Linux has supported many kinds of tunnels, but new users may be confused by their differences and unsure which one is best suited for a given use case. In this article, I will give a brief introduction to the commonly used tunnel interfaces in the Linux kernel. There is no code analysis, only a brief introduction to the interfaces and their usage on Linux. Anyone with a network background might be interested in this information. A list of tunnel interfaces, as well as help on specific tunnel configuration, can be obtained by issuing the iproute2 command ip link help.

This post covers the following frequently used interfaces: IPIP, SIT, ip6tnl, VTI and VTI6, and GRE. After reading this article, you will know what these interfaces are, the differences between them, when to use them, and how to create them.

One point to keep in mind throughout: IPIP, SIT, ip6tnl and GRE are plain encapsulations. They add headers, not security. Nothing in them authenticates or encrypts the inner packet, so anyone who can deliver packets to the outer address can inject traffic into the tunnel unless the tunnel protocols (IP protocol numbers 4, 41 and 47) are restricted to the expected peer by the host firewall. Of the interfaces below, only VTI, which pairs a tunnel device with IPsec, protects the payload.

IPIP

IPIP tunnel, just as the name suggests, is an IP over IP tunnel, defined in RFC 2003. It's typically used to connect two internal IPv4 subnets through the public IPv4 internet. It has the lowest overhead (a single extra 20-byte IPv4 header) but can only transmit IPv4 unicast traffic. That means you cannot send multicast via an IPIP tunnel. The ipip driver supports both IPv4 over IPv4 and MPLS over IPv4.

Note: When the ipip module is loaded, or an IPIP device is created for the first time, the Linux kernel will create a tunl0 default device in each namespace, with attributes local=any and remote=any. When receiving IPIP protocol packets, the kernel will forward them to tunl0 as a fallback device if it can't find another device whose local/remote attributes match their source or destination address more closely. In practice this means a host with the module loaded will decapsulate IPIP packets from any source on tunl0, so filter IP protocol 4 unless you intend to accept it.

Here is how to create an IPIP tunnel:

On Server A:

# ip link add name ipip0 type ipip local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR
# ip link set ipip0 up
# ip addr add INTERNAL_IPV4_ADDR/24 dev ipip0

Add a remote internal subnet route if the endpoints don't belong to the same subnet:

# ip route add REMOTE_INTERNAL_SUBNET/24 dev ipip0

Note: Please replace LOCAL_IPv4_ADDR, REMOTE_IPv4_ADDR, INTERNAL_IPV4_ADDR and REMOTE_INTERNAL_SUBNET with the addresses of your testing environment. Then perform the same steps on the remote side, with the local and remote addresses swapped.

SIT

SIT stands for Simple Internet Transition. Its main purpose is to interconnect isolated IPv6 networks located in the global IPv4 internet. Initially, it only had an IPv6 over IPv4 tunneling mode. After years of development, however, it acquired support for several different modes, such as ipip (the same as the IPIP tunnel), ip6ip, mplsip, and any. Mode any accepts both IPv4 and IPv6 traffic, which may prove useful in some deployments. SIT tunnels also support ISATAP (mode isatap).

When the sit module is loaded, the Linux kernel will create a default device, named sit0. It is the fallback device for IPv6-in-IPv4 (IP protocol 41) packets, in the same way tunl0 is for IPIP.

Here is how to create a SIT tunnel:

On Server A:

# ip link add name sit1 type sit local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR mode any
# ip link set sit1 up
# ip addr add INTERNAL_IPV4_ADDR/24 dev sit1

Then, perform the same steps on the remote side.

ip6tnl

ip6tnl is an IPv4/IPv6 over IPv6 tunnel interface, which looks like an IPv6 version of the SIT tunnel. It supports the modes ip6ip6, ipip6, and any. Mode ipip6 is IPv4 over IPv6, mode ip6ip6 is IPv6 over IPv6, and mode any carries both IPv4 and IPv6 over IPv6. When the ip6tnl module is loaded, the Linux kernel will create a default device, named ip6tnl0.

Here is how to create an ip6tnl tunnel:

# ip link add name ipip6 type ip6tnl local LOCAL_IPv6_ADDR remote REMOTE_IPv6_ADDR mode any
# ip link set ipip6 up

VTI and VTI6

Virtual Tunnel Interface (VTI) on Linux is similar to Cisco's VTI and Juniper's implementation of secure tunnel (st.xx). This tunneling driver implements IP encapsulation that can be used with xfrm to give the notion of a secure tunnel, with kernel routing on top. In general, VTI tunnels operate in almost the same way as ipip or sit tunnels, except that they add a fwmark and IPsec encapsulation/decapsulation: the VTI key becomes the mark that selects the xfrm policies, so the policies below must carry the same mark as the device.

Here is how to create a VTI tunnel:

# ip link add name vti1 type vti key VTI_KEY local LOCAL_IPv4_ADDR remote REMOTE_IPv4_ADDR
# ip link set vti1 up
# ip addr add LOCAL_VIRTUAL_ADDR/24 dev vti1
# ip xfrm state add src LOCAL_IPv4_ADDR dst REMOTE_IPv4_ADDR spi SPI PROTO ALGR mode tunnel
# ip xfrm state add src REMOTE_IPv4_ADDR dst LOCAL_IPv4_ADDR spi SPI PROTO ALGR mode tunnel
# ip xfrm policy add dir in tmpl src REMOTE_IPv4_ADDR dst LOCAL_IPv4_ADDR PROTO mode tunnel mark VTI_KEY
# ip xfrm policy add dir out tmpl src LOCAL_IPv4_ADDR dst REMOTE_IPv4_ADDR PROTO mode tunnel mark VTI_KEY

Here SPI is the Security Parameter Index of each security association (use a different value per direction), PROTO is the IPsec protocol (proto esp for an encrypted tunnel), and ALGR is the algorithm and key specification (for example aead 'rfc4106(gcm(aes))' KEY 128). Both endpoints install the same two states with the same SPIs and keys; only the policy directions are mirrored. Keys installed this way never rotate, so manual keying is suitable for testing rather than production. You can also configure IPsec via libreswan or strongSwan, which negotiate and rekey the security associations with IKE.

GRE

Generic Routing Encapsulation, also known as GRE, is defined in RFC 2784. GRE tunneling adds an additional GRE header between the inside and outside IP headers. In theory, GRE could encapsulate any Layer 3 protocol that has a valid Ethertype, because the GRE header carries the inner protocol's Ethertype, unlike IPIP, which can only encapsulate IP.
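As an added example that is not part of the original post, the following Python code builds and decapsulates the plain encapsulations this post covers: IPIP and SIT (IP protocols 4 and 41 inside an IPv4 header, RFC 2003), ip6tnl (the same inner protocols inside an IPv6 header) and GRE (IP protocol 47 with the 4-byte RFC 2784 header carrying the inner Ethertype). It shows concretely why IPIP has the lowest overhead (20 bytes, against 24 for GRE and 40 for ip6tnl) and why none of these protect the payload: decapsulation checks only the outer header checksum and protocol number. The addresses are documentation-range values chosen for the example, and the function names are the example's own, not the kernel's.

```python
"""Build and decapsulate IPIP / SIT / ip6tnl / GRE packets (standard library only)."""
import ipaddress
import struct

# IANA protocol numbers carried in the outer IP header's Protocol / Next Header field.
PROTO_IPIP = 4    # IPv4 inside (ipip, ip6tnl mode ipip6)
PROTO_IPV6 = 41   # IPv6 inside (sit, ip6tnl mode ip6ip6)
PROTO_GRE = 47    # GRE header next (gre)

# Ethertypes carried in the GRE Protocol Type field (RFC 2784 section 2.2).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD
GRE_FLAG_C = 0x8000        # checksum present (RFC 2784)
GRE_FLAG_K = 0x2000        # key present (RFC 2890)
GRE_FLAG_S = 0x1000        # sequence number present (RFC 2890)
GRE_VERSION_MASK = 0x0007  # must be 0 for RFC 2784 GRE


def ipv4_checksum(header):
    """RFC 1071 one's-complement checksum; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def _inner_proto(inner):
    return PROTO_IPIP if inner[0] >> 4 == 4 else PROTO_IPV6


def encap_ipip(outer_src, outer_dst, inner):
    """ipip / sit: the outer Protocol field alone tells the receiver what is inside."""
    return ipv4_header(outer_src, outer_dst, _inner_proto(inner), len(inner)) + inner


def encap_ip6tnl(outer_src, outer_dst, inner):
    """ip6tnl: same idea with an IPv6 outer header (Next Header 4 = ipip6, 41 = ip6ip6)."""
    return ipv6_header(outer_src, outer_dst, _inner_proto(inner), len(inner)) + inner


def encap_gre(outer_src, outer_dst, inner):
    """gre: outer IPv4 (protocol 47) + basic GRE header naming the inner Ethertype."""
    ethertype = ETHERTYPE_IPV4 if inner[0] >> 4 == 4 else ETHERTYPE_IPV6
    gre = struct.pack("!HH", 0, ethertype)   # C=0, reserved=0, version=0, protocol type
    return ipv4_header(outer_src, outer_dst, PROTO_GRE, len(gre) + len(inner)) + gre + inner


def decap(packet):
    """Strip the outer header(s). Note what is NOT checked: there is no authentication."""
    version = packet[0] >> 4
    if version == 4:
        outer_len = (packet[0] & 0x0F) * 4
        if ipv4_checksum(packet[:outer_len]) != 0:
            raise ValueError("outer IPv4 header checksum mismatch")
        proto = packet[9]
        end = struct.unpack("!H", packet[2:4])[0]
    elif version == 6:
        outer_len = 40
        proto = packet[6]
        end = 40 + struct.unpack("!H", packet[4:6])[0]
    else:
        raise ValueError("not an IP packet")
    body = packet[outer_len:end]

    if proto in (PROTO_IPIP, PROTO_IPV6):
        names = {4: {PROTO_IPIP: "ipip", PROTO_IPV6: "sit"},
                 6: {PROTO_IPIP: "ipip6", PROTO_IPV6: "ip6ip6"}}
        return {"encap": names[version][proto], "overhead": outer_len, "inner": body}
    if proto == PROTO_GRE:
        flags, ethertype = struct.unpack("!HH", body[:4])
        if flags & GRE_VERSION_MASK:
            raise ValueError("GRE version %d not supported" % (flags & GRE_VERSION_MASK))
        gre_len = 4 + 4 * bool(flags & GRE_FLAG_C) + 4 * bool(flags & GRE_FLAG_K) \
                    + 4 * bool(flags & GRE_FLAG_S)
        return {"encap": "gre", "overhead": outer_len + gre_len,
                "ethertype": ethertype, "inner": body[gre_len:]}
    raise ValueError("outer protocol %d is not a tunnel encapsulation handled here" % proto)
```

Feeding the same inner packet through each encapsulation and reading back the overhead field is the quickest way to see the 20 / 24 / 40 byte costs, and flipping one byte of the outer address shows that only the outer checksum stands between a forged packet and the decapsulation path.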
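For the VTI example in this post, the following Python script is an added illustration (not the post's own code) that fills the SPI / PROTO / ALGR placeholders with concrete values: random SPIs outside the reserved 0-255 range, fresh AES-128-GCM keys for ESP, an anti-replay window, and a policy mark equal to the VTI key. It emits the command set for each endpoint so the two can be compared before use: the xfrm states must be identical on both ends, while the policies mirror direction. The algorithm choice, key sizes, device name and addresses are assumptions of the example.

```python
"""Generate matching VTI + manually keyed IPsec commands for both tunnel endpoints."""
import secrets

AEAD = "rfc4106(gcm(aes))"   # AES-GCM for ESP (RFC 4106), as named by the kernel's xfrm
AEAD_KEY_BYTES = 20          # 16-byte AES-128 key + 4-byte salt, which rfc4106 expects
AEAD_ICV_BITS = 128
SPI_MIN = 256                # SPI values 0-255 are reserved (RFC 4303 section 2.1)
REPLAY_WINDOW = 32           # anti-replay window; manual keys never rotate, so keep it on


def new_sa_params():
    """Fresh SPI and key for one security association (one direction)."""
    return {
        "spi": secrets.randbelow(0xFFFFFFFF - SPI_MIN) + SPI_MIN,
        "key": "0x" + secrets.token_hex(AEAD_KEY_BYTES),
    }


def vti_ipsec_commands(local, remote, vti_key, virt_local, virt_remote, dev="vti1",
                       sa_to_remote=None, sa_to_local=None):
    """Commands for ONE endpoint. Pass the same two SA parameter sets to the call for
    the other endpoint (with local/remote swapped) so both share keys and SPIs."""
    sa_to_remote = sa_to_remote or new_sa_params()
    sa_to_local = sa_to_local or new_sa_params()
    mark = "0x%x" % vti_key   # the VTI key is the fwmark the policies must match
    cmds = [
        f"ip link add name {dev} type vti key {vti_key} local {local} remote {remote}",
        f"ip link set {dev} up",
        f"ip addr add {virt_local}/24 dev {dev}",
    ]
    # States are defined by src/dst, so both ends install the same two lines.
    for sa, src, dst in ((sa_to_remote, local, remote), (sa_to_local, remote, local)):
        cmds.append(
            f"ip xfrm state add src {src} dst {dst} proto esp spi 0x{sa['spi']:x} "
            f"aead '{AEAD}' {sa['key']} {AEAD_ICV_BITS} mode tunnel "
            f"replay-window {REPLAY_WINDOW}"
        )
    # Policies are what differ per endpoint: out uses local->remote, in uses remote->local.
    cmds.append(f"ip xfrm policy add dir out tmpl src {local} dst {remote} "
                f"proto esp mode tunnel mark {mark}")
    cmds.append(f"ip xfrm policy add dir in tmpl src {remote} dst {local} "
                f"proto esp mode tunnel mark {mark}")
    return cmds, sa_to_remote, sa_to_local


def vti_pair(a_ip, b_ip, vti_key, a_virt, b_virt):
    """Command lists for endpoints A and B that form one working VTI/IPsec tunnel."""
    a_cmds, to_b, to_a = vti_ipsec_commands(a_ip, b_ip, vti_key, a_virt, b_virt)
    b_cmds, _, _ = vti_ipsec_commands(b_ip, a_ip, vti_key, b_virt, a_virt,
                                      sa_to_remote=to_a, sa_to_local=to_b)
    return a_cmds, b_cmds


if __name__ == "__main__":
    # Documentation-range addresses, chosen for the example.
    a, b = vti_pair("192.0.2.1", "198.51.100.1", 42, "10.99.0.1", "10.99.0.2")
    print("# Server A\n" + "\n".join(a) + "\n\n# Server B\n" + "\n".join(b))
```

The keys appear in the generated command lines, so treat the output as secret material and deliver it over an authenticated channel; for anything beyond a test bed, let libreswan or strongSwan negotiate the SAs instead of installing them by hand.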