GRE tunnel
From Nasqueron Agora
IPsec solutions
IPsec solutions: Racoon2, Libreswan and Strongswan.
1. Racoon2:
- Advantages
- Lightweight and easy to use with minimal CPU/RAM usage, compared to other solutions.
- Native on FreeBSD.
- Simple configuration for point-to-point.
- Disadvantages
- Project not actively maintained, last update was in 2020.
- Limited support for modern features (IKEv2, NAT traversal): configuration is possible but may be more complex than with other solutions.
- Apple clients can have difficulty connecting because of the limitations of the PF_KEYv2 interface to the Linux kernel that Racoon2 uses.
- Harder to configure for complex setups.
Operational risk:
Due to the lack of maintenance, Racoon2 presents:
- Security patch uncertainty
- Limited future protocol support
- Risk for long term deployments
2. Libreswan:
- Libreswan official website
- Forked from the original FreeS/WAN project.
- Advantages
- Actively maintained and stable on older hardware
- IRC community.
- Supports NAT traversal, IKEv2 and enterprise VPN.
- Disadvantages
- Less native support on FreeBSD.
- Heavier on resource usage.
- Might need kernel patches.
Suitable for:
- Stable and conservative deployments
- Compatibility with older systems
- Administrators familiar with FreeS/WAN style configuration
3. Strongswan:
- Strongswan official website
- Originally derived from FreeS/WAN but largely reimplemented.
- Advantages
- Actively maintained with an active community on IRC.
- Full support for IKEv2, EAP, PKI and Mobike
- Well documented with community support.
- Native on FreeBSD and Linux.
- Disadvantages
- More complex to configure.
- Slightly heavier on resources.
Suitable for:
- Long term infrastructure.
- Modern cryptographic standards.
- Full support of multiple protocols: IKEv2, EAP, PKI, MOBIKE.
- Large or scalable deployments.
- Mixed FreeBSD/Linux environments.
- Summary:
- Racoon2: easier to configure for basic setups, but it is a deprecated project.
- Libreswan: stable and maintained, but less native on FreeBSD and might need kernel patches.
- Strongswan: most complete solution, with good documentation and community support and more protocols than the other solutions, but it may be more complex to configure and is heavier than the other solutions.
| Criteria | Racoon2 | Libreswan | StrongSwan |
|---|---|---|---|
| Project status | ❌ Not maintained | ✅ Active | ✅ Active |
| IKEv2 support | ⚠ Limited | ✅ Full | ✅ Full |
| NAT-T support | ⚠ Limited | ✅ Yes | ✅ Yes |
| FreeBSD integration | ✅ Native | ⚠ Partial | ✅ Native |
| Linux integration | ⚠ PF_KEY | ✅ XFRM | ✅ XFRM/VTI |
Technical considerations for GRE over IPsec
When securing a GRE tunnel, the following features are needed:
IKEv2 stability: Required for:
- Reliable rekeying
- Better NAT handling
- Long term compatibility
Route-based VPN support: Important when:
- Using GRE with dynamic routing (BGP/OSPF).
- Managing multiple tunnels.
- Automating configuration.
NAT traversal (NAT-T):
- Needed if peers are behind NAT.
Rekeying behavior: Implementation must:
- Avoid traffic interruption
- Handle DPD correctly
- Maintain tunnel stability
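As an added example (not configuration from this Agora page or from the Nasqueron infrastructure), the script below prints the Linux GRE interface commands and a strongSwan swanctl.conf that protects the GRE traffic in transport mode, mapping the four requirements above (IKEv2, route-based operation, NAT-T, rekeying/DPD) to concrete swanctl keys. The endpoint addresses, peer identities and the PSK placeholder are assumed values; the FreeBSD side would create the GRE interface with ifconfig instead.

```shell
# Added example, not the Agora page's own configuration. Endpoints, identities
# and the PSK placeholder are constructed values.
LOCAL_IP=${LOCAL_IP:-203.0.113.1}; REMOTE_IP=${REMOTE_IP:-198.51.100.2}
LOCAL_ID=${LOCAL_ID:-hub.example.net}; REMOTE_ID=${REMOTE_ID:-spoke.example.net}
gre_linux_cmds() {   # GRE endpoints = IKE endpoints, so the transport SA matches
    printf 'ip tunnel add gre1 mode gre local %s remote %s ttl 255\n' "$LOCAL_IP" "$REMOTE_IP"
    printf 'ip addr add 10.255.0.1/30 dev gre1\nip link set gre1 up\n'
}
# version = 2 pins IKEv2 (NAT-T and MOBIKE come with it); the selectors cover
# only IP protocol 47 so routing stays on gre1; dpd_* and rekey_time cover DPD
# and rekeying without tearing the tunnel down.
swanctl_conf() {
cat <<EOF
connections {
    gre-peer {
        version = 2
        local_addrs = $LOCAL_IP
        remote_addrs = $REMOTE_IP
        proposals = aes256gcm16-prfsha384-x25519
        dpd_delay = 30s
        local {
            auth = psk
            id = $LOCAL_ID
        }
        remote {
            auth = psk
            id = $REMOTE_ID
        }
        children {
            gre {
                mode = transport
                local_ts = dynamic[gre]
                remote_ts = dynamic[gre]
                esp_proposals = aes256gcm16-x25519
                rekey_time = 1h
                start_action = start
                dpd_action = restart
            }
        }
    }
}
secrets {
    ike-peer {
        id = $REMOTE_ID
        secret = "REPLACE-WITH-A-STRONG-PSK"
    }
}
EOF
}
gre_linux_cmds; swanctl_conf
```

The swanctl.conf output goes under /etc/swanctl/conf.d/ and is loaded with swanctl --load-all; the same file with the addresses and identities swapped serves the peer.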
Official documentation
Linked to T2202
