GRE Tunnelling Guide
Introduction
This document provides an introduction to Generic Routing Encapsulation (GRE) tunnels and how to configure them.
GRE is an encapsulation method for tunnelling data packets over a routing protocol. It is specified in RFC 2784. It can encapsulate arbitrary data packets over an arbitrary delivery protocol, but the most common use, and the only one currently supported, is to create an IP over IP tunnel.
GRE works by adding a special (GRE) header in front of the encapsulated packet. It is a stateless protocol and it does not provide any security features at all; it lacks encryption and authentication, and it does not detect lost packets, replay attacks or other spoofing attacks.
Secure tunnelling can be achieved by setting up GRE over an IPsec VPN.
A GRE tunnel is defined by its endpoints, the beginning and the end of the tunnel. An endpoint is defined by a routable address, defined by the delivery protocol, typically a public IP address. The following section describes a common example.
IP-in-IP Tunnel
GRE can be used as a generic IP-in-IP tunnel. For example, if GW1 and GW2 are NAT gateways, a GRE tunnel can be used to tunnel traffic between local subnets, here 192.168.1.0/24 and 192.168.2.0/24. The tunnel endpoints 10.0.72.29 and 10.0.38.33 should be routable IP addresses over the shared intranet, or the Internet.
                             .--.-.
                           ( (    )__
                          (_,  \ ) ,_)     Internet/Intranet
                            '-'--`--'
                10.0.72.0/24 |    | 10.0.38.0/24
          .------------------'    '--------------------.
          |                                            |
          |.29                                         |.33
      .---+---.                                    .---+---.
      |       |             GRE Tunnel             |       |
      |  GW1  |====================================|  GW2  |
      |       |                                    |       |
      '---+---'                                    '---+---'
          |.1                                          |.1
          | 192.168.1.0/24              192.168.2.0/24 |
---+------+---+---------------           ---+----------+----+----
   |          |                             |               |
   |.11       |.5                           |.11            |.5
 .-+--.     .-+--.                        .-+--.          .-+--.
 | H1 |     | H2 |                        | H3 |          | H4 |
 '----'     '----'                        '----'          '----'
Figure 1: IP-in-IP tunnel with GRE
The Protocol
GRE is a generic protocol intended to encapsulate any protocol. Currently only IP (v4 or v6) in IP (v4 and v6) is supported. Figure 2 below illustrates the structure of a packet when IP is tunnelled through GRE over IP.
By default, GRE traffic is sent on a per-packet basis by consulting the routing table, like any other IP packet. It is, however, also possible to configure the GRE tunnel to only use a specific network interface.
.-----------------------------------------------------------------------------------------------.
| GRE Delivery protocol - Outer IP Header | GRE Header | GRE Payload - Inner IP header and body |
|-----------------------------------------|------------|----------------------------------------|
| Dest IP | Src IP | TTL | ...            | ...        | Dest IP | Src IP | TTL | ...           |
'-----------------------------------------------------------------------------------------------'
Figure 2: Packet header and payload for IP in GRE over IP
The IP addresses in the outer IP header are the addresses of the endpoints, while the addresses in the inner IP header are the addresses of the sending and receiving hosts.
The TTL of the outer IP header (see Figure 2) is by default set equal to the TTL of the encapsulated IP packet. It is possible to configure a specific TTL for the outer header for each GRE tunnel.
The checksum field in the GRE header is an optional field in the protocol and is unset in packets transmitted by WeOS. However, if a checksum is included in received packets it is validated.
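The packet layout in Figure 2 and the receive-side checksum rule above, as an added Python example (not WeOS code): it builds a constructed GRE packet with Figure 1's addresses, then parses it and validates the optional RFC 2784 checksum. The function names, the payload bytes and the inner protocol number 253 are assumptions made for the illustration.

```python
import struct
from socket import inet_aton, inet_ntoa

GRE_PROTO = 47            # IP protocol number of GRE in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum, used by IPv4 and by the GRE checksum field."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, ttl: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet: 20-byte header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      inet_aton(src), inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload

def gre_encapsulate(inner: bytes, with_checksum: bool) -> bytes:
    """RFC 2784 header: flags/version, protocol type, optional checksum + reserved1."""
    if not with_checksum:
        return struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner
    zeroed = struct.pack("!HHHH", 0x8000, ETHERTYPE_IPV4, 0, 0) + inner
    return zeroed[:4] + struct.pack("!H", inet_checksum(zeroed)) + zeroed[6:]

def parse_gre_over_ipv4(packet: bytes) -> dict:
    """Split outer IP / GRE / inner IP and validate the GRE checksum when the C bit is set."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer IP protocol is not GRE (47)")
    gre = packet[ihl:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    has_csum = bool(flags & 0x8000)
    if has_csum and inet_checksum(gre) != 0:
        raise ValueError("GRE checksum mismatch")
    inner = gre[8 if has_csum else 4:]
    return {"outer_src": inet_ntoa(packet[12:16]), "outer_dst": inet_ntoa(packet[16:20]),
            "inner_src": inet_ntoa(inner[12:16]), "inner_dst": inet_ntoa(inner[16:20]),
            "outer_ttl": packet[8], "inner_ttl": inner[8],
            "gre_checksum": has_csum, "proto_type": ptype}

def sample_packet(with_checksum: bool = True) -> bytes:
    """Constructed sample with Figure 1's addresses: H1 -> H3, outer TTL copied from inner."""
    inner = ipv4_packet("192.168.1.11", "192.168.2.11", 253, 64, b"constructed payload")
    gre = gre_encapsulate(inner, with_checksum)
    return ipv4_packet("10.0.72.29", "10.0.38.33", GRE_PROTO, inner[8], gre)
```

A passing checksum only shows that the GRE header and payload were not corrupted in transit; it is computed without any key, so it does not replace the IPsec protection recommended in the introduction.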
Configuration
GRE tunnels are configured in two steps:
- First the tunnel is created and defined with its endpoints, which defines the route of the GRE packets
- Then a new (GRE) network interface is created
The second step is to configure the GRE interface to enable routing, through the GRE tunnel, of the encapsulated IP packets.
GRE Tunnel
example:/#> configure
example:/config/#> tunnel
example:/config/tunnel/#> gre N
example:/config/tunnel/gre-N#>
- N: unique instance number for each GRE tunnel (0-255)
- local ADDR: IP address for local endpoint
- remote ADDR: IP address for remote endpoint
GRE Interface
example:/config/tunnel/gre-1#> end
example:/config/tunnel/#> end
example:/config/#> iface greN
example:/config/iface-greN/#>
- N: the corresponding instance number of the previously created GRE tunnel
- inet static ADDR[/LEN]: set the IP address of the GRE interface
  - ADDR: the IP address for the GRE interface
  - LEN: the length of the netmask