RE: [Users] GRE over IPSec in 5 minutes

From: Ignat Vassilev (Ignat.Vassilev_at_optus.com.au)
Date: Tue Oct 15 2002 - 04:57:34 CEST


Thanks Ken

Ignat

-----Original Message-----
From: Ken Bantoft [mailto:ken_at_freeswan.ca]
Sent: Tuesday, 15 October 2002 10:54
To: Ignat Vassilev
Cc: 'Ken Bantoft'; Daniel Grob; users_at_lists.freeswan.org
Subject: RE: [Users] GRE over IPSec in 5 minutes

Well, start with your normal PSK ipsec.conf file, with only a single
tunnel defined (host to host) between your two gateways. Or use X.509, or
rsasig - it doesn't matter. Just get a tunnel between your two sites up,
host to host.

Get your SA established, and the eroute happy. In other words, *make sure
FreeS/WAN is working* before going any further. Otherwise, it's a pain to
debug.

Next up, it's GRE time:

$remote_ip = remote side of tunnel (the IP the ipsec# interface on the remote GW is on)
$local_ip = local IP address (the IP the local ipsec# interface is on)

ip tunnel add site1tosite2 mode gre remote $remote_ip local $local_ip ttl 255
ip link set site1tosite2 up
ip addr add 192.168.0.1 dev site1tosite2
ip route add 192.168.0.2/32 dev site1tosite2

Remember to reverse this on the other side... eg:

ip tunnel add site1tosite2 mode gre remote $local_ip local $remote_ip ttl 255
ip link set site1tosite2 up
ip addr add 192.168.0.2 dev site1tosite2
ip route add 192.168.0.1/32 dev site1tosite2

Note: I'm using only 2 IP addresses... so it's a point to point style
link. Handy if you have lots of these and don't wanna waste /24's each
time.

Make sure it works - ping the other end of the GRE tunnel. Check iptables
rules so traffic won't be dropped. You've probably done this already if
you're adding this to a working FreeS/WAN setup :)

Then, route whatever you want over the tunnel - eg:

ip route add 172.16.0.0/16 via 192.168.0.2 dev site1tosite2

Or, do something completely insane (like me) and run zebra/bgpd on both
ends, and let them exchange routes dynamically. Never issue an "ip route
[add|delete]" command again!

And that's about it. The exercise of putting all of this into custom
_updown scripts is left to the reader :)

-- 
Ken Bantoft                The Unofficial FreeS/WAN Site:
ken_at_freeswan.ca            http://www.freeswan.ca
                           PGP Key: finger ken_at_bantoft.org
"We can factor the number 15 with quantum computers. We 
can also factor the number 15 with a dog trained to bark 
three times."       -- Robert Harley, 5/12/01, Sci.crypt
_______________________________________________
Users mailing list
Users_at_lists.freeswan.org
http://lists.freeswan.org/mailman/listinfo/users
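The procedure Ken describes, collected into one script as an added example (not code from the original post or from FreeS/WAN). The gateway addresses are constructed samples, the tunnel name and 192.168.0.x addresses are the ones from the message, and DRY_RUN=1 prints the commands instead of running them; the check that an eroute for the peer exists before GRE is brought up is an addition, assuming the remote gateway address appears in `ipsec eroute` output.

```shell
#!/bin/sh
# Added example: point-to-point GRE on top of a working FreeS/WAN
# host-to-host tunnel, runnable on either side.  Gateway addresses are
# constructed samples; DRY_RUN=1 prints the commands (no root needed).

SITE1_GW=203.0.113.1       # sample: site 1 gateway address on ipsec0
SITE2_GW=198.51.100.1      # sample: site 2 gateway address on ipsec0
SITE1_TUN=192.168.0.1      # GRE endpoint addresses from the post
SITE2_TUN=192.168.0.2
TUN=site1tosite2

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Refuse to build GRE on top of nothing: without an eroute for the peer,
# the GRE packets (IP protocol 47) would leave the gateway unencrypted.
# Assumes the peer address shows up in `ipsec eroute` output.
check_ipsec() {
    if [ "${DRY_RUN:-0}" = 1 ]; then return 0; fi
    ipsec eroute | grep -q "$1" ||
        { echo "no eroute to $1; get IPsec working first" >&2; return 1; }
}

# gre_link NAME LOCAL_GW REMOTE_GW LOCAL_TUN REMOTE_TUN
gre_link() {
    check_ipsec "$3" || return 1
    run ip tunnel add "$1" mode gre remote "$3" local "$2" ttl 255
    run ip link set "$1" up
    run ip addr add "$4" dev "$1"
    run ip route add "$5/32" dev "$1"
}

# setup_site site1|site2: same commands, endpoints swapped on the far side
setup_site() {
    case $1 in
        site1) gre_link "$TUN" "$SITE1_GW" "$SITE2_GW" "$SITE1_TUN" "$SITE2_TUN" ;;
        site2) gre_link "$TUN" "$SITE2_GW" "$SITE1_GW" "$SITE2_TUN" "$SITE1_TUN" ;;
        *) echo "usage: $0 site1|site2" >&2; return 2 ;;
    esac
}

# route_via_tunnel PREFIX NEXTHOP: route a remote subnet across the link
# once a ping to the far end of the GRE tunnel succeeds.
route_via_tunnel() {
    run ip route add "$1" via "$2" dev "$TUN"
}

if [ $# -eq 1 ]; then setup_site "$1"; fi
```

Run it as `./gre-over-ipsec.sh site1` on one gateway and `./gre-over-ipsec.sh site2` on the other; `DRY_RUN=1 ./gre-over-ipsec.sh site2` shows the reversed command set without touching the host.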


This archive was generated by hypermail 2.1.5 : Wed Oct 16 2002 - 05:20:22 CEST