Set up a GRE tunnel on Linux with IPsec

Arian Fm
3 min read · Oct 4, 2024


Setting up a GRE (Generic Routing Encapsulation) tunnel protected by IPsec on Linux takes a handful of steps. GRE encapsulates packets so they can be routed between two endpoints as if over a point-to-point link, but it has no security of its own: everything in a GRE packet is plaintext and unauthenticated. IPsec (here ESP, negotiated with IKEv2 by strongSwan) supplies confidentiality and integrity for those GRE packets. Below is a step-by-step guide to configuring a GRE tunnel and then wrapping it in IPsec.

Prerequisites:

• Two Linux servers (we’ll call them Server A and Server B).

• Root (or sudo) access on both servers.

• Basic networking tools: iproute2 (the ip command, including ip tunnel and ip xfrm), the ipsec command-line tool that ships with strongSwan, and iptables if you run a host firewall.

• An IKE daemon. This guide uses strongSwan with its ipsec.conf configuration; Libreswan (the maintained fork of Openswan) works too, but with a different configuration syntax.

In this example:

• Server A underlay (outer) IP: 192.168.1.1

• Server B underlay (outer) IP: 192.168.2.1

• GRE tunnel IPs (inside the tunnel): 10.0.0.1 on Server A and 10.0.0.2 on Server B.

The underlay addresses are the ones GRE and ESP actually travel between; in a real deployment they are usually public IPs. Both hosts must reach each other directly on them: GRE (IP protocol 47) and ESP (IP protocol 50) are not TCP or UDP, so the plaintext test in step 3 will not work through NAT or through a firewall that only forwards TCP/UDP, and ESP must be allowed as well unless IKE falls back to UDP encapsulation on port 4500.

1. Install Required Packages

Install the packages for GRE and IPsec on both servers. GRE support is in the kernel (the ip_gre module is loaded automatically by ip tunnel add); iproute2 provides the ip command and strongSwan provides the IKE daemon plus the ipsec tool. On Debian/Ubuntu:

sudo apt-get update
sudo apt-get install iproute2 strongswan

2. Configure GRE Tunnel

Create the tunnel interface on each server, pointing local at its own underlay address and remote at the peer’s. These ip commands are not persistent; once the tunnel works, move them into your network configuration (netplan, ifupdown, systemd-networkd). GRE adds 24 bytes to every packet (20 bytes outer IP plus 4 bytes GRE header) and ESP adds more, so if large transfers stall later, lower the MTU on gre1 (for example ip link set gre1 mtu 1400) rather than relying on path MTU discovery through the tunnel.

On Server A:

# Create the GRE tunnel
sudo ip tunnel add gre1 mode gre remote 192.168.2.1 local 192.168.1.1 ttl 255

# Set the IP address for the tunnel interface
sudo ip addr add 10.0.0.1/30 dev gre1

# Bring up the GRE interface
sudo ip link set gre1 up

On Server B:

# Create the GRE tunnel
sudo ip tunnel add gre1 mode gre remote 192.168.1.1 local 192.168.2.1 ttl 255

# Set the IP address for the tunnel interface
sudo ip addr add 10.0.0.2/30 dev gre1

# Bring up the GRE interface
sudo ip link set gre1 up

3. Verify GRE Tunnel

At this point you should be able to ping between the two tunnel addresses. Nothing is encrypted yet: each ping crosses the network as a plaintext GRE packet (protocol 47) between 192.168.1.1 and 192.168.2.1, which you can see with tcpdump -ni <underlay interface> proto 47 on either host.

From Server A:

ping 10.0.0.2

From Server B:

ping 10.0.0.1

If the pings succeed, the GRE tunnel is established; the remaining steps only add protection on top of it.

4. Configure IPsec for GRE Encryption

Create the IPsec configuration on both servers.

strongSwan’s legacy configuration lives in /etc/ipsec.conf (connections) and /etc/ipsec.secrets (keys). The decisive part is the traffic selector. On the wire a GRE packet is IP protocol 47 from 192.168.1.1 to 192.168.2.1; the 10.0.0.x addresses exist only inside the encapsulation. A policy written for 10.0.0.1/32 and 10.0.0.2/32 in tunnel mode therefore never matches GRE at all. What it does instead is catch the pings from step 3 before they reach gre1 and send them as ordinary tunnel-mode IPsec, so the pings appear to work while the GRE tunnel itself stays plaintext and anything else routed over gre1 leaves the host unencrypted. The correct policy is transport-mode ESP between the two underlay addresses, restricted to protocol gre. Note that the parameters of a conn section must be indented: strongSwan’s parser treats an unindented line as the start of a new section.

On Server A:

Edit /etc/ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 1"   # raise to 2 while debugging

conn gre-tunnel
    left=192.168.1.1                  # Server A underlay IP
    right=192.168.2.1                 # Server B underlay IP
    leftprotoport=gre                 # only GRE (IP protocol 47) ...
    rightprotoport=gre                # ... between the two underlay addresses
    type=transport                    # protect the GRE packets in place, no second tunnel
    keyexchange=ikev2                 # IKEv2
    authby=secret                     # pre-shared key from ipsec.secrets
    ike=aes256gcm16-prfsha384-ecp384! # IKE proposal; "!" makes it strict
    esp=aes256gcm16-ecp384!           # ESP proposal, with PFS on rekey
    dpdaction=restart                 # re-establish if the peer goes silent
    auto=start                        # bring the connection up when the daemon starts

On Server B:

Edit /etc/ipsec.conf:

config setup
    charondebug="ike 1, knl 1, cfg 1"

conn gre-tunnel
    left=192.168.2.1                  # Server B underlay IP
    right=192.168.1.1                 # Server A underlay IP
    leftprotoport=gre
    rightprotoport=gre
    type=transport
    keyexchange=ikev2
    authby=secret
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    dpdaction=restart
    auto=start

Avoid weak proposals such as aes128-sha1-modp1024: a 1024-bit MODP group and SHA-1 are not acceptable choices today, and AES-GCM gives authenticated encryption in a single pass.

Configure Authentication (Shared Key)

Generate one random pre-shared key and put the same value in /etc/ipsec.secrets on both servers. The file must be readable by root only (chmod 600 /etc/ipsec.secrets). A pre-shared key is fine for two hosts you control; switch to certificates once the number of peers grows.

openssl rand -hex 32

On both Server A and Server B (with the generated key in place of the placeholder):

192.168.1.1 192.168.2.1 : PSK "YourStrongPSK"
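Steps 2 and 4 are the same on both servers with the addresses mirrored, which is exactly where copy-and-paste mistakes happen (a swapped left/right, a key that differs by one character). The following shell script is an added example, not code from the original post: given a side and an output directory it writes that server’s GRE commands (gre.sh), ipsec.conf and ipsec.secrets, using the same transport-mode, protocol-gre selector as the configuration above. It assumes strongSwan’s legacy ipsec.conf format; the output file names and the gen-gre-ipsec.sh name in the usage line are the script’s own.

```shell
#!/bin/sh
# Added example: generate the GRE commands and the strongSwan ipsec.conf /
# ipsec.secrets for one side of the GRE-over-IPsec setup described above.
# Not part of the original post. Assumes strongSwan with the legacy
# ipsec.conf configuration; the output file names (gre.sh, ipsec.conf,
# ipsec.secrets) are this script's own choice.

A_UNDERLAY=192.168.1.1; A_TUN=10.0.0.1   # Server A, addresses from the post
B_UNDERLAY=192.168.2.1; B_TUN=10.0.0.2   # Server B, addresses from the post

# gre_commands LOCAL REMOTE TUNNEL_IP: the ip(8) commands for one side
gre_commands() {
  cat <<EOF
ip tunnel add gre1 mode gre local $1 remote $2 ttl 255
ip addr add $3/30 dev gre1
ip link set gre1 mtu 1400
ip link set gre1 up
EOF
}

# ipsec_conf LOCAL REMOTE: transport-mode ESP restricted to IP protocol 47
# (GRE) between the two underlay addresses. Selecting on the 10.0.0.x tunnel
# addresses would never match the GRE packets, whose outer header carries
# the underlay addresses.
ipsec_conf() {
  cat <<EOF
config setup
    charondebug="ike 1, knl 1, cfg 1"

conn gre-tunnel
    left=$1
    right=$2
    leftprotoport=gre
    rightprotoport=gre
    type=transport
    keyexchange=ikev2
    authby=secret
    ike=aes256gcm16-prfsha384-ecp384!
    esp=aes256gcm16-ecp384!
    dpdaction=restart
    auto=start
EOF
}

# ipsec_secrets LOCAL REMOTE PSK: one line in ipsec.secrets syntax
ipsec_secrets() {
  printf '%s %s : PSK "%s"\n' "$1" "$2" "$3"
}

# gen_psk: 64 hex characters (256 bits) of randomness, shared by both sides
gen_psk() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
  fi
}

# write_side A|B OUTDIR PSK: write gre.sh, ipsec.conf and ipsec.secrets into
# OUTDIR for that server (copy the ipsec.* files to /etc on the server).
write_side() {
  case "$1" in
    A) ws_l=$A_UNDERLAY; ws_r=$B_UNDERLAY; ws_t=$A_TUN ;;
    B) ws_l=$B_UNDERLAY; ws_r=$A_UNDERLAY; ws_t=$B_TUN ;;
    *) echo "side must be A or B" >&2; return 1 ;;
  esac
  mkdir -p "$2"
  gre_commands "$ws_l" "$ws_r" "$ws_t" > "$2/gre.sh"
  ipsec_conf "$ws_l" "$ws_r" > "$2/ipsec.conf"
  ipsec_secrets "$ws_l" "$ws_r" "$3" > "$2/ipsec.secrets"
  chmod 600 "$2/ipsec.secrets"   # the PSK must not be world-readable
}

# Usage:
#   psk=$(sh gen-gre-ipsec.sh psk)
#   sh gen-gre-ipsec.sh A ./serverA "$psk"
#   sh gen-gre-ipsec.sh B ./serverB "$psk"
case "$#:${1:-}" in
  1:psk) gen_psk ;;
  3:*)   write_side "$1" "$2" "$3" ;;
esac
```

Generate the key once, run the script for A and for B with that key, then copy each directory’s ipsec.conf and ipsec.secrets to /etc on the matching server and run its gre.sh there as root.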

5. Start IPsec

On both servers, (re)start the IKE daemon. With the ipsec.conf based setup this is strongSwan’s "starter"; its systemd unit name varies by distribution (strongswan-starter on Debian/Ubuntu), so the portable form is:

sudo ipsec restart

Check that the IKE SA is established and the child SA is installed:

sudo ipsec statusall

Look for a line "gre-tunnel[1]: ESTABLISHED ..." and, below it, "gre-tunnel{1}: INSTALLED, TRANSPORT ..." with the selector "192.168.1.1/32[gre] === 192.168.2.1/32[gre]". This proves only that the SA exists; whether the GRE traffic actually goes through it is checked in the next step.

6. Verify IPsec Encryption

Once IPsec is running, ping through the GRE tunnel again:

From Server A:

ping 10.0.0.2

From Server B:

ping 10.0.0.1

A working ping is necessary but not sufficient: it would also work with a wrong policy that never touches GRE. Confirm on the wire that the GRE packets have disappeared behind ESP by capturing on the underlay interface (eth0 here; substitute yours):

sudo tcpdump -ni eth0 host 192.168.2.1 and '(proto 47 or proto 50)'

While the pings run you should see only ESP (protocol 50) packets and no GRE (protocol 47). Two further checks from the kernel’s point of view: sudo ip xfrm policy must list policies with "proto gre" whose template says "mode transport", and the packet counters in sudo ip -s xfrm state must grow with each ping.
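To check the kernel’s security policy database rather than trusting ping, the following added example (not from the original post) parses the output of ip xfrm policy and succeeds only when both an inbound and an outbound transport-mode ESP policy exist for protocol gre between the two underlay addresses. The two sample outputs are constructed to resemble ip xfrm policy output: the first is what the step 4 configuration installs, the second is what a tunnel-mode policy on the 10.0.0.x addresses looks like, which the check must reject.

```shell
#!/bin/sh
# Added example: verify that GRE between two underlay addresses is covered
# by transport-mode ESP policies in both directions, by parsing the output
# of `ip xfrm policy`. Not part of the original post; the sample outputs
# below are constructed.

# check_gre_policy LOCAL REMOTE   (reads `ip xfrm policy` output on stdin)
# Exit 0 if there is an outbound policy "src LOCAL dst REMOTE proto gre" and
# an inbound policy "src REMOTE dst LOCAL proto gre", each backed by an ESP
# template in transport mode; exit 1 otherwise.
check_gre_policy() {
  awk -v L="$1/32" -v R="$2/32" '
    # selector line "src A/32 dst B/32 proto gre" opens a new policy
    $1 == "src" { s = $2; d = $4; p = $6; dir = ""; next }
    $1 == "dir" { dir = $2; next }
    # template line "proto esp reqid N mode transport"
    /proto esp/ && /mode transport/ {
      gre = (p == "gre" || p == "47")
      if (dir == "out" && s == L && d == R && gre) out = 1
      if (dir == "in"  && s == R && d == L && gre) inb = 1
    }
    END { exit !(out && inb) }
  '
}

# Constructed sample: what the transport-mode, protocol-gre policy looks like
# on Server A (out / fwd / in entries as the kernel prints them).
GOOD_POLICY='src 192.168.1.1/32 dst 192.168.2.1/32 proto gre
        dir out priority 375423 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.2.1/32 dst 192.168.1.1/32 proto gre
        dir fwd priority 375423 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport
src 192.168.2.1/32 dst 192.168.1.1/32 proto gre
        dir in priority 375423 ptype main
        tmpl src 0.0.0.0 dst 0.0.0.0
                proto esp reqid 1 mode transport'

# Constructed sample: a tunnel-mode policy on the inner 10.0.0.x addresses.
# It never matches the GRE packets, so the check must fail on it.
BAD_POLICY='src 10.0.0.1/32 dst 10.0.0.2/32
        dir out priority 375423 ptype main
        tmpl src 192.168.1.1 dst 192.168.2.1
                proto esp reqid 1 mode tunnel
src 10.0.0.2/32 dst 10.0.0.1/32
        dir in priority 375423 ptype main
        tmpl src 192.168.2.1 dst 192.168.1.1
                proto esp reqid 1 mode tunnel'

# Against the live kernel:  sudo sh check-gre-policy.sh 192.168.1.1 192.168.2.1
if [ $# -eq 2 ]; then
  if ip xfrm policy | check_gre_policy "$1" "$2"; then
    echo "GRE $1 <-> $2 is protected by transport-mode ESP in both directions"
  else
    echo "no transport-mode ESP policy selecting GRE between $1 and $2" >&2
    exit 1
  fi
fi
```

Run it on each server with that server’s own address first; on Server B the arguments are 192.168.2.1 192.168.1.1. The check ignores the fwd policy and insists on both directions, so a one-sided policy (for instance after a failed rekey on one host) is reported as a failure.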

Optional: Using iptables for Policy Matching

If the host runs a restrictive firewall, three things must get through: IKE (UDP 500, plus UDP 4500 when NAT traversal is used), ESP itself (IP protocol 50), and the GRE packets that the kernel re-injects into the input path after decrypting them. The xt_policy match lets you accept GRE only when it arrived inside IPsec, so a plaintext GRE packet spoofed from the peer’s address is dropped instead of being decapsulated. On Server A (swap the peer address on Server B):

# IKE and ESP from the peer, then GRE only if it came out of a transport-mode ESP SA
sudo iptables -A INPUT -s 192.168.2.1 -p udp -m multiport --dports 500,4500 -j ACCEPT
sudo iptables -A INPUT -s 192.168.2.1 -p esp -j ACCEPT
sudo iptables -A INPUT -s 192.168.2.1 -p gre -m policy --dir in --pol ipsec --proto esp --mode transport -j ACCEPT
sudo iptables -A INPUT -p gre -j DROP

An OUTPUT rule for GRE is only needed if your OUTPUT chain drops by default; the symmetric hardening there is -m policy --dir out --pol ipsec, which refuses to send GRE unless an outbound IPsec policy covers it.

Summary:

• GRE encapsulates packets so the two hosts can route traffic to each other over a point-to-point link, but by itself it is plaintext and unauthenticated.

• IPsec in transport mode, with a policy that selects protocol 47 between the two underlay addresses, encrypts and authenticates every GRE packet. A policy on the inner tunnel addresses would not do this, so confirm with ip xfrm policy and a packet capture rather than with ping alone.
