gre-plus-ipsec-debian.md
@@ -1,89 +0,0 @@
1
-# GRE + IPsec on Debian based distros
2
-
3
-* Install racoon from ipsec-tools.
4
-* Define an IPsec security policy in /etc/ipsec-tools.conf
5
-* Load the IPsec security policy into the IPsec security policy database.
6
-* Configure the racoon daemon.
7
-* Configure a GRE tunnel.
8
-
9
-## Used resources in this example:
10
-* tunnel endpoints: 1.2.3.4 and 5.6.7.8
11
-* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2
12
-
13
-## Define an IPsec security policy
14
-Example policy on 1.2.3.4:
15
-```bash
16
-#!/usr/sbin/setkey -f
17
-spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
18
-spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
19
-```
20
-Change the direction on 5.6.7.8.
21
-
22
-## Load the IPsec security policy into the IPsec security policy database
23
-Load the policy with the setkey command.
24
-```
25
-setkey -f /etc/ipsec-tools.conf
26
-```
27
-Afterward check the policy database with:
28
-```
29
-setkey -DP
30
-```
31
-
32
-## Configure the racoon daemon
33
-An example /etc/racoon/racoon.conf.
34
-```
35
-path pre_shared_key "/etc/racoon/psk.txt";
36
-path certificate "/etc/racoon/certs";
37
-log info;
38
-
39
-listen {
40
- # replace with local tunnel endpoint
41
- isakmp 1.2.3.4 [500];
42
- isakmp_natt 1.2.3.4 [4500];
43
-}
44
-
45
-# replace with remote tunnel endpoint
46
-remote 5.6.7.8 [500] {
47
- exchange_mode main;
48
- proposal_check strict;
49
- my_identifier asn1dn;
50
- peers_identifier asn1dn;
51
- lifetime time 1 hour;
52
- certificate_type x509 "local.crt" "local.key";
53
- peers_certfile x509 "remote.crt";
54
- ca_type x509 "ca.crt";
55
- verify_cert on;
56
- send_cert off;
57
- send_cr off;
58
-
59
- proposal {
60
- encryption_algorithm aes 256;
61
- hash_algorithm sha256;
62
- authentication_method rsasig;
63
- dh_group modp4096;
64
- }
65
-}
66
-
67
-# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number
68
-sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
69
- pfs_group modp4096;
70
- lifetime time 1 hour;
71
- encryption_algorithm aes 256;
72
- authentication_algorithm hmac_sha1;
73
- compression_algorithm deflate;
74
-}
75
-```
76
-
77
-## Configure a GRE tunnel
78
-Add this to /etc/network/interfaces:
79
-```
80
-auto gre1
81
-iface gre1 inet tunnel
82
- mode gre
83
- netmask 255.255.255.255
84
- address 10.0.0.1
85
- dstaddr 10.0.0.2
86
- endpoint 5.6.7.8
87
- local 1.2.3.4
88
- ttl 255
89
-```
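Review bot: this hunk deletes the file verbatim while the second hunk re-adds the identical 89 lines under howto/, so the change is a pure move; recording it as a rename (git mv, or reviewing with rename detection enabled) keeps the file's history attached instead of presenting a full delete and re-add.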
howto/gre-plus-ipsec-debian.md
@@ -0,0 +1,89 @@
1
+# GRE + IPsec on Debian based distros
2
+
3
+* Install racoon from ipsec-tools.
4
+* Define an IPsec security policy in /etc/ipsec-tools.conf
5
+* Load the IPsec security policy into the IPsec security policy database.
6
+* Configure the racoon daemon.
7
+* Configure a GRE tunnel.
8
+
9
+## Used resources in this example:
10
+* tunnel endpoints: 1.2.3.4 and 5.6.7.8
11
+* internal IPv4 addresses: 10.0.0.1 and 10.0.0.2
12
+
13
+## Define an IPsec security policy
14
+Example policy on 1.2.3.4:
15
+```bash
16
+#!/usr/sbin/setkey -f
17
+spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
18
+spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
19
+```
20
+Change the direction on 5.6.7.8.
21
+
22
+## Load the IPsec security policy into the IPsec security policy database
23
+Load the policy with the setkey command.
24
+```
25
+setkey -f /etc/ipsec-tools.conf
26
+```
27
+Afterward check the policy database with:
28
+```
29
+setkey -DP
30
+```
31
+
32
+## Configure the racoon daemon
33
+An example /etc/racoon/racoon.conf.
34
+```
35
+path pre_shared_key "/etc/racoon/psk.txt";
36
+path certificate "/etc/racoon/certs";
37
+log info;
38
+
39
+listen {
40
+ # replace with local tunnel endpoint
41
+ isakmp 1.2.3.4 [500];
42
+ isakmp_natt 1.2.3.4 [4500];
43
+}
44
+
45
+# replace with remote tunnel endpoint
46
+remote 5.6.7.8 [500] {
47
+ exchange_mode main;
48
+ proposal_check strict;
49
+ my_identifier asn1dn;
50
+ peers_identifier asn1dn;
51
+ lifetime time 1 hour;
52
+ certificate_type x509 "local.crt" "local.key";
53
+ peers_certfile x509 "remote.crt";
54
+ ca_type x509 "ca.crt";
55
+ verify_cert on;
56
+ send_cert off;
57
+ send_cr off;
58
+
59
+ proposal {
60
+ encryption_algorithm aes 256;
61
+ hash_algorithm sha256;
62
+ authentication_method rsasig;
63
+ dh_group modp4096;
64
+ }
65
+}
66
+
67
+# local tunnel endpoint, GRE ip protocol number, remote tunnel endpoint, GRE ip protocol number
68
+sainfo address 1.2.3.4 47 address 5.6.7.8 47 {
69
+ pfs_group modp4096;
70
+ lifetime time 1 hour;
71
+ encryption_algorithm aes 256;
72
+ authentication_algorithm hmac_sha1;
73
+ compression_algorithm deflate;
74
+}
75
+```
76
+
77
+## Configure a GRE tunnel
78
+Add this to /etc/network/interfaces:
79
+```
80
+auto gre1
81
+iface gre1 inet tunnel
82
+ mode gre
83
+ netmask 255.255.255.255
84
+ address 10.0.0.1
85
+ dstaddr 10.0.0.2
86
+ endpoint 5.6.7.8
87
+ local 1.2.3.4
88
+ ttl 255
89
+```
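Review bot: the phase 2 proposal in the sainfo block, `authentication_algorithm hmac_sha1;`, is weaker than the phase 1 `hash_algorithm sha256;` in the remote block a few lines above; since this is a new location for the file, consider `authentication_algorithm hmac_sha256;` so both phases use the same hash family. Two smaller points in the same file: the pre_shared_key path is never used because the remote block authenticates with rsasig, so either drop it or note why it is kept, and the ipsec-tools.conf fragment should begin with flush and spdflush statements before the spdadd lines, otherwise re-running setkey -f against an already loaded SPD fails with duplicate-entry errors. The sentence "Change the direction on 5.6.7.8." would also read more clearly as an instruction to swap both the addresses and the -P in/-P out directions on the other endpoint.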