dn42

GRE+IPsec

Why GRE?

  • GRE provides universal encapsulation on top of IP.
  • It has a smaller header than UDP.
  • GRE tunnels are processed in-kernel on *nix systems.
  • It's supported by hardware routers.

Why IPsec?

  • GRE provides no encryption and authentication of it's own.
  • IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces.

Problems with GRE

  • GRE is defined directly on top of IP.
  • Broken NAPT implementations will stop GRE tunnels.

Problems with IPsec

  • ESP is defined directly on top of IP.
  • NAT support was added as an aftertought to IPsec.
  • IKEv1 is too complex.
  • Racoon has useless error messages.

Requirements for sane operation

  • Identify your peers by X.509 certificates
  • At least one peer should operate his own (Sub-)CA.

How to configure a GRE tunnel on FreeBSD

See GRE on FreeBSD.

How to configure IPsec on FreeBSD

See IPsec on FreeBSD.

How to configure GRE + IPsec on Debian

See GRE + IPsec on Debian.

Hosted by: BURBLE-MNT, GRMML-MNT, XUU-MNT, JAN-MNT, LARE-MNT, SARU-MNT, ANDROW-MNT, MARK22K-MNT | Accessible via: dn42, dn42.dev, dn42.eu, wiki.dn42.us, dn42.de (IPv6-only), dn42.cc (wiki-ng), dn42.wiki, dn42.pp.ua, dn42.obl.ong