GRE over IPsec

Example

      +----------+                                    +----------+
      |          |                                    |          |
  eth0|          |eth1                            eth0|          |eth1
 -----+ router-A +----------- INTERNET ---------------+ router-B +-----
      |          |                                    |          |
      |          |                                    |          |
      +----+-----+                                    +----+-----+
           |                                               |
           |lo0                                            |lo0

router-A
========
/* router-A. The GRE tunnel tun0 runs between the two loopback addresses
   (9.0.0.1 <-> 11.0.0.1). The IPsec tunnel further down selects traffic
   between 9.0.0.0/24 and 11.0.0.0/24, so the GRE packets, and the OSPF
   traffic carried inside them, match the IPsec policy. */
interfaces {
    ethernet eth0 {
        address "172.16.117.128/24"
        hw-id: 00:0c:29:b0:1d:bb
    }
    ethernet eth1 {
        address "192.168.249.128/24"
        hw-id: 00:0c:29:b0:1d:d9
    }
    loopback lo {
        address "9.0.0.1/24"
    }
    /* GRE adds no confidentiality or integrity of its own. Protection of this
       tunnel depends entirely on the IPsec selectors covering local-ip and
       remote-ip below; if they stop matching, GRE would presumably leave
       unprotected - confirm against the platform's behaviour. */
    tunnel tun0 {
        address "7.0.0.1/24"
        encapsulation: "gre"
        local-ip: 9.0.0.1
        remote-ip: 11.0.0.1
    }
}
protocols {
    /* OSPF runs on the eth0 LAN and on the tunnel network 7.0.0.0/24.
       No OSPF authentication is configured in this example. */
    ospf {
        area 0 {
            network 172.16.117.0/24
            network 7.0.0.0/24
        }
        log-adjacency-changes {
        }
        parameters {
            router-id: 9.0.0.1
        }
        /* NOTE(review): this presumably also advertises the eth1 and loopback
           networks across the tunnel - confirm that the route to the GRE
           endpoint is not learned through the tunnel itself. */
        redistribute {
            connected {
            }
        }
    }
    /* Static route toward the network that holds the IPsec peer 172.16.139.160. */
    static {
        route 172.16.139.0/24 {
            next-hop 192.168.249.150 {
            }
        }
    }
}
vpn {
    ipsec {
        /* Both proposals are empty: no cipher, hash or lifetime is stated here,
           so platform defaults presumably apply. Confirm what they are and set
           the algorithms explicitly on both routers before production use. */
        esp-group foo {
            proposal 1 {
            }
        }
        ike-group foo {
            proposal 1 {
            }
        }
        /* eth1 is the INTERNET-facing interface in the diagram. */
        ipsec-interfaces {
            interface "eth1"
        }
        logging {
            facility: daemon
            level: info
        }
        site-to-site {
            peer 172.16.139.160 {
                /* Sample secret only. Replace it with a long random value unique
                   to this peer pair, or use key/certificate authentication where
                   the release supports it. The secret is stored in clear text in
                   this configuration: restrict access to the file and scrub it
                   before sharing the config. */
                authentication {
                    pre-shared-secret: "testing123"
                }
                ike-group: "foo"
                local-ip: 192.168.249.128
                /* The selectors are the two loopback subnets, i.e. the GRE endpoints. */
                tunnel 1 {
                    esp-group: "foo"
                    local-subnet: 9.0.0.0/24
                    remote-subnet: 11.0.0.0/24
                }
            }
        }
    }
}

router-B
========
/* router-B. Mirror of router-A: the GRE tunnel tun0 runs between the loopback
   addresses (11.0.0.1 <-> 9.0.0.1), and the IPsec tunnel further down selects
   traffic between 11.0.0.0/24 and 9.0.0.0/24, so the GRE packets match the
   IPsec policy. */
interfaces {
    ethernet eth0 {
        address "172.16.139.160/24"
        hw-id: 00:0c:29:df:17:97
    }
    ethernet eth1 {
        address "192.168.74.160/24"
        hw-id: 00:0c:29:df:17:a1
    }
    loopback lo {
        address "11.0.0.1/24"
    }
    /* GRE adds no confidentiality or integrity of its own. Protection of this
       tunnel depends entirely on the IPsec selectors covering local-ip and
       remote-ip below. */
    tunnel tun0 {
        address "7.0.0.2/24"
        encapsulation: "gre"
        local-ip: 11.0.0.1
        remote-ip: 9.0.0.1
    }
}
protocols {
    /* OSPF runs on the eth1 LAN and on the tunnel network 7.0.0.0/24.
       No OSPF authentication is configured in this example. */
    ospf {
        area 0 {
            network 192.168.74.0/24
            network 7.0.0.0/24
        }
        log-adjacency-changes {
        }
        parameters {
            router-id: 11.0.0.1
        }
        /* NOTE(review): this presumably also advertises the eth0 and loopback
           networks across the tunnel - confirm that the route to the GRE
           endpoint is not learned through the tunnel itself. */
        redistribute {
            connected {
            }
        }
    }
    /* Static route toward the network that holds the IPsec peer 192.168.249.128. */
    static {
        route 192.168.249.0/24 {
            next-hop 172.16.139.150 {
            }
        }
    }
}
vpn {
    ipsec {
        /* Both proposals are empty: no cipher, hash or lifetime is stated here,
           so platform defaults presumably apply. Confirm what they are and set
           the algorithms explicitly, identically on both routers. */
        esp-group foo {
            proposal 1 {
            }
        }
        ike-group foo {
            proposal 1 {
            }
        }
        /* eth0 is the INTERNET-facing interface in the diagram. Unlike router-A,
           this router has no logging block under ipsec; add one if IKE and IPsec
           events should be recorded on this end as well. */
        ipsec-interfaces {
            interface "eth0"
        }
        site-to-site {
            peer 192.168.249.128 {
                /* Sample secret only; it must match the value on the peer. Replace
                   it with a long random value unique to this peer pair, or use
                   key/certificate authentication where the release supports it.
                   The secret is stored in clear text in this configuration:
                   restrict access to the file and scrub it before sharing. */
                authentication {
                    pre-shared-secret: "testing123"
                }
                ike-group: "foo"
                local-ip: 172.16.139.160
                /* The selectors are the two loopback subnets, i.e. the GRE endpoints. */
                tunnel 1 {
                    esp-group: "foo"
                    local-subnet: 11.0.0.0/24
                    remote-subnet: 9.0.0.0/24
                }
            }
        }
    }
}