Tunneling is a way to transform data frames so that they can pass through networks with incompatible address spaces or even incompatible protocols. There are different kinds of tunnels: some process only IPv4 packets and some can carry any type of frame. The Linux kernel supports 3 tunnel types: IPIP (IPv4 in IPv4), GRE (IPv4/IPv6 over IPv4) and SIT (IPv6 over IPv4). Tunnels are managed with the ip program, part of Iproute2:
    $ /sbin/ip tunnel help
    Usage: ip tunnel { add | change | del | show } [ NAME ]
              [ mode { ipip | gre | sit } ] [ remote ADDR ] [ local ADDR ]
              [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]
              [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ dev PHYS_DEV ]

    Where: NAME := STRING
           ADDR := { IP_ADDRESS | any }
           TOS  := { NUMBER | inherit }
           TTL  := { 1..255 | inherit }
           KEY  := { DOTTED_QUAD | NUMBER }
Iproute2 is usually shipped with documentation, of which you need the file ip-tunnels.ps to learn about tunnel management. In Fedora Core 4 it is /usr/share/doc/iproute-2.6.11/ip-tunnels.ps.
The IPIP tunnel is the simplest kind. It has the lowest overhead, but can encapsulate only IPv4 unicast traffic, so you will not be able to set up OSPF, RIP or any other multicast-based protocol. You can set up only one tunnel per unique pair of tunnel endpoints. It can work with FreeBSD and Cisco IOS. The kernel module is 'ipip'. The following example demonstrates configuration of an IPIP tunnel with four IPv4 routes, manually or via /etc/net.
    # modprobe ipip
    # ip tunnel add ipiptun mode ipip local 10.3.3.3 remote 10.4.4.4 ttl 64 dev eth0
    # ip addr add dev ipiptun 10.0.0.1 peer 10.0.0.2/32
    # ip link set dev ipiptun up
    # ip route add 10.4.10.0/24 via 10.0.0.2
    # ip route add 10.4.20.0/24 via 10.0.0.2
    # ip route add 10.4.30.0/24 via 10.0.0.2
    # ip route add 10.4.40.0/24 via 10.0.0.2
    # mkdir /etc/net/ifaces/ipiptun
    # cat > /etc/net/ifaces/ipiptun/options
    TYPE=iptun
    TUNTYPE=ipip
    TUNLOCAL=10.3.3.3
    TUNREMOTE=10.4.4.4
    TUNOPTIONS='ttl 64'
    HOST=eth0
    ^D
    # cat > /etc/net/ifaces/ipiptun/ipv4address
    10.0.0.1 peer 10.0.0.2/32
    ^D
    # cat > /etc/net/ifaces/ipiptun/ipv4route
    10.4.10.0/24 via 10.0.0.2
    10.4.20.0/24 via 10.0.0.2
    10.4.30.0/24 via 10.0.0.2
    10.4.40.0/24 via 10.0.0.2
    ^D
    # ifup ipiptun
GRE tunnels can encapsulate IPv4/IPv6 unicast/multicast traffic, so GRE is the de facto tunnel standard for dynamically routed networks. You can set up as many as 64K tunnels for a unique pair of tunnel endpoints. It can work with FreeBSD and Cisco IOS. The kernel module is 'ip_gre'. The following example demonstrates configuration of a GRE tunnel with two IPv4 routes.
    # modprobe ip_gre
    # ip tunnel add gretun mode gre local 10.5.5.5 remote 10.6.6.6 ttl 64 dev eth0
    # ip addr add dev gretun 10.0.0.3 peer 10.0.0.4/32
    # ip link set dev gretun up
    # ip route add 10.6.10.0/24 via 10.0.0.4
    # ip route add 10.6.20.0/24 via 10.0.0.4
    # mkdir /etc/net/ifaces/gretun
    # cat > /etc/net/ifaces/gretun/options
    TYPE=iptun
    TUNTYPE=gre
    TUNLOCAL=10.5.5.5
    TUNREMOTE=10.6.6.6
    TUNOPTIONS='ttl 64'
    HOST=eth0
    ^D
    # cat > /etc/net/ifaces/gretun/ipv4address
    10.0.0.3 peer 10.0.0.4/32
    ^D
    # cat > /etc/net/ifaces/gretun/ipv4route
    10.6.10.0/24 via 10.0.0.4
    10.6.20.0/24 via 10.0.0.4
    ^D
    # ifup gretun
SIT stands for Simple Internet Transition. Its main purpose is to interconnect isolated IPv6 networks located in the global IPv4 Internet. SIT works like IPIP. It can work with FreeBSD and Cisco IOS. The kernel module is 'ipv6'. Once loaded, the ipv6 module can't be unloaded. You can get your own IPv6 prefix and a SIT tunnel from a tunnel broker. The following example demonstrates configuration of a SIT tunnel with three IPv6 routes.
    # modprobe ipv6
    # ip tunnel add sittun mode sit local 10.7.7.7 remote 10.8.8.8 ttl 64 dev eth0
    # ip addr add dev sittun 2001:0DB8:1234::000e/127
    # ip link set dev sittun up
    # ip -6 route add 2001:0DB8:5678::/48 via 2001:0DB8:1234::000f
    # ip -6 route add 2001:0DB8:5679::/48 via 2001:0DB8:1234::000f
    # ip -6 route add 2001:0DB8:567a::/48 via 2001:0DB8:1234::000f
    # mkdir /etc/net/ifaces/sittun
    # cat > /etc/net/ifaces/sittun/options
    TYPE=iptun
    TUNTYPE=sit
    CONFIG_IPV6=yes
    TUNLOCAL=10.7.7.7
    TUNREMOTE=10.8.8.8
    TUNOPTIONS='ttl 64'
    HOST=eth0
    ^D
    # cat > /etc/net/ifaces/sittun/ipv4address
    2001:0DB8:1234::000e/127
    ^D
    # cat > /etc/net/ifaces/sittun/ipv4route
    2001:0DB8:5678::/48 via 2001:0DB8:1234::000f
    2001:0DB8:5679::/48 via 2001:0DB8:1234::000f
    2001:0DB8:567a::/48 via 2001:0DB8:1234::000f
    ^D
    # ifup sittun
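
Each tunnel above is given twice, once as manual ip commands and once as an /etc/net directory. As an added example (not part of the original page and not etcnet's own code), the shell function below reads a directory in that layout and prints the equivalent manual commands for all three tunnel types, parsing the options file as KEY=VALUE text rather than sourcing it. The function name tunnel_cmds and the temporary sample directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example: print the manual `ip` commands matching an /etc/net-style
# tunnel directory (layout as on this page). Nothing is executed.
tunnel_cmds() {   # hypothetical helper name
    dir=$1; name=$(basename "$dir")
    TUNTYPE='' TUNLOCAL='' TUNREMOTE='' TUNOPTIONS='' HOST=''
    # Parse KEY=VALUE lines instead of sourcing the file, so the config
    # is never run as shell code; only the five known keys are accepted.
    while IFS='=' read -r key val; do
        val=${val#\'}; val=${val%\'}   # drop quotes, as in TUNOPTIONS='ttl 64'
        case $key in
            TUNTYPE|TUNLOCAL|TUNREMOTE|TUNOPTIONS|HOST) eval "$key=\$val" ;;
        esac
    done < "$dir/options"
    # Kernel module and route command per tunnel type, as listed on the page.
    case $TUNTYPE in
        ipip) mod=ipip;   route='ip route add' ;;
        gre)  mod=ip_gre; route='ip route add' ;;
        sit)  mod=ipv6;   route='ip -6 route add' ;;
        *)    echo "unsupported TUNTYPE: $TUNTYPE" >&2; return 1 ;;
    esac
    [ -n "$TUNLOCAL" ] && [ -n "$TUNREMOTE" ] || { echo "missing endpoint" >&2; return 1; }
    echo "modprobe $mod"
    echo "ip tunnel add $name mode $TUNTYPE local $TUNLOCAL remote $TUNREMOTE${TUNOPTIONS:+ $TUNOPTIONS}${HOST:+ dev $HOST}"
    if [ -f "$dir/ipv4address" ]; then
        while read -r addr; do
            [ -z "$addr" ] || echo "ip addr add dev $name $addr"
        done < "$dir/ipv4address"
    fi
    echo "ip link set dev $name up"
    if [ -f "$dir/ipv4route" ]; then
        while read -r rt; do
            [ -z "$rt" ] || echo "$route $rt"
        done < "$dir/ipv4route"
    fi
}

# Constructed sample: the page's gretun configuration in a temp directory.
sample=$(mktemp -d)/gretun; mkdir "$sample"
printf '%s\n' TYPE=iptun TUNTYPE=gre TUNLOCAL=10.5.5.5 TUNREMOTE=10.6.6.6 \
    "TUNOPTIONS='ttl 64'" HOST=eth0 > "$sample/options"
printf '%s\n' '10.0.0.3 peer 10.0.0.4/32' > "$sample/ipv4address"
printf '%s\n' '10.6.10.0/24 via 10.0.0.4' '10.6.20.0/24 via 10.0.0.4' > "$sample/ipv4route"
tunnel_cmds "$sample"
```

Comparing this output with `ip tunnel show` and `ip route show` on a running host is a quick way to confirm that the configured and the live tunnel endpoints agree.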