
пятница, 1 июля 2016 г.

IPSEC ( GRE tunnel) Cisco + Debian 8 racoon

2.2.2.0/24 ####Cisco#### 10.66.66.1/30 <--------> 10.66.66.2/30####Debian8#####3.3.3.0/24
                                       10.0.0.1<---------GRE--------->10.0.0.2

#########################################################
### Cisco ###
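!
! Phase 1 (ISAKMP) policy. There is no 'hash' line, so the IOS default
! (SHA-1) applies; 3DES / SHA-1 / DH group 2 is exactly what the racoon
! proposal on the Debian side offers, so both ends have to move to
! AES / SHA-2 / group 14 or higher together. Lifetime 28800 matches
! racoon's 'lifetime time 28800 sec'.
crypto isakmp policy 5
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
! 'test' is a lab placeholder PSK. Use a long random key and keep it
! identical in racoon's pre-shared-key file on 10.66.66.2 (not shown here).
crypto isakmp key test address 10.66.66.2
!
!
! Phase 2 transform: ESP only, no AH. The 'ahp' entries in the ACLs
! further down therefore never match; they are harmless but unused.
crypto ipsec transform-set tunnel esp-3des esp-sha-hmac
!
! 'set pfs group2' must equal 'pfs_group 2' in racoon's sainfo block.
crypto ipsec profile VPN
 set transform-set tunnel
 set pfs group2
!
!
!
! Stand-in for the 2.2.2.0/24 network behind this router.
interface Loopback1
 ip address 2.2.2.1 255.255.255.0
!
! No 'tunnel mode' line, so this is plain GRE over IP; 'tunnel protection'
! carries the GRE packets inside the IPsec SA built from profile VPN.
interface Tunnel1
 ip address 10.0.0.1 255.255.255.0
 tunnel source 10.66.66.1
 tunnel destination 10.66.66.2
 tunnel protection ipsec profile VPN
!
! Outer (cleartext) link towards the Debian host. ACL 100/101 limit it to
! the tunnel's own control and data traffic in both directions.
interface FastEthernet0/0
 ip address 10.66.66.1 255.255.255.0
 ip access-group 100 in
 ip access-group 101 out
 duplex auto
 speed auto
!
! 3.3.3.0/24 is reached through the tunnel. The Debian side needs the
! reciprocal route for 2.2.2.0/24 via 10.0.0.1, which this page does not show.
ip route 3.3.3.0 255.255.255.0 10.0.0.2
!
!
!
! ACL 100 (inbound on Fa0/0): only GRE, ESP, AH and IKE (UDP/500) from the
! peer address. The 'eq isakmp' entry and the ACL 101 entries were missing a
! space before 'eq' / 'host' and would not parse as written; fixed here.
! If NAT traversal is ever introduced between the peers, UDP/4500 would
! also have to be permitted.
access-list 100 permit gre host 10.66.66.2 host 10.66.66.1
access-list 100 permit esp host 10.66.66.2 host 10.66.66.1
access-list 100 permit ahp host 10.66.66.2 host 10.66.66.1
access-list 100 permit udp host 10.66.66.2 host 10.66.66.1 eq isakmp
access-list 100 deny   ip any any
! ACL 101 (outbound on Fa0/0): mirror image of ACL 100.
access-list 101 permit gre host 10.66.66.1 host 10.66.66.2
access-list 101 permit esp host 10.66.66.1 host 10.66.66.2
access-list 101 permit ahp host 10.66.66.1 host 10.66.66.2
access-list 101 permit udp host 10.66.66.1 host 10.66.66.2 eq isakmp
access-list 101 deny   ip any any
!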




##############################################
### Debian8 ###

# Bring the GRE tunnel up by hand (the /etc/network/interfaces stanza that
# follows on this page is the persistent form of the same thing). The outer
# addresses are the eth0 pair on the cleartext link; the inner 10.0.0.x
# addresses are what the Cisco route for 3.3.3.0/24 points at.
modprobe gre
# tun1: GRE over IP, Cisco (10.66.66.1) <-> this host (10.66.66.2).
ip tunnel add tun1 mode gre remote 10.66.66.1 local 10.66.66.2
# Point-to-point addressing; 'ip a' later on this page shows the result as
# "inet 10.0.0.2 peer 10.0.0.1/32".
ifconfig tun1 10.0.0.2 pointopoint 10.0.0.1 up

или

auto tun1
iface tun1 inet tunnel
        address 10.0.0.2
        netmask 255.255.255.252
        dstaddr 10.0.0.1
        local 10.66.66.2
        endpoint 10.66.66.1
        mode gre


root@debian:/home/tuhvatov# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:a6:d5:e4 brd ff:ff:ff:ff:ff:ff
    inet 10.66.66.2/24 brd 10.66.66.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fea6:d5e4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 08:00:27:6c:0e:82 brd ff:ff:ff:ff:ff:ff
    inet 192.168.205.230/23 brd 192.168.205.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet 3.3.3.1/24 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::a00:27ff:fe6c:e82/64 scope link
       valid_lft forever preferred_lft forever
4: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default
    link/gre 0.0.0.0 brd 0.0.0.0
5: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: tun1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN group default
    link/gre 10.66.66.2 peer 10.66.66.1
    inet 10.0.0.2 peer 10.0.0.1/32 scope global tun1
       valid_lft forever preferred_lft forever
    inet6 fe80::5efe:a42:4202/64 scope link
       valid_lft forever preferred_lft forever


/etc/racoon/racoon.conf
# Phase 1 (IKE) settings towards the Cisco peer. They mirror the Cisco
# 'crypto isakmp policy 5' on this page: 3DES, SHA-1, pre-shared key,
# DH group 2, 28800 s lifetime.
remote 10.66.66.1 {
        # NOTE(review): the Cisco side keys the PSK by address and presumably
        # negotiates in main mode, so accepting aggressive mode here is not
        # needed; 'exchange_mode main;' alone avoids the well-known exposure
        # of PSK-derived identity hashes that aggressive mode brings.
        exchange_mode main,aggressive;
        lifetime time 28800 sec;
        proposal {
                # 3DES / SHA-1 / group 2 are legacy-strength; change them
                # together with the Cisco isakmp policy, never on one end only.
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}
# Phase 2 (IPsec SA) selectors: only protocol 47 (GRE) between the two outer
# addresses is protected, matching the spdadd entries in /etc/ipsec-tools.conf.
# pfs_group 2 matches 'set pfs group2' in the Cisco ipsec profile.
sainfo address 10.66.66.2/32 47 address 10.66.66.1/32 47 {
        pfs_group 2;
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        # IPComp offer; the Cisco transform-set on this page negotiates ESP
        # only, so deflate is presumably never agreed on — confirm if needed.
        compression_algorithm deflate ;
}

/etc/ipsec-tools.conf

flush;

spdflush;

spdadd 10.66.66.2/32 10.66.66.1/32 47 -P out ipsec

           esp/tunnel/10.66.66.2-10.66.66.1/require;



spdadd 10.66.66.1/32 10.66.66.2/32 47 -P in ipsec

           esp/tunnel/10.66.66.1-10.66.66.2/require;

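# Host firewall for the Debian tunnel endpoint: default-deny inbound and
# forwarded traffic, accept everything that arrives through the
# IPsec-protected GRE tunnel, and on eth0 accept only the tunnel's own
# control and data traffic from the Cisco peer.
iptables -P INPUT     DROP
iptables -P FORWARD   DROP
iptables -P OUTPUT    ACCEPT

# Loopback and reply traffic. Without these two rules the host cannot talk
# to itself and never sees answers to connections it opens (DNS, apt, ...):
# OUTPUT is ACCEPT, but the replies come back through INPUT and hit DROP.
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Anything that came in through the tunnel interface.
iptables -t filter -A INPUT -i tun1 -j ACCEPT

# Cleartext side (eth0), peer-locked. The gre rule is also what admits the
# GRE packet after ESP decapsulation, when it re-enters INPUT; GRE that was
# never encrypted is expected to be refused by the 'require' SPD policy in
# /etc/ipsec-tools.conf rather than by this chain.
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p gre -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p esp -j ACCEPT
iptables -t filter -A INPUT -s 10.66.66.1/32 -d 10.66.66.2/32 -i eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT

# NOTE(review): nothing here admits management traffic on eth1
# (192.168.205.230 in the 'ip a' output above); add such a rule before
# applying this on a host you reach over the network. FORWARD stays DROP,
# so hosts in 3.3.3.0/24 other than this box itself are not routed through
# the tunnel unless FORWARD rules are added.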

https://www.altlinux.org/VPN_c_%D0%B4%D0%B8%D0%BD%D0%B0%D0%BC%D0%B8%D1%87%D0%B5%D1%81%D0%BA%D0%BE%D0%B9_%D0%BC%D0%B0%D1%80%D1%88%D1%80%D1%83%D1%82%D0%B8%D0%B7%D0%B0%D1%86%D0%B8%D0%B5%D0%B9_(GRE_Racoon_OSPF)

http://www.rhd.ru/docs/manuals/enterprise/RHEL-4-Manual/security-guide/s1-ipsec-host2host.html

четверг, 22 сентября 2011 г.

ipsec+gre+tunnel+ospf

###############  R1 ################

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key TUN1_adasdsdgdjhgjdhfjdhj address 11.11.11.11
crypto isakmp key TUN2_adasdsdgdjhgjdhfjdhj address 22.22.22.22
!
!
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
crypto ipsec profile TUN-AES256
 set transform-set AES256-MD5
!
!
!
!
!
!
interface Tunnel1
 ip address 10.0.1.1 255.255.255.252
 tunnel source 1.1.1.1
 tunnel destination 11.11.11.11
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
interface Tunnel2
 ip address 10.0.2.1 255.255.255.252
 tunnel source 2.2.2.2
 tunnel destination 22.22.22.22
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface GigabitEthernet1/0
 ip address 1.1.1.1 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 2.2.2.2 255.255.255.0
 negotiation auto
!
interface FastEthernet3/0
 ip address 10.2.200.5 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet3/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 network 10.0.0.0 0.0.255.255 area 0
 network 10.2.200.4 0.0.0.3 area 0
!
ip route 11.11.11.11 255.255.255.255 GigabitEthernet1/0
ip route 22.22.22.22 255.255.255.255 GigabitEthernet2/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end

###############  R2 ################

!


!
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr aes 256
 hash md5
 authentication pre-share
 group 2
crypto isakmp key TUN1_adasdsdgdjhgjdhfjdhj address 1.1.1.1
crypto isakmp key TUN2_adasdsdgdjhgjdhfjdhj address 2.2.2.2
!
!
crypto ipsec transform-set AES256-MD5 esp-aes 256 esp-md5-hmac
!
crypto ipsec profile TUN-AES256
 set transform-set AES256-MD5
!
!
!
!
!
!
interface Tunnel1
 ip address 10.0.1.2 255.255.255.252
 tunnel source 11.11.11.11
 tunnel destination 1.1.1.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
interface Tunnel2
 ip address 10.0.2.2 255.255.255.252
 tunnel source 22.22.22.22
 tunnel destination 2.2.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile TUN-AES256
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface GigabitEthernet1/0
 ip address 11.11.11.11 255.255.255.0
 negotiation auto
 crypto map TO_MEGAFON
!
interface GigabitEthernet2/0
 ip address 22.22.22.22 255.255.255.0
 negotiation auto
 crypto map TO_MEGAFON
!
interface FastEthernet3/0
 ip address 1.1.36.2 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet3/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
router ospf 10
 log-adjacency-changes
 redistribute static
 network 10.0.0.0 0.0.255.255 area 0
!
ip route 1.1.1.1 255.255.255.255 GigabitEthernet1/0
ip route 2.2.2.2 255.255.255.255 GigabitEthernet2/0
ip route 192.168.4.0 255.255.255.0 FastEthernet3/0
no ip http server
no ip http secure-server
!
!
!
ip access-list extended SECURED-TUN_1
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end


###############  R3 ################

!


!

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface GigabitEthernet1/0
 ip address 1.1.1.2 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 11.11.11.12 255.255.255.0
 negotiation auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end
 
###############  R4 ################

!



!

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R4
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface GigabitEthernet1/0
 ip address 22.22.22.23 255.255.255.0
 negotiation auto
!
interface GigabitEthernet2/0
 ip address 2.2.2.3 255.255.255.0
 negotiation auto
!
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end


###############  R6 ################

!


!

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 2.2.2.1 255.255.255.252
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 login
!
!
end
 
###############  R7 ################     

!


!

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R7
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 1.1.36.1 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 ip address 192.168.4.1 255.255.255.0
 duplex auto
 speed auto
!
ip route 10.2.200.4 255.255.255.252 FastEthernet1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login
!
!
end
 
###############  R10 ################    

!


!

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet1/0
 ip address 192.168.4.21 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet1/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
no ip http server
no ip http secure-server
!
!
!
logging alarm informational
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
line vty 0 4
!
!
end