In the realm of networking, establishing secure connections between different locations is vital, especially for businesses that require seamless internal communication. One popular method for creating such connections is through Generic Routing Encapsulation (GRE) tunnels. However, GRE alone doesn’t provide encryption, which makes it susceptible to eavesdropping. In this article, we will guide you through the process of configuring secure GRE tunnels on Linux servers using IPsec for encryption.

Understanding GRE Tunnels

GRE (Generic Routing Encapsulation) is a tunneling protocol that encapsulates various network layer protocols in point-to-point links. It is typically used to create a virtual point-to-point connection between remote sites over the Internet or a private network.

However, GRE tunnels do not encrypt the encapsulated data, which poses a security risk. To enhance the security of a GRE tunnel, we can use IPsec (Internet Protocol Security) for encryption and secure key exchange.

Prerequisites

Before starting the configuration, ensure you have:

  1. Two Linux servers running a supported distribution (CentOS, Ubuntu, etc.).
  2. Root access to both servers.
  3. Sufficient network connectivity between the two servers.
  4. The necessary packages installed: iproute2, plus strongSwan on Ubuntu or Libreswan on CentOS (Step 1 covers this).

Step 1: Install Required Packages

On Ubuntu:

sudo apt update
sudo apt install strongswan iproute2

On CentOS:

sudo yum install libreswan iproute

Step 2: Configure IPsec (strongSwan or Libreswan)

Server 1 Configuration (e.g., 192.168.1.1)

Edit the IPsec configuration file:

sudo nano /etc/ipsec.conf

Add the following configuration, replacing the addresses with your own (the shared secret itself goes into ipsec.secrets in Step 3). Parameters inside a config or conn section must be indented. The syntax shown is strongSwan's: the trailing ! on the ike and esp lines pins the proposal to exactly those algorithms, and charonstart/plutostart are legacy keys that current strongSwan releases no longer need; Libreswan has its own keyword set, so check its ipsec.conf(5) man page before reusing this file on CentOS. Note that with both subnets set to 0.0.0.0/0 the resulting policy covers all IPv4 traffic between the two hosts and beyond, not only the GRE packets.

config setup
    charonstart=yes
    plutostart=no

conn gre-tunnel
    authby=secret
    pfs=no
    auto=start
    keyexchange=ikev2
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256-modp2048!
    left=192.168.1.1
    leftsubnet=0.0.0.0/0
    right=192.168.2.1
    rightsubnet=0.0.0.0/0

Server 2 Configuration (e.g., 192.168.2.1)

Similarly, on Server 2, edit the IPsec configuration:

sudo nano /etc/ipsec.conf

Add the corresponding settings; left and right are simply swapped relative to Server 1, and the section parameters must again be indented:

config setup
    charonstart=yes
    plutostart=no

conn gre-tunnel
    authby=secret
    pfs=no
    auto=start
    keyexchange=ikev2
    ike=aes128-sha256-modp2048!
    esp=aes128-sha256-modp2048!
    left=192.168.2.1
    leftsubnet=0.0.0.0/0
    right=192.168.1.1
    rightsubnet=0.0.0.0/0

Step 3: Configure IPsec Secrets

On both servers, edit the IPsec secrets file:

sudo nano /etc/ipsec.secrets

Add the following line, identical on both servers, replacing "your_secret" with a long, randomly generated shared secret:

192.168.1.1 192.168.2.1 : PSK "your_secret"

Step 4: Create the GRE Tunnel

On Server 1

Execute the following commands to create the GRE tunnel:

sudo ip tunnel add gre1 mode gre remote 192.168.2.1 local 192.168.1.1 ttl 255
sudo ip addr add 10.0.0.1/30 dev gre1
sudo ip link set gre1 up

On Server 2

Run similar commands to create the GRE tunnel:

sudo ip tunnel add gre1 mode gre remote 192.168.1.1 local 192.168.2.1 ttl 255
sudo ip addr add 10.0.0.2/30 dev gre1
sudo ip link set gre1 up

Step 5: Enable IP Forwarding

To allow the servers to forward traffic, enable IP forwarding on both servers by modifying the sysctl settings:

echo "net.ipv4.ip_forward = 1" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Step 6: Start IPsec

On both servers, start the IPsec service:

On Ubuntu:

sudo systemctl restart strongswan

On CentOS:

sudo systemctl restart ipsec

Step 7: Verify the Connection

To check if the GRE tunnel is up and running, use the following command:

ip a show gre1

You can also check the IPsec status:

On Ubuntu:

sudo ipsec statusall

On CentOS (ipsec verify checks the host's IPsec prerequisites and whether the daemon is running; use ipsec status to list the established connections):

sudo ipsec verify
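As an added check that is not part of the original article, the script below (hypothetical name check-gre-ipsec.sh; the function names are my own) confirms on one server that gre1 is up, that the kernel holds an outbound ESP policy covering GRE toward the peer (the 0.0.0.0/0 selectors from Step 2, or a host-to-host selector restricted to proto gre), and that the far tunnel address answers. Its parsers read the output of ip link show and ip xfrm policy, so they can also be exercised offline on captured output.

```sh
#!/bin/sh
# check-gre-ipsec.sh (hypothetical name): verify on one server that gre1 is up
# and that GRE traffic to the peer is covered by an outbound IPsec (ESP) policy.
# Needs iproute2 (ip) and iputils (ping), as installed in Step 1.

# Read `ip link show <ifname>` on stdin; succeed if the interface has the UP flag.
gre_link_is_up() {
    awk -v name="$1" '
        $2 ~ ("^" name "[@:]") && $3 ~ /[<,]UP[,>]/ { up = 1 }
        END { exit (up ? 0 : 1) }'
}

# Read `ip xfrm policy` on stdin; succeed if a "dir out" policy whose selector admits
# GRE to the peer (0.0.0.0/0 as in Step 2, or the peer host with proto gre) carries
# an ESP template toward the peer.  Usage: gre_policy_covers_peer <peer-ip>
gre_policy_covers_peer() {
    awk -v peer="$1" '
        /^src / {                    # first line of a policy: its traffic selector
            sel_dst = $4; sel_proto = "any"; dir = ""; tmpl_dst = ""
            for (i = 5; i <= NF; i++) if ($i == "proto") sel_proto = $(i + 1)
        }
        /^[ \t]+dir /  { dir = $2 }
        /^[ \t]+tmpl / { tmpl_dst = $5 }
        /^[ \t]+proto esp/ {         # template line: ESP, toward our peer?
            if (dir == "out" && tmpl_dst == peer &&
                (sel_dst == "0.0.0.0/0" || sel_dst == (peer "/32") || sel_dst == peer) &&
                (sel_proto == "any" || sel_proto == "gre" || sel_proto == "47"))
                found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Live check for one side.  Usage: check_tunnel <peer-ip> <remote-tunnel-ip> [ifname]
check_tunnel() {
    ifname=${3:-gre1}
    ip link show "$ifname" | gre_link_is_up "$ifname" \
        || { echo "FAIL: $ifname is not up"; return 1; }
    ip xfrm policy | gre_policy_covers_peer "$1" \
        || { echo "FAIL: no outbound ESP policy covers GRE to $1 (IPsec not established?)"; return 1; }
    ping -c 3 -W 2 "$2" >/dev/null \
        || { echo "FAIL: $2 does not answer through $ifname"; return 1; }
    echo "OK: $ifname up, GRE to $1 protected by IPsec, $2 reachable"
}

# Run the live checks only when asked, e.g. on Server 1:
#   sh check-gre-ipsec.sh live 192.168.2.1 10.0.0.2
if [ "${1:-}" = "live" ]; then
    check_tunnel "$2" "$3" "$4"
fi
```

If the policy check fails while ipsec statusall or ipsec status shows no CHILD_SA, the GRE interface may still be up but its packets are leaving in the clear, which is exactly the condition this script is meant to catch.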

Conclusion

You have successfully configured a secure GRE tunnel between two Linux servers using IPsec for encryption. By wrapping GRE in IPsec, we have ensured that the data traversing this tunnel is encrypted and secure from potential threats.

Utilizing secure GRE tunnels is essential for organizations that handle sensitive information across remote sites. Always remember to regularly review your security policies, keys, and configurations to ensure your network remains secure.

For further inquiries or assistance, feel free to reach out to WafaTech or consult the documentation of your respective Linux distribution. Happy tunneling!