
Conclusion

We have looked at a basic GRE over IPsec setup with split tunnelling enabled; what remains is how selected traffic can get out to the public Internet through the HQ. That takes a few steps on the HQ Linux box (forwarding, filtering, NAT) and a few on the branch MikroTik (marking and FastTrack bypass).

  • Turning on IPv4 forwarding on the HQ box (the setting in /etc/sysctl.conf survives reboots; sysctl -p applies it now)
nano -w /etc/sysctl.conf
net.ipv4.ip_forward=1
sysctl -p
  • Defining filtering and translation rules. The variables are placeholders: $ipt is the path to iptables, $iface the HQ public interface, $gre_iface the HQ end of the tunnel (the values below are assumptions, adjust them). The FORWARD rules only restrict anything if the chain's default policy is DROP.
ipt=/sbin/iptables
iface=eth0
gre_iface=gre1

# Stateful rules: replies and related flows pass in both directions
$ipt -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

#
# FORWARD
#

# GRE FWD: new connections arriving from the tunnel may be forwarded
$ipt -A FORWARD -i $gre_iface -m conntrack --ctstate NEW -j ACCEPT

#
# NAT
#

# OB MASQUERADE: hide the branch tunnel address behind the HQ public IP;
# "! -p 47" keeps the GRE transport packets themselves out of the NAT rule
remote_peer_tu="10.254.254.253"
$ipt -t nat -A POSTROUTING -o $iface ! -p 47 -s $remote_peer_tu -j MASQUERADE
  • Checking the rules and their packet/byte counters (a rule that never counts is a rule that never matches)
iptables -nvL
iptables -nvL -t nat
  • Tagging the traffic destined for the tunnel on the branch MikroTik (IP >> Firewall >> Mangle). As an example we use the FQDN null.somedomain.name and set two marks: the first is a routing mark so the traffic is looked up in the GRE routing table, the second is used to bypass FastTrack, because FastTracked connections skip the mangle rules and would never get the routing mark.

gre-tag-3.png

gre-tag-2.png

gre-tag-4.png

  • Turning on the FastTrack bypass: the FastTrack rule must exclude connections carrying the second mark, so that they keep going through mangle and routing

ft-bp-1.png

ft-bp-2.png

  • Tracing from a branch client. A destination outside the tagged set (8.8.8.8) leaves through the branch's own uplink: hop 2 is already a public address. The tagged FQDN instead goes to the HQ end of the tunnel, 10.254.254.254, and only from there out to the Internet.
tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.10.10.10
  2     7 ms     2 ms    11 ms  58.162.26.204
  3     1 ms     1 ms     1 ms  203.50.60.72
  4     2 ms     2 ms     3 ms  203.50.61.144
  5     2 ms     2 ms     1 ms  203.50.11.195
  6     3 ms     2 ms     2 ms  142.250.162.28
  7     2 ms     2 ms     2 ms  142.250.234.217
  8     3 ms     3 ms     2 ms  216.239.59.109
  9     2 ms     2 ms     1 ms  8.8.8.8

Trace complete.
tracert -d null.somedomain.name

Tracing route to null.somedomain.name [45.32.236.11]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  10.10.10.10
  2     2 ms     2 ms     2 ms  10.254.254.254
  3     *        *        *     Request timed out.
  4     2 ms     2 ms     2 ms  100.100.200.1
  5    11 ms    10 ms    31 ms  10.91.0.1
  6     2 ms     2 ms     2 ms  10.91.0.17
  7     2 ms     2 ms     2 ms  10.91.0.1
  8    80 ms     9 ms     7 ms  67.199.141.33
  9   244 ms   244 ms   244 ms  141.136.106.174
 10     *        *        *     Request timed out.
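As an added example, not code from the original post: the HQ-side steps above (IPv4 forwarding, FORWARD filtering, outbound MASQUERADE, checking) assembled into one idempotent POSIX shell script of my own. The iptables path (/sbin/iptables), the interface names (eth0, gre1) and the chain name GRE_FWD are assumptions to adjust; the branch tunnel address 10.254.254.253 is the one used on the page. Two things deliberately differ from the bare rules above: the FORWARD policy is set to DROP, without which the ACCEPT rules permit nothing that was not already permitted, and connections originating from the tunnel are accepted only towards the WAN interface, so branch clients cannot reach HQ LAN hosts unless you add a rule for them.

```shell
#!/bin/sh
# Added example, not from the original post: HQ-side forwarding, filter and
# NAT for the GRE tunnel as one idempotent script.
# Placeholders (assumptions, adjust for your box):
#   IPT            path to iptables            (assumed /sbin/iptables)
#   WAN_IFACE      HQ public-facing interface  (assumed eth0)
#   GRE_IFACE      HQ end of the GRE tunnel    (assumed gre1)
#   REMOTE_PEER_TU branch end of the tunnel    (10.254.254.253, as on the page)
#   CHAIN          dedicated filter chain      (assumed GRE_FWD) so that
#                  re-running the script only touches its own rules
set -eu

ipt="${IPT:-/sbin/iptables}"
iface="${WAN_IFACE:-eth0}"
gre_iface="${GRE_IFACE:-gre1}"
remote_peer_tu="${REMOTE_PEER_TU:-10.254.254.253}"
chain="${CHAIN:-GRE_FWD}"

# Filter rule specs for the dedicated chain, one per line, printed rather
# than executed so they can be reviewed (or diffed against iptables-save).
# Tunnel-originated connections may only leave via the WAN interface; add a
# rule with "-o <lan-iface>" if the tunnel should also reach the HQ LAN.
hq_rules() {
    cat <<EOF
-A $chain -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A $chain -m conntrack --ctstate INVALID -j DROP
-A $chain -i $gre_iface -o $iface -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Source NAT for traffic that arrived over the tunnel; "! -p 47" keeps the
# GRE transport packets themselves out of the masquerade.
nat_rule() {
    printf '%s\n' "-o $iface ! -p 47 -s $remote_peer_tu -j MASQUERADE"
}

apply_rules() {
    # Forwarding: now, and across reboots.
    printf 'net.ipv4.ip_forward=1\n' > /etc/sysctl.d/99-gre-forward.conf
    sysctl -w net.ipv4.ip_forward=1 >/dev/null

    # Create the chain on first run, flush it on later runs, then refill it.
    $ipt -N "$chain" 2>/dev/null || $ipt -F "$chain"
    hq_rules | while read -r spec; do
        $ipt $spec          # word splitting of the spec is intended
    done

    # Hook the chain into FORWARD exactly once and make the policy DROP:
    # without a DROP policy the ACCEPT rules above restrict nothing.
    $ipt -C FORWARD -j "$chain" 2>/dev/null || $ipt -I FORWARD 1 -j "$chain"
    $ipt -P FORWARD DROP

    # Masquerade rule, appended only if it is not already present.
    $ipt -t nat -C POSTROUTING $(nat_rule) 2>/dev/null \
        || $ipt -t nat -A POSTROUTING $(nat_rule)
}

# The same checks as on the page, scoped to what this script manages.
show_state() {
    sysctl net.ipv4.ip_forward
    $ipt -nvL "$chain"
    $ipt -t nat -nvL POSTROUTING
}

case "${1:-show}" in
    show)  hq_rules; nat_rule ;;        # dry run: print what would be applied
    apply) apply_rules; show_state ;;   # needs root on the HQ box
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

Run it without arguments first to see the exact rules it would add, then `apply` as root. Because the rules live in their own chain and every command is either a create-or-flush or a check-then-add, the script can be re-run after edits without accumulating duplicate rules.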