c2aff3fcdd9e07cffb8b7af538d19058a9eb8c95
howto/GRE-plus-IPsec.md
... | ... | @@ -0,0 +1,34 @@ |
1 | +# GRE+IPsec |
|
2 | + |
|
3 | +## Why GRE? |
|
4 | +* [GRE](https://en.wikipedia.org/wiki/GRE) provides universal encapsulation on top of IP. |
|
5 | +* It has a smaller header than UDP. |
|
6 | +* GRE tunnels are processed in-kernel on *nix systems. |
|
7 | +* It's supported by hardware routers. |
|
8 | + |
|
9 | +## Why IPsec? |
|
10 | +* GRE provides no encryption and authentication of it's own. |
|
11 | +* IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces. |
|
12 | + |
|
13 | +## Problems with GRE |
|
14 | +* GRE is defined directly on top of IP. |
|
15 | +* Broken NAPT implementations will stop GRE tunnels. |
|
16 | + |
|
17 | +## Problems with IPsec |
|
18 | +* ESP is defined directly on top of IP. |
|
19 | +* NAT support was added as an aftertought to IPsec. |
|
20 | +* IKEv1 is too complex. |
|
21 | +* Racoon has useless error messages. |
|
22 | + |
|
23 | +## Requirements for sane operation |
|
24 | +* Identify your peers by X.509 certificates |
|
25 | +* At least one peer should operate his own (Sub-)CA. |
|
26 | + |
|
27 | +## How to configure a GRE tunnel on FreeBSD |
|
28 | +See [GRE on FreeBSD](gre-on-freebsd). |
|
29 | + |
|
30 | +## How to configure IPsec on FreeBSD |
|
31 | +See [IPsec on FreeBSD](ipsec-on-freebsd). |
|
32 | + |
|
33 | +## How to configure GRE + IPsec on Debian |
|
34 | +See [GRE + IPsec on Debian](gre-plus-ipsec-debian). |
|
... | ... | \ No newline at end of file |
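Review bot: three typos are carried over unchanged into the new file and should be fixed while the page is being touched: line 10 "of it's own" should read "of its own", line 11 "IPsec in implemented" should read "IPsec is implemented", and line 19 "aftertought" should read "afterthought". The file also still ends without a trailing newline. On content, line 20 lists IKEv1's complexity as a problem, but the "Requirements for sane operation" section (lines 23-25) does not say which IKE version a reader should configure; a third bullet stating that would close the gap. Line 24 is also the only bullet in the file without a terminating period.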
howto/gre-plus-ipsec.md
... | ... | @@ -1,34 +0,0 @@ |
1 | -# GRE+IPsec |
|
2 | - |
|
3 | -## Why GRE? |
|
4 | -* [GRE](https://en.wikipedia.org/wiki/GRE) provides universal encapsulation on top of IP. |
|
5 | -* It has a smaller header than UDP. |
|
6 | -* GRE tunnels are processed in-kernel on *nix systems. |
|
7 | -* It's supported by hardware routers. |
|
8 | - |
|
9 | -## Why IPsec? |
|
10 | -* GRE provides no encryption and authentication of it's own. |
|
11 | -* IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces. |
|
12 | - |
|
13 | -## Problems with GRE |
|
14 | -* GRE is defined directly on top of IP. |
|
15 | -* Broken NAPT implementations will stop GRE tunnels. |
|
16 | - |
|
17 | -## Problems with IPsec |
|
18 | -* ESP is defined directly on top of IP. |
|
19 | -* NAT support was added as an aftertought to IPsec. |
|
20 | -* IKEv1 is too complex. |
|
21 | -* Racoon has useless error messages. |
|
22 | - |
|
23 | -## Requirements for sane operation |
|
24 | -* Identify your peers by X.509 certificates |
|
25 | -* At least one peer should operate his own (Sub-)CA. |
|
26 | - |
|
27 | -## How to configure a GRE tunnel on FreeBSD |
|
28 | -See [GRE on FreeBSD](gre-on-freebsd). |
|
29 | - |
|
30 | -## How to configure IPsec on FreeBSD |
|
31 | -See [IPsec on FreeBSD](ipsec-on-freebsd). |
|
32 | - |
|
33 | -## How to configure GRE + IPsec on Debian |
|
34 | -See [GRE + IPsec on Debian](gre-plus-ipsec-debian). |
|
... | ... | \ No newline at end of file |
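Review bot: the removed content is line-for-line identical to what is added under howto/GRE-plus-IPsec.md, so this is a pure case-changing rename, and nothing in the visible change leaves a redirect or stub at the old lowercase path. Any page that links to `gre-plus-ipsec` will break where paths are case-sensitive, so inbound links should be checked and updated as part of this change. The new mixed-case name is also inconsistent with the sibling pages this file links to on lines 28, 31 and 34 (`gre-on-freebsd`, `ipsec-on-freebsd`, `gre-plus-ipsec-debian`), which remain lowercase; either keep the lowercase name or rename the siblings to match.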