Generic Routing Encapsulation (GRE) Tunnel
The word generic has significant consequences; the relevant and ancillary RFCs are RFC 2784, RFC 1701, RFC 1702, RFC 2890, and RFC 3147. According to RFC 2784, GRE specifies "a protocol for encapsulation of an arbitrary network layer protocol over another arbitrary network layer protocol." In the general case, the payload packet is first encapsulated in a GRE packet, which is then encapsulated in an arbitrary delivery (transport) network layer protocol for regular forwarding. Cisco IOS architecture provides a tunnel identification key (the RFC 2890 Key field) that offers some weak protection against malicious packet injection: the key travels in clear text in the GRE header, so anyone able to observe the transport path can read it and forge packets that carry it. Treat it as a guard against misconfiguration and tunnel cross-talk, not as authentication. GRE rides directly on IP as protocol number 47 and has no ports, so configure your packet filters and firewalls accordingly. Table 11-2 lists an overview of the special tunnel-related interfaces on BSD platforms. As you will see, this works differently on Linux (tunl0/TUNNEL, gre0/GRE).
Table 11-2. Tunnel-Related Interfaces on BSD Platforms

Interface | OpenBSD | FreeBSD | Description
---|---|---|---
tun | X | X | Tunnel network interface (also used by gre-tun)
enc | X | | IPsec encapsulating interface
gre | X | | GRE/Mobile-IP encapsulation interface
gif | X | X | Generic IPv4/IPv6 tunnel interface
faith | X | X | IPv6-to-IPv4 TCP relay (translation) interface
stf | | X | 6to4 over IPv4 encapsulation
Lab 11-3: GRE Tunnel OpenBSD-to-Cisco
Example 11-5 demonstrates the GRE tunnel setup without special features. Remember that tunnel mode gre ip is the default tunnel mode in Cisco IOS architecture, which is why it does not appear in the running configuration.
Example 11-5. GRE Tunnel OpenBSD-to-Cisco IOS Architecture
```
[root@europa:~#] ifconfig gre0 tunnel 192.168.14.3 192.168.14.254 up
[root@europa:~#] ifconfig gre0 10.2.2.1 10.2.2.2 netmask 255.255.255.252 up
[root@europa:~#] route add -host 10.0.0.1 10.2.2.2

scar# show running-config
...
interface Tunnel0
 ip address 10.2.2.2 255.255.255.252
 tunnel source Ethernet1
 tunnel destination 192.168.14.3
!
ip route 10.0.0.2 255.255.255.255 Tunnel0
...
```
Lab 11-4: GRE Tunnel Linux-to-FreeBSD (Featuring gre-tun)
This lab uses the gre-tun package from http://mike.spottydogs.org/projects/gre-tun/ to show an alternative GRE setup for FreeBSD. Example 11-6 presents the Linux tunnel endpoint, and Example 11-7 shows the gre-tun configuration at the FreeBSD endpoint. Note the default Linux MTU of 1476 bytes on the GRE interface in Example 11-6: the 1500-byte Ethernet MTU minus the 20-byte outer IPv4 header and the 4-byte basic GRE header.
Example 11-6. Linux GRE Configuration
```
[root@callisto:~#] insmod ip_gre
[root@callisto:~#] iptunnel add GRE mode gre remote 192.168.2.7 local 192.168.1.1 ttl 255
[root@callisto:~#] ifconfig GRE 10.1.1.1 netmask 255.255.255.252 pointopoint 10.1.1.2
[root@callisto:~#] route add -net 192.168.7.0/24 gw 192.168.1.254 dev GRE
[root@callisto:~#] ifconfig -a
GRE       Link encap:UNSPEC  HWaddr C0-A8-01-01-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
```
Example 11-7. FreeBSD gre-tun Configuration
```
[root@castor:~#] gre-tun --tunnel /dev/tun0 --local 192.168.2.7 --remote 192.168.1.1 \
    --source 10.1.1.2 --destination 10.1.1.1 --netmask 255.255.255.252
[root@castor:~#] route add -net 192.168.14.0/24 10.1.1.1
```
Lab 11-5: Linux-to-Cisco GRE Tunnel
Finally, look at a Linux-to-Cisco combination (Example 11-8). By default, Linux GRE inherits the TTL of the carrier (outer) packet from the payload packet, shown as ttl inherit in the iptunnel show output. Cisco IOS architecture is picky about this, hence the explicit ttl 255 parameter in the iptunnel add command.
Example 11-8. Linux-to-Cisco GRE Tunnel Setup
```
[root@callisto:~#] insmod ip_gre
[root@callisto:~#] iptunnel add GRE mode gre remote 192.168.14.254 local 192.168.14.1 ttl 255
[root@callisto:~#] ifconfig GRE 10.2.2.1 netmask 255.255.255.252 pointopoint 10.2.2.2
[root@callisto:~#] route add -host 10.0.0.1 dev GRE
[root@callisto:~#] ifconfig -a
GRE       Link encap:UNSPEC  HWaddr C0-A8-0E-01-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.2.1  P-t-P:10.2.2.2  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:49 errors:0 dropped:0 overruns:0 frame:0
          TX packets:106 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4836 (4.7 Kb)  TX bytes:16229 (15.8 Kb)

eth0      Link encap:Ethernet  HWaddr 00:10:5A:D7:93:60
          inet addr:192.168.14.1  Bcast:192.168.14.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2639 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2614 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:257278 (251.2 Kb)  TX bytes:185819 (181.4 Kb)
          Interrupt:5 Base address:0xd800

eth1      Link encap:Ethernet  HWaddr 52:54:05:E3:51:87
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:10419 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6349 errors:0 dropped:0 overruns:0 carrier:0
          collisions:137 txqueuelen:100
          RX bytes:2674761 (2.5 Mb)  TX bytes:612601 (598.2 Kb)
          Interrupt:9 Base address:0xd400

eth1:1    Link encap:Ethernet  HWaddr 52:54:05:E3:51:87
          inet addr:192.168.45.253  Bcast:192.168.45.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0xd400

gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:72 errors:0 dropped:0 overruns:0 frame:0
          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:5416 (5.2 Kb)  TX bytes:5416 (5.2 Kb)

[root@callisto:~#] iptunnel show
gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
GRE: gre/ip  remote 192.168.14.254  local 192.168.14.1  ttl 255

[root@callisto:~#] netstat -i
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg
GRE    1476   0      56      0      0      0     113      0      0      0 OPRU
eth0   1500   0    2717      0      0      0    2652      0      0      0 BMRU
eth1   1500   0   10856      0      0      0    6767      0      0      0 BMRU
eth1:  1500   0     - no statistics available -                            BMRU
lo    16436   0      72      0      0      0      72      0      0      0 LRU

[root@callisto:~#] ip -s tunnel
gre0: gre/ip  remote any  local any  ttl 255
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            0      0        0        0
GRE: gre/ip  remote 192.168.14.254  local 192.168.14.1  ttl 255
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    56         5424         0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    115        17511        0      0        0        0

[root@callisto:~#] netstat -rne
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 GRE
10.2.2.0        0.0.0.0         255.255.255.252 U     0      0        0 GRE
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
192.168.14.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.45.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1

scar# show running-config
...
interface Tunnel0
 ip address 10.2.2.2 255.255.255.252
 tunnel source Ethernet1
 tunnel destination 192.168.14.1
!
ip route 192.168.45.0 255.255.255.0 Tunnel0
...

scar# show interfaces tunnel 0
Tunnel0 is up, line protocol is up
  Hardware is Tunnel
  Internet address is 10.2.2.2/30
  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation TUNNEL, loopback not set
  Keepalive not set
  Tunnel source 192.168.14.254 (Ethernet1), destination 192.168.14.1
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
  Checksumming of packets disabled, fast tunneling enabled
  Last input 00:01:35, output 00:37:36, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3
  Queueing strategy: fifo
  Output queue :0/0 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     101 packets input, 13185 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     47 packets output, 7204 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 output buffer failures, 0 output buffers swapped out

scar# show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 192.168.14.1 to network 0.0.0.0

C    192.168.14.0/24 is directly connected, Ethernet1
S    192.168.45.0/24 is directly connected, Tunnel0
     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks
S       10.0.0.2/32 is directly connected, Tunnel0
C       10.2.2.0/30 is directly connected, Tunnel0
C       10.0.1.0/24 is directly connected, TokenRing0
C       10.0.0.1/32 is directly connected, Loopback0
S*   0.0.0.0/0 [1/0] via 192.168.14.1

scar# debug tunnel
Tunnel Interface debugging is on
scar# terminal monitor
scar# ping 192.168.45.253

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.45.253, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
scar#
01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)
01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)
01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)
01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)
01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)
```
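The three labs rely on a handful of rules that are easy to get wrong by hand: the outer addresses of the two endpoints must mirror each other, the inner addresses must share one /30, the Linux side should set an explicit TTL toward IOS, and the tunnel MTU should be the link MTU minus 24 bytes. As an added example (not the book's code), the following Python cross-checks those rules from the output both endpoints print. The sample output is abridged from the Lab 11-5 listing above (iptunnel show, the ifconfig block of the GRE interface and show interfaces tunnel 0); the parser and check names and the rule set are this example's own.

```python
"""
Added example, not from the book: cross-check the Linux and Cisco IOS ends of a
GRE tunnel by parsing the output each side prints. It encodes the rules the labs
rely on; parser and check names are this example's own.
"""
import ipaddress
import re

# Sample output, abridged from Example 11-8 (Lab 11-5).
LINUX_IPTUNNEL_SHOW = """\
gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc
GRE: gre/ip  remote 192.168.14.254  local 192.168.14.1  ttl 255
"""
LINUX_IFCONFIG_GRE = """\
GRE       Link encap:UNSPEC  HWaddr C0-A8-0E-01-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.2.2.1  P-t-P:10.2.2.2  Mask:255.255.255.252
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
"""
IOS_SHOW_TUNNEL = """\
Tunnel0 is up, line protocol is up
  Internet address is 10.2.2.2/30
  Tunnel source 192.168.14.254 (Ethernet1), destination 192.168.14.1
  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled
"""


def parse_iptunnel_show(text):
    """Map tunnel name -> outer endpoints and TTL from `iptunnel show` output."""
    pat = re.compile(r"^(\S+):\s+gre/ip\s+remote\s+(\S+)\s+local\s+(\S+)\s+ttl\s+(\S+)", re.M)
    return {m[1]: {"remote": m[2], "local": m[3], "ttl": m[4]} for m in pat.finditer(text)}


def parse_ifconfig_ptp(text):
    """Inner address, peer, mask and MTU of a point-to-point interface from ifconfig."""
    m = re.search(r"inet addr:(\S+)\s+P-t-P:(\S+)\s+Mask:(\S+).*?MTU:(\d+)", text, re.S)
    return {"addr": m[1], "peer": m[2], "mask": m[3], "mtu": int(m[4])}


def parse_ios_show_tunnel(text):
    """Outer/inner addressing and GRE key state from `show interfaces tunnel N`."""
    src = re.search(r"Tunnel source (\S+) \((\S+)\), destination (\S+)", text)
    addr = re.search(r"Internet address is (\S+)", text)
    key = re.search(r"key (enabled|disabled)", text)
    return {"source": src[1], "source_if": src[2], "destination": src[3],
            "inner": addr[1], "key": key[1] == "enabled"}


def check_pair(lin_tun, lin_if, ios, link_mtu=1500):
    """Return findings as strings; an empty list means both endpoints agree."""
    findings = []
    if lin_tun["remote"] != ios["source"]:
        findings.append(f"outer mismatch: Linux remote {lin_tun['remote']}, IOS source {ios['source']}")
    if lin_tun["local"] != ios["destination"]:
        findings.append(f"outer mismatch: Linux local {lin_tun['local']}, IOS destination {ios['destination']}")
    ios_inner = ipaddress.ip_interface(ios["inner"])
    lin_inner = ipaddress.ip_interface(f"{lin_if['addr']}/{lin_if['mask']}")
    if lin_inner.network != ios_inner.network:
        findings.append(f"inner addresses not in one subnet: {lin_inner} vs {ios_inner}")
    if lin_if["peer"] != str(ios_inner.ip):
        findings.append(f"Linux P-t-P {lin_if['peer']} is not the IOS tunnel address {ios_inner.ip}")
    if lin_tun["ttl"] == "inherit":
        findings.append("Linux ttl inherit: outer TTL is copied from the payload; set ttl explicitly toward IOS")
    if lin_if["mtu"] != link_mtu - 20 - 4:
        findings.append(f"Linux MTU {lin_if['mtu']}, expected {link_mtu - 24} (link MTU - outer IP - GRE)")
    if ios["key"]:
        findings.append("IOS tunnel key enabled: Linux must send the same key or IOS discards its packets")
    return findings


def check_lab_11_5():
    """Run the check against the sample output above."""
    lin = parse_iptunnel_show(LINUX_IPTUNNEL_SHOW)["GRE"]
    return check_pair(lin, parse_ifconfig_ptp(LINUX_IFCONFIG_GRE), parse_ios_show_tunnel(IOS_SHOW_TUNNEL))
```

check_lab_11_5() returns an empty list for the lab as shown. Feeding check_pair() a Linux side whose remote address is not the IOS tunnel source, or one left at ttl inherit, yields one finding per deviation, which is exactly the class of mistake that leaves Tunnel0 "up" on the router while nothing passes.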
Exercise 11-1: GRE Advanced Features
I suggest that you experiment with advanced GRE parameters such as sequencing and keys (the RFC 2890 extensions). Be aware, however, that this might introduce incompatibilities between implementations: both ends must agree on which optional fields are present, and a receiver that expects a key or in-order sequence numbers silently drops packets that do not match.