How to set up GRE over IPsec between two CentOS 6 machines
Written by BiRU Sunday, 23 October 2016 06:52
I recently got the chance to implement GRE over IPsec. Let us consider the following test environment.
Site A (CentOS 6):-
IP – 192.168.122.66
IPsec subnet – 10.30.0.0/20
Site B (CentOS 6):-
IP – 192.168.122.71
Subnet – 10.2.226.0/23
After installing ipsec on both sides, I configured IPsec as follows:-
Site A :-
1. vi /etc/ipsec.conf
conn test
auto=start #load and start this conn whenever ipsec starts, so it comes back after a reboot
type=tunnel #tunnel mode ipsec
authby=secret #pre-shared key from /etc/ipsec.secrets
ike=3des-sha1-modp1024 #phase 1 aka isakmp sa
ikelifetime=8h #phase 1 sa lifetime
esp=3des-sha1 #phase 2 aka ipsec sa
keylife=1h #phase 2 sa lifetime
pfs=yes
###our gateway
left=192.168.122.66
leftsubnet=10.30.0.0/20
leftnexthop=192.168.122.1
leftprotoport=gre #match only the GRE traffic, this line is very important
###remote peer
right=192.168.122.71 #remote gateway
rightsubnet=10.2.226.0/23 #remote subnet
rightnexthop=%defaultroute
rightprotoport=gre #match only the GRE traffic
2. vi /etc/ipsec.secrets
192.168.122.66 192.168.122.71 : PSK "test"
3. Now choose one IP from the subnet 10.30.0.0/20; it will be site A's GRE outer IP. I selected 10.30.0.1 and configured GRE as below:-
vi /etc/sysconfig/network-scripts/ifcfg-mygre1
DEVICE=mygre1
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
MY_OUTER_IPADDR=10.30.0.1
PEER_OUTER_IPADDR=10.2.226.1
MY_INNER_IPADDR=10.200.52.141
PEER_INNER_IPADDR=10.200.52.142
That's all on site A. Now you need to configure site B with the same steps.
Site B:-
1. vi /etc/ipsec.conf
conn test
auto=start #load and start this conn whenever ipsec starts, so it comes back after a reboot
type=tunnel #tunnel mode ipsec
authby=secret #pre-shared key from /etc/ipsec.secrets
ike=3des-sha1-modp1024 #phase 1 aka isakmp sa
ikelifetime=8h #phase 1 sa lifetime
esp=3des-sha1 #phase 2 aka ipsec sa
keylife=1h #phase 2 sa lifetime
pfs=yes
###our gateway
left=192.168.122.71
leftsubnet=10.2.226.0/23
leftnexthop=192.168.122.1
leftprotoport=gre #match only the GRE traffic, this line is very important
###remote peer
right=192.168.122.66 #remote gateway
rightsubnet=10.30.0.0/20 #remote subnet
rightnexthop=%defaultroute
rightprotoport=gre #match only the GRE traffic
2. vi /etc/ipsec.secrets
192.168.122.71 192.168.122.66 : PSK "test"
3. Now choose one IP from the subnet 10.2.226.0/23; it will be site B's GRE outer IP. I selected 10.2.226.1 and configured GRE as below:-
vi /etc/sysconfig/network-scripts/ifcfg-mygre1
DEVICE=mygre1
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
MY_OUTER_IPADDR=10.2.226.1
PEER_OUTER_IPADDR=10.30.0.1
MY_INNER_IPADDR=10.200.52.142
PEER_INNER_IPADDR=10.200.52.141
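The two conn blocks above have to mirror each other exactly: left/right and the two subnets swapped, protoport set to gre on both ends, identical proposals, and the same PSK stored under the same pair of peer addresses. A typo on one side is the usual reason the policy never matches, in which case the GRE packets simply leave the host unencrypted. The following POSIX shell script is an added example and not part of the original article: it embeds constructed copies of the article's two conn blocks and secrets lines and checks them for consistency. It also flags 3des and modp1024, which are below current recommendations. The function names are my own.

```shell
#!/bin/sh
# Added example: consistency checks for a pair of Openswan-style "conn" blocks and
# ipsec.secrets lines. The config text below is constructed from the article's
# values; in practice you would read the real files from both gateways.

SITE_A_CONF='conn test
auto=start
type=tunnel
authby=secret
ike=3des-sha1-modp1024
esp=3des-sha1
pfs=yes
left=192.168.122.66
leftsubnet=10.30.0.0/20
leftnexthop=192.168.122.1
leftprotoport=gre
right=192.168.122.71 #remote gateway
rightsubnet=10.2.226.0/23
rightnexthop=%defaultroute
rightprotoport=gre'

SITE_B_CONF='conn test
auto=start
type=tunnel
authby=secret
ike=3des-sha1-modp1024
esp=3des-sha1
pfs=yes
left=192.168.122.71
leftsubnet=10.2.226.0/23
leftnexthop=192.168.122.1
leftprotoport=gre
right=192.168.122.66
rightsubnet= 10.30.0.0/20#Subnet
rightnexthop=%defaultroute
rightprotoport=gre'

SECRETS_A='192.168.122.66 192.168.122.71 : PSK "test"'
SECRETS_B='192.168.122.71 192.168.122.66 : PSK "test"'

# conn_value CONF KEY -> value of KEY with surrounding whitespace and a trailing
# "#comment" removed (empty if KEY is absent). Matches "KEY=" only, so asking
# for "left" does not pick up "leftsubnet".
conn_value() {
    printf '%s\n' "$1" |
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" |
    sed 's/[[:space:]]*#.*$//; s/[[:space:]]*$//' | head -n 1
}

# mirror_ok CONF_A CONF_B -> 0 if the two blocks describe the same tunnel seen
# from opposite ends, 1 (with a message on stderr) on the first mismatch.
mirror_ok() {
    # keys that must be swapped between the two sides
    for pair in left:right right:left leftsubnet:rightsubnet rightsubnet:leftsubnet \
                leftprotoport:rightprotoport rightprotoport:leftprotoport; do
        ka=${pair%%:*}; kb=${pair##*:}
        va=$(conn_value "$1" "$ka"); vb=$(conn_value "$2" "$kb")
        if [ -z "$va" ] || [ "$va" != "$vb" ]; then
            echo "MISMATCH: $ka='$va' on A but $kb='$vb' on B" >&2
            return 1
        fi
    done
    # keys that must be identical on both sides
    for key in type authby ike esp pfs; do
        va=$(conn_value "$1" "$key"); vb=$(conn_value "$2" "$key")
        if [ -z "$va" ] || [ "$va" != "$vb" ]; then
            echo "MISMATCH: $key='$va' on A but '$vb' on B" >&2
            return 1
        fi
    done
    # the policy only covers the GRE traffic if both ends say so
    [ "$(conn_value "$1" leftprotoport)" = gre ] || { echo "protoport is not gre" >&2; return 1; }
}

# psk_of LINE -> the quoted PSK from an ipsec.secrets line
psk_of() {
    printf '%s\n' "$1" | sed -n 's/.*:[[:space:]]*PSK[[:space:]]*"\([^"]*\)".*/\1/p'
}

# ids_of LINE -> the peer identities before ":", sorted one per line, so that
# "A B : PSK" and "B A : PSK" compare equal
ids_of() {
    printf '%s\n' "${1%%:*}" | tr -s '[:space:]' '\n' | sed '/^$/d' | sort
}

# secrets_ok LINE_A LINE_B -> 0 if both lines carry the same PSK for the same two peers
secrets_ok() {
    [ -n "$(psk_of "$1")" ] &&
    [ "$(psk_of "$1")" = "$(psk_of "$2")" ] &&
    [ "$(ids_of "$1")" = "$(ids_of "$2")" ]
}

# weak_algos CONF -> prints any ike/esp component that should no longer be used
weak_algos() {
    for key in ike esp; do
        conn_value "$1" "$key" | tr '-' '\n' | grep -E -x 'des|3des|md5|modp768|modp1024' || true
    done
}

mirror_ok "$SITE_A_CONF" "$SITE_B_CONF" && secrets_ok "$SECRETS_A" "$SECRETS_B" && echo "configs are consistent"
weak_algos "$SITE_A_CONF" | sort -u | sed 's/^/weak algorithm: /'
```

Run it on copies of the real files by replacing the constructed strings with `$(cat /path/to/ipsec.conf)` from each gateway; the mirror check is deliberately strict (an empty value counts as a mismatch) because a missing protoport line silently widens the policy to all traffic between the two subnets.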
Now you can test the VPN connection with ping and run tcpdump on the other end; you will see that the traffic goes through the IPsec tunnel. I pinged 10.200.52.142 from site A and ran tcpdump on site B.
tcpdump -i eth0 -nn host 192.168.122.66
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
23:36:43.772311 IP 192.168.122.66 > 192.168.122.71: ESP(spi=0xf0548a51,seq=0x14), length 140
23:36:43.772408 IP 192.168.122.71 > 192.168.122.66: ESP(spi=0x31e04035,seq=0x7), length 140
23:36:44.772295 IP 192.168.122.66 > 192.168.122.71: ESP(spi=0xf0548a51,seq=0x15), length 140
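The capture above is what success looks like: the only packets between the two gateway addresses are ESP. The following POSIX shell script is an added example, not from the article. It runs over constructed tcpdump lines (the article's ESP lines plus an IKE line, a duplicated ESP sequence number, and one plaintext GREv0 packet of the kind you would see if the policy did not match) and flags anything that is not ESP or IKE, as well as any ESP sequence number that fails to increase on its SPI. Function names are my own.

```shell
#!/bin/sh
# Added example: classify tcpdump output from a gateway's outer interface.
# With a working GRE-over-IPsec policy, everything between the two gateways is
# ESP (plus IKE on UDP 500/4500). A GREv0 line, or an inner ICMP line, means the
# GRE traffic left the host without matching the IPsec policy.

# Constructed sample: the article's ESP lines, an IKE line, a repeated ESP
# sequence number, and one plaintext GRE packet (assume no "host" filter here).
SAMPLE_CAPTURE='23:36:43.772311 IP 192.168.122.66 > 192.168.122.71: ESP(spi=0xf0548a51,seq=0x14), length 140
23:36:43.772408 IP 192.168.122.71 > 192.168.122.66: ESP(spi=0x31e04035,seq=0x7), length 140
23:36:44.772295 IP 192.168.122.66 > 192.168.122.71: ESP(spi=0xf0548a51,seq=0x15), length 140
23:36:44.772300 IP 192.168.122.66 > 192.168.122.71: ESP(spi=0xf0548a51,seq=0x14), length 140
23:36:50.100000 IP 192.168.122.66.500 > 192.168.122.71.500: isakmp: phase 1 I ident
23:36:51.000000 IP 10.30.0.1 > 10.2.226.1: GREv0, length 88: IP 10.200.52.141 > 10.200.52.142: ICMP echo request, id 1, seq 1, length 64'

# esp_count CAPTURE -> number of ESP packets (0 if none)
esp_count() {
    printf '%s\n' "$1" | grep -c ': ESP(spi=' || true
}

# plaintext_lines CAPTURE -> every line that is neither ESP nor IKE; with the
# tunnel working this prints nothing
plaintext_lines() {
    printf '%s\n' "$1" | grep -v -E ': ESP\(spi=|: isakmp:' || true
}

# seq_regressions CAPTURE -> "spi seq" for each ESP packet whose sequence number
# did not increase over the previous packet on the same SPI (a duplicate or a
# replay; the receiver's anti-replay window drops these, so they show up as loss)
seq_regressions() {
    printf '%s\n' "$1" |
    sed -n 's/.*ESP(spi=\(0x[0-9a-f]*\),seq=0x\([0-9a-f]*\)).*/\1 \2/p' |
    awk '
        # POSIX awk has no hex conversion, so do it by hand
        function hex(s,    i, v) {
            v = 0
            for (i = 1; i <= length(s); i++)
                v = v * 16 + index("0123456789abcdef", substr(s, i, 1)) - 1
            return v
        }
        { n = hex($2)
          if (($1 in last) && n <= last[$1]) print $1, "0x" $2
          last[$1] = n }'
}

echo "ESP packets: $(esp_count "$SAMPLE_CAPTURE")"
echo "unencrypted between gateways:"; plaintext_lines "$SAMPLE_CAPTURE"
echo "ESP sequence regressions:"; seq_regressions "$SAMPLE_CAPTURE"
```

To use it on a live gateway, feed it a capture taken without the `host` filter (`tcpdump -i eth0 -nn -l`) so that plaintext GRE between the outer GRE addresses is not filtered out before it can be flagged.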