wiki/howto/GRE-plus-IPsec-Debian.md

# GRE + IPsec on Debian based distros

* Install racoon from ipsec-tools.
* Define an IPsec security policy in /etc/ipsec-tools.conf
* Load the IPsec security policy into the IPsec security policy database.
* Configure the racoon daemon.
* Configure a GRE tunnel.

## Used resources in this example:
* tunnel endpoints: 1.2.3.4 and 5.6.7.8
* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2

## Define an IPsec security policy
Example policy on 1.2.3.4:
```bash
#!/usr/sbin/setkey -f
spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
spdadd 5.6.7.8 1.2.3.4 gre -P in  ipsec esp/transport//require;
```
Change the direction on 5.6.7.8.

## Load the IPsec security policy into the IPsec security policy database
Load the policy with the setkey command.
```
setkey -f /etc/ipsec-tools.conf
```
Afterward check the policy database with:
```
setkey -DP
```

## Configure the racoon daemon
An example /etc/racoon/racoon.conf.
```
path pre_shared_key "/etc/racoon/psk.txt";
path certificate    "/etc/racoon/certs";
log info;

listen {
  # replace with local tunnel endpoint
  isakmp      1.2.3.4 [500];
  isakmp_natt 1.2.3.4 [4500];
}

# replace with remote tunnel endpoint
remote 5.6.7.8 [500] {
  exchange_mode    main;
  proposal_check   strict;
  my_identifier    asn1dn;
  peers_identifier asn1dn;
  lifetime         time 1 hour;
  certificate_type x509 "local.crt" "local.key";
  peers_certfile   x509 "remote.crt";
  ca_type          x509 "ca.crt";
  verify_cert      on;
  send_cert        off;
  send_cr          off;
  
  proposal {
    encryption_algorithm  aes 256;
    hash_algorithm        sha256;
    authentication_method rsasig;
    dh_group              modp4096;
  }
}

# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number
sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
  pfs_group                modp4096;
  lifetime                 time 1 hour;
  encryption_algorithm     aes 256;
  authentication_algorithm hmac_sha1;
  compression_algorithm    deflate;
}
```

## Configure a GRE tunnel
Add this to /etc/network/interfaces:
```
auto gre1
iface gre1 inet tunnel
  mode gre
  netmask 255.255.255.255
  address 10.0.0.1
  dstaddr 10.0.0.2
  endpoint 5.6.7.8
  local 1.2.3.4
  ttl 255
```
Created gre plus ipsec debian (markdown) 2013-03-11 18:20:33 +01:00			`# GRE + IPsec on Debian based distros`

			`* Install racoon from ipsec-tools.`
			`* Define an IPsec security policy in /etc/ipsec-tools.conf`
			`* Load the IPsec security policy into the IPsec security policy database.`
			`* Configure the racoon daemon.`
			`* Configure a GRE tunnel.`

			`## Used resources in this example:`
			`* tunnel endpoints: 1.2.3.4 and 5.6.7.8`
			`* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2`

			`## Define an IPsec security policy`
			`Example policy on 1.2.3.4:`
Updated gre-plus-ipsec-debian (markdown) 2013-11-15 00:16:13 +01:00			```bash
Created gre plus ipsec debian (markdown) 2013-03-11 18:20:33 +01:00			`#!/usr/sbin/setkey -f`
			`spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;`
			`spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:23:07 +01:00			```
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:32:14 +01:00			`Change the direction on 5.6.7.8.`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:23:07 +01:00
			`## Load the IPsec security policy into the IPsec security policy database`
			`Load the policy with the setkey command.`
			```
			`setkey -f /etc/ipsec-tools.conf`
			```
			`Afterward check the policy database with:`
			```
			`setkey -DP`
			```
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:32:14 +01:00
			`## Configure the racoon daemon`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:35:37 +01:00			`An example /etc/racoon/racoon.conf.`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:32:14 +01:00			```
			`path pre_shared_key "/etc/racoon/psk.txt";`
			`path certificate "/etc/racoon/certs";`
			`log info;`

			`listen {`
			`# replace with local tunnel endpoint`
			`isakmp 1.2.3.4 [500];`
			`isakmp_natt 1.2.3.4 [4500];`
			`}`

			`# replace with remote tunnel endpoint`
			`remote 5.6.7.8 [500] {`
			`exchange_mode main;`
			`proposal_check strict;`
			`my_identifier asn1dn;`
			`peers_identifier asn1dn;`
			`lifetime time 1 hour;`
			`certificate_type x509 "local.crt" "local.key";`
			`peers_certfile x509 "remote.crt";`
			`ca_type x509 "ca.crt";`
			`verify_cert on;`
			`send_cert off;`
			`send_cr off;`

			`proposal {`
			`encryption_algorithm aes 256;`
			`hash_algorithm sha256;`
			`authentication_method rsasig;`
			`dh_group modp4096;`
			`}`
			`}`

fix comment too 2013-03-11 21:55:56 +01:00			`# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 21:49:07 +01:00			`sainfo address 1.2.3.4 47 address 5.6.7.8 47 {`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:32:14 +01:00			`pfs_group modp4096;`
			`lifetime time 1 hour;`
			`encryption_algorithm aes 256;`
			`authentication_algorithm hmac_sha1;`
			`compression_algorithm deflate;`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:35:37 +01:00			`}`
			```

			`## Configure a GRE tunnel`
			`Add this to /etc/network/interfaces:`
			```
Updated gre-plus-ipsec-debian (markdown) 2013-03-18 22:21:23 +01:00			`auto gre1`
typo gefixt 2013-09-14 02:28:09 +02:00			`iface gre1 inet tunnel`
unter debian gre tunnels besser mit tunnel als mit static konfigurieren 2013-09-14 02:27:13 +02:00			`mode gre`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:35:37 +01:00			`netmask 255.255.255.255`
unter debian gre tunnels besser mit tunnel als mit static konfigurieren 2013-09-14 02:27:13 +02:00			`address 10.0.0.1`
			`dstaddr 10.0.0.2`
			`endpoint 5.6.7.8`
			`local 1.2.3.4`
			`ttl 255`
Updated gre-plus-ipsec-debian (markdown) 2013-03-11 18:35:37 +01:00			```