User Tools

Site Tools


networking:tunneling

tunneling

Contents

Introduction

Tunneling is a way to transform data frames to allow them pass networks with incompatible address spaces or even incompatible protocols. There are different kinds of tunnels: some process only IPv4 packets and some can carry any type of frame. Linux kernel supports 3 tunnel types: IPIP (IPv4 in IPv4), GRE (IPv4/IPv6 over IPv4) and SIT (IPv6 over IPv4). Tunnels are managed with ip program, part of Iproute2:

 $ /sbin/ip tunnel help
 Usage: ip tunnel { add | change | del | show } [ NAME ]
           [ mode { ipip | gre | sit } ] [ remote ADDR ] [ local ADDR ]
           [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]
           [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ] [ dev PHYS_DEV ]
 
 Where: NAME := STRING
        ADDR := { IP_ADDRESS | any }
        TOS  := { NUMBER | inherit }
        TTL  := { 1..255 | inherit }
        KEY  := { DOTTED_QUAD | NUMBER }

Iproute2 is usually shipped with documentation, of which you need the file ip-tunnels.ps to learn about tunnel management. In Fedora Core 4 it is /usr/share/doc/iproute-2.6.11/ip-tunnels.ps.

IPIP tunnels

IPIP kind of tunnels is the simplest one. It has the lowest overhead, but can incapsulate only IPv4 unicast traffic, so you will not be able to setup OSPF, RIP or any other multicast-based protocol. You can setup only one tunnel for unique tunnel endpoints pair. It can work with FreeBSD and cisco IOS. Kernel module is 'ipip'. The following example demonstrates configuration of IPIP tunnel with four IPv4 routes, manually or via /etc/net.

Manual configuration example

 # modprobe ipip
 # ip tunnel add ipiptun mode ipip local 10.3.3.3 remote 10.4.4.4 ttl 64 dev eth0
 # ip addr add dev ipiptun 10.0.0.1 peer 10.0.0.2/32
 # ip link set dev ipiptun up
 # ip route add 10.4.10.0/24 via 10.0.0.2
 # ip route add 10.4.20.0/24 via 10.0.0.2
 # ip route add 10.4.30.0/24 via 10.0.0.2
 # ip route add 10.4.40.0/24 via 10.0.0.2

/etc/net configuration example

 # mkdir /etc/net/ifaces/ipiptun
 # cat > /etc/net/ifaces/ipiptun/options
 TYPE=iptun
 TUNTYPE=ipip
 TUNLOCAL=10.3.3.3
 TUNREMOTE=10.4.4.4
 TUNOPTIONS='ttl 64'
 HOST=eth0
 ^D
 # cat > /etc/net/ifaces/ipiptun/ipv4address
 10.0.0.1 peer 10.0.0.2/32
 ^D
 # cat > /etc/net/ifaces/ipiptun/ipv4route
 10.4.10.0/24 via 10.0.0.2
 10.4.20.0/24 via 10.0.0.2
 10.4.30.0/24 via 10.0.0.2
 10.4.40.0/24 via 10.0.0.2
 ^D
 # ifup ipiptun

GRE tunnels

GRE tunnels can incapsulate IPv4/IPv6 unicast/multicast traffic, so it is de-facto tunnel standard for dynamic routed networks. You can setup up to 64K tunnels for an unique tunnel endpoints pair. It can work with FreeBSD and cisco IOS. Kernel module is 'ip_gre'. The following example demonstrates configuration of GRE tunnel with two IPv4 routes.

Manual configuration example

 # modprobe ip_gre
 # ip tunnel add gretun mode gre local 10.5.5.5 remote 10.6.6.6 ttl 64 dev eth0
 # ip add add dev gretun 10.0.0.3 peer 10.0.0.4/32
 # ip link set dev gretun up
 # ip route add 10.6.10.0/24 via 10.0.0.4
 # ip route add 10.6.20.0/24 via 10.0.0.4

/etc/net configuration example

 # mkdir /etc/net/ifaces/gretun
 # cat > /etc/net/ifaces/gretun/options
 TYPE=iptun
 TUNTYPE=gre
 TUNLOCAL=10.5.5.5
 TUNREMOTE=10.6.6.6
 TUNOPTIONS='ttl 64'
 HOST=eth0
 ^D
 # cat > /etc/net/ifaces/gretun/ipv4address
 10.0.0.3 peer 10.0.0.4/32
 ^D
 # cat > /etc/net/ifaces/gretun/ipv4route
 10.6.10.0/24 via 10.0.0.4
 10.6.20.0/24 via 10.0.0.4
 ^D
 # ifup gretun

SIT tunnels

SIT stands for Simple Internet Transition. Its main purpose is to interconnect isolated IPv6 networks, located in global IPv4 Internet. SIT works like IPIP. It can work with FreeBSD and cisco IOS. Kernel module is 'ipv6'. Once loaded, ipv6 module can't be unloaded. You can get your own IPv6 prefix and a SIT tunnel from a tunnel broker. The following example demonstrates configuration of SIT tunnel with three IPv6 routes.

Manual configuration example

 # modprobe ipv6
 # ip tunnel add sittun mode sit local 10.7.7.7 remote 10.8.8.8 ttl 64 dev eth0
 # ip addr add dev sittun 2001:0DB8:1234::000e/127
 # ip link set dev sittun up
 # ip -6 route add 2001:0DB8:5678::/48 via 2001:0DB8:1234::000f
 # ip -6 route add 2001:0DB8:5679::/48 via 2001:0DB8:1234::000f
 # ip -6 route add 2001:0DB8:567a::/48 via 2001:0DB8:1234::000f

/etc/net configuration example

 # mkdir /etc/net/ifaces/sittun
 # cat > /etc/net/ifaces/sittun/options
 TYPE=iptun
 TUNTYPE=sit
 CONFIG_IPV6=yes
 TUNLOCAL=10.7.7.7
 TUNREMOTE=10.8.8.8
 TUNOPTIONS='ttl 64'
 HOST=eth0
 ^D
 # cat > /etc/net/ifaces/sittun/ipv4address
 2001:0DB8:1234::000e/127
 ^D
 # cat > /etc/net/ifaces/sittun/ipv4route
 2001:0DB8:5678::/48 via 2001:0DB8:1234::000f
 2001:0DB8:5679::/48 via 2001:0DB8:1234::000f
 2001:0DB8:567a::/48 via 2001:0DB8:1234::000f
 ^D
 # ifup sittun
networking/tunneling.txt · Last modified: 2019/09/21 12:14 by soren