1
mirror of https://git.dn42.dev/wiki/wiki.git synced 2024-12-14 01:49:55 +01:00
wiki/gre-plus-ipsec-debian.md

89 lines
2.3 KiB
Markdown
Raw Normal View History

# GRE + IPsec on Debian based distros
* Install racoon from ipsec-tools.
* Define an IPsec security policy in /etc/ipsec-tools.conf
* Load the IPsec security policy into the IPsec security policy database.
* Configure the racoon daemon.
* Configure a GRE tunnel.
## Used resources in this example:
* tunnel endpoints: 1.2.3.4 and 5.6.7.8
* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2
## Define an IPsec security policy
Example policy on 1.2.3.4:
```
#!/usr/sbin/setkey -f
spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
```
Change the direction on 5.6.7.8.
## Load the IPsec security policy into the IPsec security policy database
Load the policy with the setkey command.
```
setkey -f /etc/ipsec-tools.conf
```
Afterward check the policy database with:
```
setkey -DP
```
## Configure the racoon daemon
An example /etc/racoon/racoon.conf.
```
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
log info;
listen {
# replace with local tunnel endpoint
isakmp 1.2.3.4 [500];
isakmp_natt 1.2.3.4 [4500];
}
# replace with remote tunnel endpoint
remote 5.6.7.8 [500] {
exchange_mode main;
proposal_check strict;
my_identifier asn1dn;
peers_identifier asn1dn;
lifetime time 1 hour;
certificate_type x509 "local.crt" "local.key";
peers_certfile x509 "remote.crt";
ca_type x509 "ca.crt";
verify_cert on;
send_cert off;
send_cr off;
proposal {
encryption_algorithm aes 256;
hash_algorithm sha256;
authentication_method rsasig;
dh_group modp4096;
}
}
2013-03-11 21:55:56 +01:00
# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number
sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
pfs_group modp4096;
lifetime time 1 hour;
encryption_algorithm aes 256;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
```
## Configure a GRE tunnel
Add this to /etc/network/interfaces:
```
auto gre1
iface gre1 inet static
address 10.0.0.1
netmask 255.255.255.255
up ifconfig gre1 multicast
pre-up ip tunnel add gre1 mode gre local 1.2.3.4 remote 5.6.7.8 ttl 255
pointtopoint 10.0.0.2
post-down ip tunnel del gre1
```