Annotated edit history of GRETunnel version 4, including all changes.
I started having a look at [GRE] as a way to connect a Cisco user to the MetaNet. There isn't much chance of porting WANd/Etud to IOS, so we have to make do with a protocol IOS understands already, and thankfully IOS does GRE well. We could have used [PPTP] as well, but it was messier.

I refer to the [Linux 2.4 Advanced Routing HOWTO |http://www.linuxguruz.org/iptables/howto/2.4routing-5.html] for most of this. In order to simplify things, I wrote a simple script to run at each end, although it's entirely probable that there are better system scripts to use for this sort of thing.

To do GRE tunnelling, you need a few things first:

* the Linux 2.4.x series kernel (or later)
* the iproute package. This provides /sbin/ip, and the new codeset for the network API under 2.4
* the ip_gre module (CONFIG_NET_IPGRE)
* maybe a few more options, I can't remember. :)

The URL mentioned above covers things fairly nicely, but it took a little bit of playing to get things working properly.

As a note, if you are running a firewall on your external interface, make sure that you are allowing IP protocol 47 (GRE) in, e.g.:

iptables -A in --protocol gre -j ACCEPT

Here "in" is whatever chain handles inbound traffic on the external interface (INPUT on a stock ruleset).

---------------------

#!/bin/sh
# Bring up a GRE tunnel to the other end. Run a copy of this at each end,
# with the values below swapped around. Stop on the first failed command.
set -e

NAME="gre0"
REMOTEIP="ip.of.other.end"
LOCALIP="ip.of.this.end"

NETWORK="remote network address"
NETBITS="remote network prefix length (eg, 24 for a /24 network)"

TUNNEL_LOCAL="ip.of.gre0.here"

IP="/sbin/ip"
${IP} tunnel add ${NAME} mode gre remote ${REMOTEIP} local ${LOCALIP} ttl 255
${IP} link set ${NAME} up
${IP} addr add ${TUNNEL_LOCAL} dev ${NAME}
${IP} route add ${NETWORK}/${NETBITS} dev ${NAME}

---------------------
38
So this script can be set up at either end; obviously, make sure that the REMOTEIP, LOCALIP, NETWORK, NETBITS and TUNNEL_LOCAL values are set appropriately.

Once this works, you should be able to ping hosts across the tunnel. If you find it doesn't work, try tcpdumping the interface (in this case, gre0). I found I was seeing ICMP echo-requests and echo-responses, but they weren't actually being delivered. Turns out my firewall on ppp0 was dropping the GRE protocol on the floor. If you don't see any responses, it might be that the other end is dropping GRE on the floor.

If you want to bring a tunnel down...

----------------------

#!/bin/sh
# Tear down the tunnel created by the script above.
NAME="gre0"
IP="/sbin/ip"

${IP} link set ${NAME} down
${IP} tunnel del ${NAME}

----------------------

----
!For Cisco Routers

This sample config is done with a Cisco 2514 router. In this example the outside interface (internet side) is Ethernet 1, and the LAN interface is Ethernet 0.

----------------------
__router#__config t%%%
__router(config)#__interface tunnel 0%%%
__router(config-if)#__ip address ''<<ip.of.gre0.here>> <<subnet mask>>''%%%
__router(config-if)#__tunnel source ethernet 1 (or ''<<ip.of.this.end>>'')%%%
__router(config-if)#__tunnel destination ''<<ip.of.other.end>>''%%%
__router(config)#__ip route 10.0.0.0 255.0.0.0 tunnel 0%%%
__router(config)#__end%%%
----------------------

To verify the VPN is working:
*show ip int tunnel0
*show ip route
*ping ''<<ip.of.gre0.at.other.end>>''

Other considerations:

*MTU size may need to be adjusted, because the outer IP and GRE headers add to the overall length of each frame
*GRE itself provides no encryption or authentication, so the VPN is not secure until the crypto maps have been applied
*Don't forget about your ACLs (if you have any); you can add this ACE:
access-list ''<<extended IP ACL>>'' permit gre host ''<<ip.of.other.end>>'' host ''<<ip.of.this.end>>''
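The following is an added example, not code from the wiki page, from iproute or from IOS. It is a small Python dissector for the GRE-in-IPv4 packets you would see with tcpdump on the outer interface (ppp0 on the Linux side, Ethernet 1 on the 2514) while troubleshooting, and it ties together three points above: the firewall must let IP protocol 47 through (anything this parser accepts is exactly what a ruleset without that rule drops), the outer IPv4 and GRE headers add 24 bytes of overhead (hence the MTU note), and GRE carries the inner packet in the clear (hence "not secure until crypto maps are applied"). The sample packet, its addresses (RFC 5737 documentation ranges outside, 10/8 inside) and every helper name are constructed here.

```python
"""GRE-over-IPv4 dissector for tunnel troubleshooting (added example)."""
import socket
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

IPPROTO_ICMP = 1
IPPROTO_GRE = 47          # the number "--protocol gre" / "permit gre" match on
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type field for an inner IPv4 packet
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (IPv4 header, ICMP and GRE C bit)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 255) -> bytes:
    """IPv4 header with no options (IHL=5) in front of payload, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def build_icmp_echo(ident: int, seq: int, data: bytes = b"ping") -> bytes:
    """ICMP echo request (type 8), i.e. what ping sends across the tunnel."""
    body = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", _checksum(body)) + body[4:]


def build_gre(inner: bytes, with_checksum: bool = False) -> bytes:
    """RFC 2784 GRE header. ip_gre sends the plain 4-byte form unless the tunnel
    was created with csum/key options; the C bit adds a 4-byte checksum word."""
    flags = GRE_FLAG_CSUM if with_checksum else 0
    hdr = struct.pack("!HH", flags, ETHERTYPE_IPV4)
    if with_checksum:
        hdr += b"\x00\x00\x00\x00"                    # checksum + reserved1
        hdr = hdr[:4] + struct.pack("!H", _checksum(hdr + inner)) + hdr[6:]
    return hdr + inner


def parse_ipv4(pkt: bytes) -> Tuple[str, str, int, int, bytes]:
    """Return (src, dst, ttl, proto, payload); rejects truncation and bad checksums."""
    if len(pkt) < 20 or (pkt[0] >> 4) != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("truncated IPv4 packet")
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[8], pkt[9], pkt[ihl:total_len])


@dataclass
class GreView:
    outer_src: str
    outer_dst: str
    gre_flags: int
    inner_src: str
    inner_dst: str
    inner_proto: int
    icmp_type: Optional[int]   # 8 = echo request, 0 = echo reply, None if not ICMP
    overhead: int              # bytes of outer IPv4 + GRE header added per packet


def parse_gre(pkt: bytes) -> GreView:
    """Dissect one packet as captured on the outer interface (ppp0 / Ethernet 1)."""
    osrc, odst, _ttl, proto, gre = parse_ipv4(pkt)
    if proto != IPPROTO_GRE:
        raise ValueError("IP protocol %d is not GRE (47)" % proto)
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x0007:
        raise ValueError("GRE version %d not supported" % (flags & 7))
    if flags & 0x4000:          # RFC 1701 routing bit; reserved in RFC 2784
        raise ValueError("unsupported GRE header bits set")
    if flags & GRE_FLAG_CSUM and _checksum(gre) != 0:
        raise ValueError("bad GRE checksum")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner protocol 0x%04x is not IPv4" % ptype)
    # optional 4-byte words follow the fixed header for each of C, K and S
    off = 4 + 4 * sum(bool(flags & f) for f in (GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ))
    inner = gre[off:]
    isrc, idst, _ittl, iproto, ipayload = parse_ipv4(inner)
    icmp_type = ipayload[0] if iproto == IPPROTO_ICMP and ipayload else None
    return GreView(osrc, odst, flags, isrc, idst, iproto, icmp_type,
                   overhead=len(pkt) - len(inner))


def tunnel_mtu(link_mtu: int, overhead: int) -> int:
    """Largest packet the gre interface can carry without the encapsulated
    packet exceeding the link MTU (1500 - 24 = 1476, Linux's default for gre)."""
    return link_mtu - overhead


def sample_packet(with_checksum: bool = False) -> bytes:
    """Constructed: echo request 10.1.0.5 -> 10.2.0.9 tunnelled between
    192.0.2.1 and 198.51.100.7 (RFC 5737 documentation addresses)."""
    inner = build_ipv4("10.1.0.5", "10.2.0.9", IPPROTO_ICMP, build_icmp_echo(0x1234, 1))
    return build_ipv4("192.0.2.1", "198.51.100.7", IPPROTO_GRE,
                      build_gre(inner, with_checksum))


if __name__ == "__main__":
    view = parse_gre(sample_packet())
    print(view)          # inner addresses and the ICMP type are readable in the clear
    print("gre MTU on a 1500-byte link:", tunnel_mtu(1500, view.overhead))
```

Running it dissects the constructed echo request: the inner 10/8 addresses and the ICMP type come straight out of the capture, which is what "not secure until the crypto maps have been applied" means in practice, and the 24-byte overhead it reports gives 1476 for a 1500-byte link, the MTU Linux assigns to a gre interface by default. If a real capture on the outer interface shows these packets arriving but nothing appears on gre0, the protocol 47 firewall rule above is the first thing to check.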