☰

GRE-plus-IPsec

GRE+IPsec

Why GRE?

GRE provides universal encapsulation on top of IP.
It has a smaller header than UDP.
GRE tunnels are processed in-kernel on *nix systems.
It's supported by hardware routers.

Why IPsec?

GRE provides no encryption and authentication of it's own.
IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces.

Problems with GRE

GRE is defined directly on top of IP.
Broken NAPT implementations will stop GRE tunnels.

Problems with IPsec

ESP is defined directly on top of IP.
NAT support was added as an aftertought to IPsec.
IKEv1 is too complex.
Racoon has useless error messages.

Requirements for sane operation

Identify your peers by X.509 certificates
At least one peer should operate his own (Sub-)CA.

How to configure a GRE tunnel on FreeBSD

See GRE on FreeBSD.

How to configure IPsec on FreeBSD

See IPsec on FreeBSD.

How to configure GRE + IPsec on Debian

See GRE + IPsec on Debian.

Hosted by: BURBLE-MNT, GRMML-MNT, XUU-MNT, JAN-MNT, LARE-MNT, SARU-MNT, ANDROW-MNT, MARK22K-MNT

Accessible via: dn42, dn42.dev, dn42.eu, wiki.dn42.us, dn42.de (IPv6-only), dn42.cc (wiki-ng), dn42.wiki, dn42.pp.ua, dn42.obl.ong