy database
|
|
|
|
Load the policy with the setkey command.
|
|
|
|
```
|
|
|
|
setkey -f /etc/ipsec-tools.conf
|
|
|
|
```
|
|
|
|
Afterward check the policy database with:
|
|
|
|
```
|
|
|
|
setkey -DP
|
|
|
|
```
|
2013-03-11 18:32:14 +01:00
|
|
|
|
|
|
|
## Configure the racoon daemon
|
2013-03-11 18:35:37 +01:00
|
|
|
An example /etc/racoon/racoon.conf.
|
2013-03-11 18:32:14 +01:00
|
|
|
```
|
|
|
|
path pre_shared_key "/etc/racoon/psk.txt";
|
|
|
|
path certificate "/etc/racoon/certs";
|
|
|
|
log info;
|
|
|
|
|
|
|
|
listen {
|
|
|
|
# replace with local tunnel endpoint
|
|
|
|
isakmp 1.2.3.4 [500];
|
|
|
|
isakmp_natt 1.2.3.4 [4500];
|
|
|
|
}
|
|
|
|
|
|
|
|
# replace with remote tunnel endpoint
|
|
|
|
remote 5.6.7.8 [500] {
|
|
|
|
exchange_mode main;
|
|
|
|
proposal_check strict;
|
|
|
|
my_identifier asn1dn;
|
|
|
|
peers_identifier asn1dn;
|
|
|
|
lifetime time 1 hour;
|
|
|
|
certificate_type x509 "local.crt" "local.key";
|
|
|
|
peers_certfile x509 "remote.crt";
|
|
|
|
ca_type x509 "ca.crt";
|
|
|
|
verify_cert on;
|
|
|
|
send_cert off;
|
|
|
|
send_cr off;
|
|
|
|
|
|
|
|
proposal {
|
|
|
|
encryption_algorithm aes 256;
|
|
|
|
hash_algorithm sha256;
|
|
|
|
authentication_method rsasig;
|
|
|
|
dh_group modp4096;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2013-03-11 21:55:56 +01:00
|
|
|
# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number
|
2013-03-11 21:49:07 +01:00
|
|
|
sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
|
2013-03-11 18:32:14 +01:00
|
|
|
pfs_group modp4096;
|
|
|
|
lifetime time 1 hour;
|
|
|
|
encryption_algorithm aes 256;
|
|
|
|
authentication_algorithm hmac_sha1;
|
|
|
|
compression_algorithm deflate;
|
2013-03-11 18:35:37 +01:00
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
## Configure a GRE tunnel
|
|
|
|
Add this to /etc/network/interfaces:
|
|
|
|
```
|
2013-03-18 22:21:23 +01:00
|
|
|
auto gre1
|
|
|
|
iface gre1 inet static
|
2013-03-11 18:35:37 +01:00
|
|
|
address 10.0.0.1
|
|
|
|
netmask 255.255.255.255
|
2013-03-18 22:21:23 +01:00
|
|
|
up ifconfig gre1 multicast
|
|
|
|
pre-up ip tunnel add gre1 mode gre local 1.2.3.4 remote 5.6.7.8 ttl 255
|
2013-03-11 18:35:37 +01:00
|
|
|
pointtopoint 10.0.0.2
|
2013-03-18 22:21:23 +01:00
|
|
|
post-down ip tunnel del gre1
|
2013-03-11 18:35:37 +01:00
|
|
|
```
|