2013-01-02 21:49:44 +01:00
# GRE+IPsec
## Why GRE?
* [GRE](https://en.wikipedia.org/wiki/GRE) provides universal encapsulation on top of IP.
* It has a smaller header than UDP.
* GRE tunnels are processed in-kernel on *nix systems.
* It's supported by hardware routers.
## Why IPsec?
* GRE provides no encryption or authentication of its own.
* IPsec is implemented in-kernel on FreeBSD and Linux with multithreaded encryption, resulting in lower latency than userspace VPN daemons that use tun/tap interfaces.
## Problems with GRE
* GRE is defined directly on top of IP.
* Broken NAPT implementations will stop GRE tunnels.
## Problems with IPsec
* ESP is defined directly on top of IP.
* NAT support was added as an afterthought to IPsec.
* IKEv1 is too complex.
* Racoon has useless error messages.
## Requirements for sane operation
* Identify your peers by X.509 certificates
* At least one peer should operate his own (Sub-)CA.
## How to configure a GRE tunnel on FreeBSD
See [GRE on FreeBSD](gre-on-freebsd).
## How to configure IPsec on FreeBSD
See [IPsec on FreeBSD](ipsec-on-freebsd).
## How to configure GRE + IPsec on Debian
See [GRE + IPsec on Debian](gre-plus-ipsec-debian).