16175e60869e30a467cb38463d2aea696b6bc823
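--- a/howto/GRE-plus-IPsec-Debian.md
+++ b/howto/GRE-plus-IPsec-Debian.md
@@ -1,89 +0,0 @@
-# GRE + IPsec on Debian based distros
-
-* Install racoon from ipsec-tools.
-* Define an IPsec security policy in /etc/ipsec-tools.conf
-* Load the IPsec security policy into the IPsec security policy database.
-* Configure the racoon daemon.
-* Configure a GRE tunnel.
-
-## Used resources in this example:
-* tunnel endpoints: 1.2.3.4 and 5.6.7.8
-* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2
-
-## Define an IPsec security policy
-Example policy on 1.2.3.4:
-```bash
-#!/usr/sbin/setkey -f
-spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
-spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
-```
-Change the direction on 5.6.7.8.
-
-## Load the IPsec security policy into the IPsec security policy database
-Load the policy with the setkey command.
-```
-setkey -f /etc/ipsec-tools.conf
-```
-Afterward check the policy database with:
-```
-setkey -DP
-```
-
-## Configure the racoon daemon
-An example /etc/racoon/racoon.conf.
-```
-path pre_shared_key "/etc/racoon/psk.txt";
-path certificate "/etc/racoon/certs";
-log info;
-
-listen {
- # replace with local tunnel endpoint
- isakmp 1.2.3.4 [500];
- isakmp_natt 1.2.3.4 [4500];
-}
-
-# replace with remote tunnel endpoint
-remote 5.6.7.8 [500] {
- exchange_mode main;
- proposal_check strict;
- my_identifier asn1dn;
- peers_identifier asn1dn;
- lifetime time 1 hour;
- certificate_type x509 "local.crt" "local.key";
- peers_certfile x509 "remote.crt";
- ca_type x509 "ca.crt";
- verify_cert on;
- send_cert off;
- send_cr off;
-
- proposal {
- encryption_algorithm aes 256;
- hash_algorithm sha256;
- authentication_method rsasig;
- dh_group modp4096;
- }
-}
-
-# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number
-sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
- pfs_group modp4096;
- lifetime time 1 hour;
- encryption_algorithm aes 256;
- authentication_algorithm hmac_sha1;
- compression_algorithm deflate;
-}
-```
-
-## Configure a GRE tunnel
-Add this to /etc/network/interfaces:
-```
-auto gre1
-iface gre1 inet tunnel
- mode gre
- netmask 255.255.255.255
- address 10.0.0.1
- dstaddr 10.0.0.2
- endpoint 5.6.7.8
- local 1.2.3.4
- ttl 255
-```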
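--- a/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
+++ b/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian.md
@@ -0,0 +1,89 @@
+# GRE + IPsec on Debian based distros
+
+* Install racoon from ipsec-tools.
+* Define an IPsec security policy in /etc/ipsec-tools.conf
+* Load the IPsec security policy into the IPsec security policy database.
+* Configure the racoon daemon.
+* Configure a GRE tunnel.
+
+## Used resources in this example:
+* tunnel endpoints: 1.2.3.4 and 5.6.7.8
+* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2
+
+## Define an IPsec security policy
+Example policy on 1.2.3.4:
+```bash
+#!/usr/sbin/setkey -f
+spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
+spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
+```
+Change the direction on 5.6.7.8.
+
+## Load the IPsec security policy into the IPsec security policy database
+Load the policy with the setkey command.
+```
+setkey -f /etc/ipsec-tools.conf
+```
+Afterward check the policy database with:
+```
+setkey -DP
+```
+
+## Configure the racoon daemon
+An example /etc/racoon/racoon.conf.
+```
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+log info;
+
+listen {
+ # replace with local tunnel endpoint
+ isakmp 1.2.3.4 [500];
+ isakmp_natt 1.2.3.4 [4500];
+}
+
+# replace with remote tunnel endpoint
+remote 5.6.7.8 [500] {
+ exchange_mode main;
+ proposal_check strict;
+ my_identifier asn1dn;
+ peers_identifier asn1dn;
+ lifetime time 1 hour;
+ certificate_type x509 "local.crt" "local.key";
+ peers_certfile x509 "remote.crt";
+ ca_type x509 "ca.crt";
+ verify_cert on;
+ send_cert off;
+ send_cr off;
+
+ proposal {
+ encryption_algorithm aes 256;
+ hash_algorithm sha256;
+ authentication_method rsasig;
+ dh_group modp4096;
+ }
+}
+
+# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number
+sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
+ pfs_group modp4096;
+ lifetime time 1 hour;
+ encryption_algorithm aes 256;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}
+```
+
+## Configure a GRE tunnel
+Add this to /etc/network/interfaces:
+```
+auto gre1
+iface gre1 inet tunnel
+ mode gre
+ netmask 255.255.255.255
+ address 10.0.0.1
+ dstaddr 10.0.0.2
+ endpoint 5.6.7.8
+ local 1.2.3.4
+ ttl 255
+```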