mark22k
/
dn42-wiki
의 미러 https://codeberg.org/mark22k/dn42-wiki.git


			
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192
							<!DOCTYPE html>
<html lang="en">
    <head>
<meta charset="UTF-8">


<title>GRE+IPsec | dn42 wiki</title>

<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="robots" content="index, follow">
<meta name="keywords" content="dn42,wiki,routing,bgp">

<link rel="canonical" href="https://dn42.obl.ong/howto/GRE-plus-IPsec.html">
<link rel="icon" type="image/x-icon" href="/favicon.ico">
<link rel="shortcut icon" type="image/x-icon" href="/favicon.ico">

<link rel="author" type="text/html" href="/docs/people">

<link rel="stylesheet" href="/css/normalize.css">
<link rel="stylesheet" href="/css/simple.min.css">
<link rel="stylesheet" href="/css/style.css">
<link rel="stylesheet" href="/css/menu.css">


</head>
    
    <body>

        <header>


<b>dn42 wiki / GRE+IPsec</b>

<div id="dn42_header">
    
    <p><a href="/"><img src="/dn42.png" alt="dn42" /></a></p>

</div>
</header>

        <main>
            <h1 id="greipsec">GRE+IPsec</h1>

<h2 id="why-gre">Why GRE?</h2>
<ul>
  <li><a href="https://en.wikipedia.org/wiki/GRE">GRE</a> provides universal encapsulation on top of IP.</li>
  <li>It has a smaller header than UDP.</li>
  <li>GRE tunnels are processed in-kernel on *nix systems.</li>
  <li>It’s supported by hardware routers.</li>
</ul>

<h2 id="why-ipsec">Why IPsec?</h2>
<ul>
  <li>GRE provides no encryption and authentication of it’s own.</li>
  <li>IPsec in implemented in-kernel on FreeBSD and Linux with multithreaded encryption resulting in a lower latency than userspace VPN daemons using tun/tap interfaces.</li>
</ul>

<h2 id="problems-with-gre">Problems with GRE</h2>
<ul>
  <li>GRE is defined directly on top of IP.</li>
  <li>Broken NAPT implementations will stop GRE tunnels.</li>
</ul>

<h2 id="problems-with-ipsec">Problems with IPsec</h2>
<ul>
  <li>ESP is defined directly on top of IP.</li>
  <li>NAT support was added as an aftertought to IPsec.</li>
  <li>IKEv1 is too complex.</li>
  <li>Racoon has useless error messages.</li>
</ul>

<h2 id="requirements-for-sane-operation">Requirements for sane operation</h2>
<ul>
  <li>Identify your peers by X.509 certificates</li>
  <li>At least one peer should operate his own (Sub-)CA.</li>
</ul>

<h2 id="how-to-configure-a-gre-tunnel-on-freebsd">How to configure a GRE tunnel on FreeBSD</h2>
<p>See <a href="/howto/GRE-on-FreeBSD">GRE on FreeBSD</a>.</p>

<h2 id="how-to-configure-ipsec-on-freebsd">How to configure IPsec on FreeBSD</h2>
<p>See <a href="/howto/IPsec-on-FreeBSD">IPsec on FreeBSD</a>.</p>

<h2 id="how-to-configure-gre--ipsec-on-debian">How to configure GRE + IPsec on Debian</h2>
<p>See <a href="/howto/IPsecWithPublicKeys/GRE-plus-IPsec-Debian">GRE + IPsec on Debian</a>.</p>


            <div id="menu-container" class="menu-container">
                <hr>
                <div id="menu" class="menu">
                    
                    <ul>
  <li><a href="/Home">Home</a>
    <ul>
      <li><a href="/howto/Getting-Started">Getting Started</a></li>
      <li><a href="/howto/Registry-Authentication">Registry Authentication</a></li>
      <li><a href="/howto/Address-Space">Address Space</a></li>
      <li><a href="/howto/BGP-communities">BGP communities</a></li>
      <li><a href="/FAQ">FAQ</a></li>
    </ul>
  </li>
  <li>How-To
    <ul>
      <li><a href="/howto/wireguard">Wireguard</a></li>
      <li><a href="/howto/openvpn">Openvpn</a></li>
      <li><a href="/howto/IPsec-with-PublicKeys">IPsec With Public Keys</a></li>
      <li><a href="/howto/tinc">Tinc</a></li>
      <li><a href="/howto/GRE-on-FreeBSD">GRE on FreeBSD</a></li>
      <li><a href="/howto/GRE-on-OpenBSD">GRE on OpenBSD</a></li>
      <li><a href="/howto/IPv6-Multicast">IPv6 Multicast (PIM-SM)</a></li>
      <li><a href="/howto/multicast">SSM Multicast</a></li>
      <li><a href="/howto/mpls">MPLS</a></li>
      <li><a href="/howto/Bird2">Bird2</a></li>
      <li><a href="/howto/frr">FRRouting</a></li>
      <li><a href="/howto/OpenBGPD">OpenBGPD</a></li>
      <li><a href="/howto/mikrotik">Mikrotik RouterOS</a></li>
      <li><a href="/howto/EdgeOS-Config">EdgeRouter</a></li>
      <li><a href="/howto/Static-routes-on-Windows">Static routes on Windows</a></li>
      <li><a href="/howto/networksettings">Universal Network Requirements</a></li>
      <li><a href="/howto/vyos1.4.x">VyOS</a></li>
      <li><a href="/howto/nixos">NixOS</a></li>
    </ul>
  </li>
  <li>Services
    <ul>
      <li><a href="/services/IRC">IRC</a></li>
      <li><a href="/services/Whois">Whois registry</a></li>
      <li><a href="/services/DNS">DNS</a></li>
      <li><a href="/services/IX-Collection">IX Collection</a></li>
      <li><a href="/services/Clearnet-Domains">Public DNS</a></li>
      <li><a href="/services/Looking-Glasses">Looking Glasses</a></li>
      <li><a href="/services/Automatic-Peering">Automatic Peering</a></li>
      <li><a href="/services/Repository-Mirrors">Repository Mirrors</a></li>
      <li><a href="/services/Distributed-Wiki">Distributed Wiki</a></li>
      <li><a href="/services/Certificate-Authority">Certificate Authority</a></li>
      <li><a href="/services/Route-Collector">Route Collector</a></li>
    </ul>
  </li>
  <li>Internal
    <ul>
      <li><a href="/internal/Internal-Services">Internal services</a></li>
      <li><a href="/internal/Interconnections">Interconnections</a></li>
      <li><a href="/internal/APIs">APIs</a></li>
      <li><a href="/internal/ShowAndTell">Show and Tell</a></li>
      <li><a href="/internal/Historical-Services">Historical services</a></li>
    </ul>
  </li>
  <li>Historical
    <ul>
      <li><a href="/historical/Bird">Bird 1</a></li>
      <li><a href="/historical/Quagga">Quagga</a></li>
    </ul>
  </li>
  <li>External Tools
    <ul>
      <li><a href="https://paste.dn42.us">Paste Board</a></li>
      <li><a href="https://git.dn42.dev">Git Repositories</a></li>
    </ul>
  </li>
</ul>

<hr />


                </div>
            </div>
        </main>
        
        <footer><div class="center">
    <div id="dn42_footer">
        
        <table>
  <tbody>
    <tr>
      <td>Hosted by: <a href="mailto:dn42@burble.com">BURBLE-MNT</a>, <a href="mailto:nurtic-vibe@grmml.net">GRMML-MNT</a>, <a href="mailto:xuu@dn42.us">XUU-MNT</a>, <a href="mailto:janeric@ortgies.it">JAN-MNT</a>, <a href="mailto:lare@lare.cc">LARE-MNT</a>, <a href="mailto:danny@saru.moe">SARU-MNT</a>, <a href="mailto:androw95220@gmail.com">ANDROW-MNT</a>, <a href="mailto:dn42@mk16.de">MARK22K-MNT</a></td>
      <td>Accessible via: <a href="https://wiki.dn42">dn42</a>, <a href="https://dn42.dev/">dn42.dev</a>, <a href="https://dn42.eu/">dn42.eu</a>, <a href="https://wiki.dn42.us/">wiki.dn42.us</a>, <a href="https://dn42.de/">dn42.de</a> (IPv6-only), <a href="https://dn42.cc/">dn42.cc</a> (wiki-ng), <a href="https://dn42.wiki/">dn42.wiki</a>, <a href="https://dn42.pp.ua/">dn42.pp.ua</a>, <a href="https://dn42.obl.ong/">dn42.obl.ong</a></td>
    </tr>
  </tbody>
</table>

    </div>
</div>
</footer>

        
    </body>

</html>