GRE tunnel: Difference between revisions
From Nasqueron Agora
Revision as of 10:24, 13 February 2026
IPsec solutions
IPsec solutions: Racoon2, Libreswan and Strongswan.
1. Racoon2:
- Racoon2 official repo: https://github.com/zoulasc/racoon2/
- Advantages
  - Lightweight and easy to use with minimal CPU/RAM usage, compared to other solutions.
  - Native on FreeBSD.
  - Simple configuration for point-to-point.
- Disadvantages
  - Project not actively maintained, last update was in 2020.
  - Limited support for modern features (IKEv2, NAT traversal): configuration is possible but may be more complex than with other solutions.
  - Apple clients can have difficulty connecting because of the limitations of the pfkeyv2 interface to the Linux kernel that Racoon2 uses.
  - Harder to configure for complex setups.
Operational risk: due to the lack of maintenance, Racoon2 presents:
- Security patch uncertainty
- Limited future protocol support
- Risk for long term deployments
2. Libreswan:
- Libreswan official website: https://libreswan.org/
- Forked from the original FreeS/WAN project.
- Advantages
  - Actively maintained and stable on older hardware
  - IRC community.
  - Supports NAT traversal, IKEv2 and enterprise VPN.
- Disadvantages
  - Less native support on FreeBSD.
  - Heavier on resource usage.
  - Might need kernel patches.
Suitable for:
- Stable and conservative deployments
- Compatibility with older systems
- Administrators familiar with FreeS/WAN style configuration
3. Strongswan:
- Strongswan official website: https://strongswan.org/
- Originally derived from FreeS/WAN but largely reimplemented.
- Advantages
  - Actively maintained with an active community on IRC.
  - Full support for IKEv2, EAP, PKI and MOBIKE.
  - Well documented with community support.
  - Native on FreeBSD and Linux.
- Disadvantages
  - More complex to configure.
  - Slightly heavier on resources.
Suitable for:
- Long term infrastructure.
- Modern cryptographic standards.
- Full support of multiple protocols: IKEv2, EAP, PKI, MOBIKE.
- Large or scalable deployments.
- Mixed FreeBSD/Linux environments.
Summary:
- Racoon2: easier to configure for basic setups, but it is a deprecated project.
- Libreswan: stable and maintained but less native on FreeBSD, might need kernel patches.
- Strongswan: most complete solution, with good documentation and community support and more protocols than the other solutions, but it might be more complex to configure and is heavier than the other solutions.
| Criteria | Racoon2 | Libreswan | StrongSwan |
|---|---|---|---|
| Project status | ❌ Not maintained | ✅ Active | ✅ Active |
| IKEv2 support | ⚠ Limited | ✅ Full | ✅ Full |
| NAT-T support | ⚠ Limited | ✅ Yes | ✅ Yes |
| FreeBSD integration | ✅ Native | ⚠ Partial | ✅ Native |
| Linux integration | ⚠ PF_KEY | ✅ XFRM | ✅ XFRM/VTI |
Technical considerations for GRE over IPsec
When securing a GRE tunnel, the following features are needed:
IKEv2 stability, required for:
- Reliable rekeying
- Better NAT handling
- Long term compatibility
Route-based VPN support, important when:
- Using GRE with dynamic routing (BGP/OSPF).
- Managing multiple tunnels.
- Automating configuration.
NAT traversal (NAT-T):
- Needed if peers are behind NAT.
Rekeying behavior, the implementation must:
- Avoid traffic interruption
- Handle DPD (dead peer detection) correctly
- Maintain tunnel stability
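A StrongSwan swanctl.conf that covers the four points above (IKEv2 only, route-based GRE in transport mode, forced NAT-T, rekeying with DPD), added here as an illustration and not taken from this wiki or from the StrongSwan project; the endpoint addresses, identities and the pre-shared key are constructed placeholders.

```conf
# Added example: protecting a GRE tunnel with IPsec using StrongSwan's swanctl.conf.
# Addresses, identities and the PSK are constructed placeholders, not real values.
connections {
    gre-to-siteb {
        version = 2                  # IKEv2 only: stable rekeying, NAT handling, MOBIKE
        local_addrs  = 198.51.100.10 # site A endpoint (placeholder)
        remote_addrs = 203.0.113.20  # site B endpoint (placeholder)
        proposals = aes256gcm16-prfsha384-x25519
        local {
            auth = psk
            id = sitea@example.net
        }
        remote {
            auth = psk
            id = siteb@example.net
        }
        # IKE SA liveness and rekeying: DPD probe every 30s, IKE SA rekeyed every 4h
        dpd_delay  = 30s
        rekey_time = 4h
        mobike = yes                 # keep the SA alive across endpoint address changes
        encap  = yes                 # always UDP-encapsulate ESP (NAT-T), even without detected NAT
        children {
            gre {
                # Route-based design: only GRE (IP protocol 47) between the two
                # endpoints is protected. Routing (static, BGP, OSPF) happens on the
                # gre interface, so adding networks needs no new traffic selectors.
                local_ts  = dynamic[gre]
                remote_ts = dynamic[gre]
                mode = transport     # GRE already encapsulates; avoids a second outer IP header
                esp_proposals = aes256gcm16-x25519
                start_action = start # bring the CHILD_SA up when the daemon starts
                close_action = start # re-establish if the peer closes it
                dpd_action   = restart # on DPD timeout, restart instead of leaving GRE black-holed
                # IKEv2 installs the new CHILD_SA before deleting the old one, so the
                # hourly rekey does not interrupt traffic on the tunnel.
                rekey_time   = 1h
            }
        }
    }
}
secrets {
    ike-siteb {
        id-1 = sitea@example.net
        id-2 = siteb@example.net
        secret = "REPLACE-WITH-A-STRONG-PSK"   # placeholder
    }
}
```

The GRE interface itself is created separately (on Linux with `ip tunnel add ... mode gre`); the IPsec policy only encrypts the GRE packets exchanged between the two endpoint addresses.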
Official documentation
- StrongSwan documentation: https://docs.strongswan.org/docs/latest/index.html/
Linked to T2202
