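--- a/gre-plus-ipsec-debian.md
+++ b/gre-plus-ipsec-debian.md
@@ -17,6 +17,7 @@ Example policy on 1.2.3.4:
 spdadd 1.2.3.4 5.6.7.8 gre -P out ipsec esp/transport//require;
 spdadd 5.6.7.8 1.2.3.4 gre -P in ipsec esp/transport//require;
 ```
+Change the direction on 5.6.7.8.
 
 ## Load the IPsec security policy into the IPsec security policy database
 Load the policy with the setkey command.
@@ -27,3 +28,46 @@ Afterward check the policy database with:
 ```
 setkey -DP
 ```
+
+## Configure the racoon daemon
+```
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+log info;
+
+listen {
+ # replace with local tunnel endpoint
+ isakmp 1.2.3.4 [500];
+ isakmp_natt 1.2.3.4 [4500];
+}
+
+# replace with remote tunnel endpoint
+remote 5.6.7.8 [500] {
+ exchange_mode main;
+ proposal_check strict;
+ my_identifier asn1dn;
+ peers_identifier asn1dn;
+ lifetime time 1 hour;
+ certificate_type x509 "local.crt" "local.key";
+ peers_certfile x509 "remote.crt";
+ ca_type x509 "ca.crt";
+ verify_cert on;
+ send_cert off;
+ send_cr off;
+
+ proposal {
+ encryption_algorithm aes 256;
+ hash_algorithm sha256;
+ authentication_method rsasig;
+ dh_group modp4096;
+ }
+}
+
+# local tunnel endpoint, remote tunnel endpoint, GRE ip protocol number
+sainfo (address 1.2.3.4 address 5.6.7.8 47) {
+ pfs_group modp4096;
+ lifetime time 1 hour;
+ encryption_algorithm aes 256;
+ authentication_algorithm hmac_sha1;
+ compression_algorithm deflate;
+}
\ No newline at end of file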