Home
Main website
Display Sidebar
Hide Ads
Recent Changes
View Source:
GRETunnel
Edit
PageHistory
Diff
Info
LikePages
I started having a look at [GRE] as a way to connect a cisco user to the MetaNet. There isn't much chance of porting WANd/Etud to IOS, so we have to make do with a protocol IOS understands already, and thankfully IOS does GRE well. We could have used [PPTP] as well, but it was messier. I refer to the [Linux 2.4 Advanced Routing HOWTO |http://www.linuxguruz.org/iptables/howto/2.4routing-5.html] for most of this. In order to simplify things, I wrote a simple script to run at each end, although its entirely probably that there are better system scripts to use for this sort of thing. To do GRE Tunneling, you need a few things first: * the linux 2.4.x series kernel (or later) * the iproute package. This provides /sbin/ip, and the new codeset for the network API under 2.4 * the ip_gre module (CONFIG_NET_IPGRE) * maybe a few more options, I cant remember. :) The URL mentioned above covers things fairly nicely, but it took a little bit of playing to get things working nicely. As a note, if you are running a firewall on your external interface, make sure that you are allowing protocol 47 (GRE) in. eg iptables -A in --protocol gre -J ACCEPT --------------------- #!/bin/sh NAME="gre0" REMOTEIP="ip.of.other.end" LOCALIP="ip.of.this.end" NETWORK="remote network address NETBITS="remote network netbits (eg, /24)" TUNNEL_LOCAL="ip.of.gre0.here" IP="/sbin/ip" ${IP} tunnel add ${NAME} mode gre remote ${REMOTEIP} local ${LOCALIP} ttl 255 ${IP} link set ${NAME} up ${IP} addr add ${TUNNEL_LOCAL} dev ${NAME} ${IP} route add ${NETWORK}/${NETBITS} dev ${NAME} --------------------- So this script can be set up at either end - obviously make sure that the REMOTEIP, LOCALIP, NETWORK, NETBITS and TUNNEL_LOCAL values are set appropriately. once this works, you should be able to ping hosts across the tunnel. If you find it doesn't work, try tcpdumping the interface (in this case, gre0). I found I was seeing icmp echo-requests and echo-responses, but they weren't actually being delivered. Turns out my firewall on ppp0 was dropping the gre protocol on the floor. If you dont see any responses, it might be that the other end is dropping gre on the floor. if you want to bring a tunnel down... ---------------------- #!/bin/sh NAME="gre0" IP="/sbin/ip" ${IP} link set ${NAME} down ${IP} tunnel del ${NAME} ---------------------- ---- !For Cisco Routers This sample config is done with a Cisco 2514 router. In this example the outside interface (internet side) is Ethernet 1, and LAN interface is Ethernet 0. ---------------------- __router#__config t%%% __router(config)#__interface tunnel 0%%% __router(config-if)#__ip address ''<<ip.of.gre0.here>> <<subnet mask>>''%%% __router(config-if)#__tunnel source ethernet 1 (or ''<<ip.of.this.end>>'')%%% __router(config-if)#__tunnel destination ''<<ip.of.other.end>>''%%% __router(config)__#ip route 10.0.0.0 255.0.0.0 tunnel 0%%% __router(config)__#end%%% ---------------------- To verify the VPN is working *show ip int tunnel0 *show ip route *ping ''<<ip.of.gre0.at.other.end>>'' Other considerations *MTU size may need to be adjusted due to the increased overall length of the ethernet frame *The VPN is not secure until the crypto maps have been applied *Don't forget about your ACLs (if you have any), you can add this ACE access-list ''<<extended IP ACL>>'' permit gre host ''<<ip.of.other.end>>'' host ''<<ip.of.this.end>>''
2 pages link to
GRETunnel
:
TunnelNotes
MetaNetInstallation