GRE Tunnelling Guide
Introduction
This document provides an introduction to Generic Routing Encapsulation (GRE) tunnels and how to configure them.
GRE is an encapsulation method for tunnelling data packets over a delivery protocol. It is specified in RFC 2784. It can encapsulate arbitrary data packets over an arbitrary delivery protocol, but the most common use is to create an IP over IP tunnel, which is also what is currently supported.
GRE works by adding a special (GRE) header in front of the encapsulated packet. It is a stateless protocol and it does not provide any security features at all: it lacks encryption and authentication, and it does not detect lost packets, replayed packets or other spoofed traffic.
Secure tunnelling can be achieved by setting up GRE over an IPsec VPN.
A GRE tunnel is defined by its endpoints, the beginning and the end of the tunnel. An endpoint is identified by an address that is routable in the delivery protocol, typically a public IP address. The following section describes a common example.
IP-in-IP Tunnel
GRE can be used as a generic IP-in-IP tunnel. E.g., if GW1 and GW2 are NAT gateways, a GRE tunnel can be used to tunnel traffic between their local subnets, here 192.168.1.0/24 and 192.168.2.0/24. The tunnel endpoints 10.0.72.29 and 10.0.38.33 must be IP addresses that are routable across the shared intranet or the Internet.
                    .--.-.
                   (  (  )__
                  (_,  \ ) ,_)   Internet/Intranet
                    '-'--`--'
       10.0.72.0/24   |   |   10.0.38.0/24
     .----------------'   '-----------------.
     |                                      |
     |.29                                   |.33
 .---+---.                              .---+---.
 |       |          GRE Tunnel          |       |
 |  GW1  |==============================|  GW2  |
 |       |                              |       |
 '---+---'                              '---+---'
     |.1                                    |.1
     |  192.168.1.0/24      192.168.2.0/24  |
 ----+-----+------+----                 ----+-----+------+----
           |      |                               |      |
           |.11   |.5                             |.11   |.5
         .-+--. .-+--.                          .-+--. .-+--.
         | H1 | | H2 |                          | H3 | | H4 |
         '----' '----'                          '----' '----'
The Protocol
GRE is a generic protocol intended to encapsulate any protocol. Currently only IP (v4 or v6) in IP (v4 or v6) is supported. The figure below illustrates the structure of a packet when IP is tunnelled through GRE over IP.
By default, GRE traffic is sent on a per-packet basis by consulting the routing table, like any other IP packet. It is, however, also possible to configure the GRE tunnel to only use a specific network interface.
.-----------------------------------------------------------------------------------------------.
| GRE Delivery protocol - Outer IP Header | GRE Header | GRE Payload - Inner IP header and body |
|-----------------------------------------|------------|----------------------------------------|
| Dest IP | Src IP | TTL | ...            | ...        | Dest IP | Src IP | TTL | ...           |
'-----------------------------------------------------------------------------------------------'
The IP addresses in the outer IP header are the addresses of the tunnel endpoints, while the addresses in the inner IP header are the addresses of the sending and receiving hosts.
The TTL of the outer IP header (see Figure 1) is by default set equal to the TTL of the encapsulated IP packet. It is possible to configure a specific TTL for the outer header per GRE tunnel.
The checksum field in the GRE header is an optional field in the protocol and is unset in packets transmitted by WeOS. However, if a checksum is included in received packets it is validated.
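The encapsulation rules above, worked through in Python as an added example (this is not WeOS code): it builds the outer IP | GRE | inner IP layout from the figure, copies the inner TTL into the outer header unless one is given, leaves the GRE checksum out on transmit as WeOS does, and validates a checksum on receive only when the sender set the C bit. The GRE protocol number (47) and the checksum flag layout are from RFC 2784; addresses used in the test are the ones from the IP-in-IP figure.

```python
import ipaddress
import struct

GRE_IP_PROTO = 47        # protocol number of GRE in the outer IPv4 header
GRE_PTYPE_IPV4 = 0x0800  # GRE protocol type for an encapsulated IPv4 packet
GRE_FLAG_CKSUM = 0x8000  # the C bit in the GRE flags word

def inet_checksum(data):
    """RFC 1071 one's-complement checksum, shared by the IPv4 and GRE headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, ttl, payload_len):
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def gre_encap(inner, local, remote, ttl=None, checksum=False):
    """Build outer IP | GRE | inner IP. The outer TTL defaults to the inner
    packet's TTL and the GRE checksum is left out unless checksum=True."""
    outer_ttl = inner[8] if ttl is None else ttl  # byte 8 of an IPv4 header is the TTL
    gre = struct.pack("!HH", GRE_FLAG_CKSUM if checksum else 0, GRE_PTYPE_IPV4)
    if checksum:  # covers GRE header and payload, computed with the field zeroed
        gre += struct.pack("!HH", inet_checksum(gre + b"\x00" * 4 + inner), 0)
    outer = ipv4_header(local, remote, GRE_IP_PROTO, outer_ttl, len(gre) + len(inner))
    return outer + gre + inner

def gre_decap(pkt):
    """Strip the outer IP and GRE headers; the GRE checksum is validated only
    when the sender set the C bit, otherwise the packet is accepted as is."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_IP_PROTO:
        raise ValueError("outer packet is not GRE")
    gre = pkt[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if ptype != GRE_PTYPE_IPV4:
        raise ValueError("unsupported GRE payload type 0x%04x" % ptype)
    hdr_len = 4
    if flags & GRE_FLAG_CKSUM:
        hdr_len = 8  # checksum (2 bytes) and reserved1 (2 bytes) follow the flags
        if inet_checksum(gre) != 0:  # a correct checksum makes the GRE part sum to zero
            raise ValueError("bad GRE checksum")
    return gre[hdr_len:]
```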
Configuration
GRE tunnels are configured in two steps:
- First the tunnel is created and its endpoints are defined; the endpoints determine the route taken by the GRE packets
- Then a new (GRE) network interface is created and configured to enable routing of the encapsulated IP packets through the GRE tunnel
Optional tunnel parameters use default values if not configured. Tunnel endpoints must always be specified.
GRE Tunnel
example:/#> configure
example:/config/#> tunnel
example:/config/tunnel/#> gre N
example:/config/tunnel/gre-N#> local ADDR_LOC
example:/config/tunnel/gre-N#> remote ADDR_REM
N
- unique instance number for each GRE tunnel (0-255)
ADDR_LOC
- IP address for local endpoint
ADDR_REM
- IP address for remote endpoint
Optional: Configure the GRE tunnel to send its traffic only via a specific network interface.
example:/config/tunnel/gre-N#> outbound IFACE
N
- unique instance number for each GRE tunnel (0-255)
IFACE
- network interface to be used for GRE tunnel traffic
Optional: Configure the TTL of the outer IP header
example:/config/tunnel/gre-N#> ttl TTL_OUT
N
- unique instance number for each GRE tunnel (0-255)
TTL_OUT
- TTL for the outer header of the GRE tunnel
Optional: Set GRE tunnel description.
example:/config/tunnel/gre-N#> description TEXT
N
- unique instance number for each GRE tunnel (0-255)
TEXT
- Free form description of this GRE tunnel
GRE Interface
Any GRE interface can have an IP address assigned to it. This is done under the settings of the corresponding interface, as in the following example.
example:/config/tunnel/gre-1#> end
example:/config/tunnel/#> end
example:/config/#> iface greN
example:/config/iface-greN/#>
N
- the corresponding instance number of the previously created GRE tunnel
We can use any supported method of assigning an IP address. In this example we will assign a static address.
example:/config/iface-greN/#> inet static ADDR[/LEN]
N
- the corresponding instance number of the previously created GRE tunnel
ADDR
- the IP address for the GRE interface
LEN
- the length of the netmask