GRE Tunnelling Guide

Introduction

This document provides an introduction to Generic Routing Encapsulation (GRE) tunnels and how to configure them.

GRE is an encapsulation method for tunnelling data packets over a routing protocol. It is specified in RFC 2784. It can encapsulate arbitrary data packets over an arbitrary delivery protocol, but the most common use is to create an IP over IP tunnel, which is also what is currently supported.

GRE works by adding a special (GRE) header in front of the encapsulated packet. It is a stateless protocol and it does not provide any security features at all: it lacks encryption and authentication, and it does not detect lost packets, replay attacks or other spoofing attacks.

Secure tunnelling can be achieved by setting up GRE over an IPsec VPN.

A GRE tunnel is defined by its endpoints, the beginning and the end of the tunnel. Each endpoint is identified by an address that is routable in the delivery protocol, typically a public IP address. The following section describes a common example.

IP-in-IP Tunnel

GRE can be used as a generic IP-in-IP tunnel. For example, if GW1 and GW2 are NAT gateways, a GRE tunnel can be used to tunnel traffic between their local subnets, here 192.168.1.0/24 and 192.168.2.0/24. The tunnel endpoints 10.0.72.29 and 10.0.38.33 should be IP addresses that are routable over the shared intranet or the Internet.

                            .--.-.
                           ( (    )__
                          (_,  \ ) ,_)  Internet/Intranet
                            '-'--`--'
           10.0.72.0/24      |    |        10.0.38.0/24
          .------------------'    '--------------------.
          |                                            |
          |.29                                         |.33
      .---+---.                                    .---+---.
      |       |            GRE Tunnel              |       |
      |  GW1  |====================================|  GW2  |
      |       |                                    |       |
      '---+---'                                    '---+---'
          |.1                                          |.1
          |     192.168.1.0/24      192.168.2.0/24     |
---+------+---+---------------      ---+----------+----+----
   |          |                        |          |
   |.11       |.5                      |.11       |.5
 .-+--.     .-+--.                   .-+--.     .-+--.
 | H1 |     | H2 |                   | H3 |     | H4 |
 '----'     '----'                   '----'     '----'

Figure 1: IP-in-IP tunnel with GRE

The Protocol

GRE is a generic protocol intended to encapsulate any protocol. Currently only IP (v4 or v6) in IP (v4 and v6) is supported. Figure 2 below illustrates the structure of a packet when IP is tunnelled through GRE over IP.

By default, GRE traffic is sent on a per-packet basis by consulting the routing table, like any other IP packet. It is, however, also possible to configure the GRE tunnel to only use a specific network interface.

.-----------------------------------------------------------------------------------------------.
| GRE Delivery protocol - Outer IP Header | GRE Header | GRE Payload - Inner IP header and body |
|-----------------------------------------|------------|----------------------------------------|
| Dest IP | Src IP | TTL |      ...       |    ...     | Dest IP | Src IP | TTL |      ...      |
'-----------------------------------------------------------------------------------------------'

Figure 2: Packet header and payload for IP in GRE over IP

The IP addresses in the outer IP header are the addresses of the tunnel endpoints, while the addresses in the inner IP header are the addresses of the sending and receiving hosts.

The TTL of the outer IP header (see Figure 2) is by default set equal to the TTL of the encapsulated IP packet. It is possible to configure a specific TTL for the outer header for each GRE tunnel.

The checksum field in the GRE header is an optional field in the protocol and is unset in packets transmitted by WeOS. However, if a checksum is included in received packets it is validated.
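The layout in Figure 2 and the optional checksum can be inspected with a short parser. The Python below is an example added here, not WeOS code or part of the original guide. The function names are hypothetical, the sample packet is constructed from the addresses in Figure 1, and only IPv4 in GRE over IPv4 is handled.

```python
import ipaddress
import struct

GRE_PROTO = 47      # IP protocol number carried in the outer header
ETH_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload

def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071), used by GRE."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int) -> bytes:
    """Build a 20-byte IPv4 header without options (for sample data)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto,
                      0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def build_sample(with_checksum: bool, ttl: int = 64) -> bytes:
    """Constructed packet for Figure 1: H1 to H3, tunnelled GW1 to GW2."""
    inner = ipv4_header("192.168.1.11", "192.168.2.11", 1, 8, ttl) + bytes(8)
    if with_checksum:
        gre = struct.pack("!HHHH", 0x8000, ETH_IPV4, 0, 0) + inner
        gre = gre[:4] + struct.pack("!H", inet_checksum(gre)) + gre[6:]
    else:
        gre = struct.pack("!HH", 0, ETH_IPV4) + inner
    # Outer TTL copied from the inner packet, the default described above
    return ipv4_header("10.0.72.29", "10.0.38.33", GRE_PROTO, len(gre), ttl) + gre

def parse_gre(packet: bytes) -> dict:
    """Split an IPv4/GRE/IPv4 packet into the fields of Figure 2."""
    if packet[0] >> 4 != 4 or packet[9] != GRE_PROTO:
        raise ValueError("not an IPv4 packet carrying GRE")
    gre = packet[(packet[0] & 0x0F) * 4:]
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007 or ptype != ETH_IPV4:
        raise ValueError("only GRE version 0 with an IPv4 payload is handled")
    has_csum = bool(flags & 0x8000)   # C bit: checksum field present
    inner = gre[8 if has_csum else 4:]
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {
        "outer": (addr(packet[12:16]), addr(packet[16:20]), packet[8]),
        "inner": (addr(inner[12:16]), addr(inner[16:20]), inner[8]),
        # Summing header + payload with the checksum in place gives 0 if valid
        "checksum_ok": inet_checksum(gre) == 0 if has_csum else None,
    }
```

The checksum is unkeyed, so it only catches accidental corruption. It is not a substitute for the authentication that GRE over IPsec provides.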

Configuration

GRE tunnels are configured in two steps:

  1. First the tunnel is created and defined with its endpoints, which defines the route of the GRE packets
  2. Then a new (GRE) network interface is created

The second step configures the GRE interface so that the encapsulated IP packets can be routed through the GRE tunnel.

GRE Tunnel

example:/#> configure
example:/config/#> tunnel
example:/config/tunnel/#> gre N
example:/config/tunnel/gre-N#>

N: unique instance number for each GRE tunnel (0-255)

local ADDR
    IP address for local endpoint
remote ADDR
    IP address for remote endpoint

GRE Interface

example:/config/tunnel/gre-1#> end
example:/config/tunnel/#> end
example:/config/#> iface greN
example:/config/iface-greN/#>

N: the corresponding instance number of the previously created GRE tunnel

inet static ADDR[/LEN]

Set the IP address of the GRE interface

ADDR
    the IP address for the GRE interface
LEN
    the length of the netmask