
IPIP is a method of creating a bare-bones IP tunnel (no encryption, compression, or anything else) between two hosts, whether they are connected via the Internet or a LAN.

Example network

Let's say that we want to create an IP over IP link between two machines, Router A and Router B. These routers are both connected to the Internet; you also need a network to use on the tunnel.

You need:

  • A kernel with support for IPIP built in, or built as a module.
  • The IP addresses of both tunnel endpoints.
  • IP address ranges that you want to tunnel.
  • You'll also need a name to give to the tunnel.

We will use the network '192.168.1.0/24' as the private network of the tunnel.

In the example below, Router A and B have addresses in the same subnet. This is not a requirement; you can create a tunnel to a host on the other side of the Internet if you want.

Router A:

  • has internet IP address 192.0.2.34
  • has private tunnel IP address 192.168.1.1

Router B:

  • has internet IP address 192.0.2.69
  • has private tunnel IP address 192.168.1.254

iproute sample setup

You can call your tunnel whatever you like: let's call ours tunnel0.

Router A

ip tunnel add tunnel0 mode ipip remote 192.0.2.69 local 192.0.2.34
ip link set tunnel0 up
ip addr add 192.168.1.1/24 dev tunnel0

Router B

ip tunnel add tunnel0 mode ipip remote 192.0.2.34 local 192.0.2.69
ip link set tunnel0 up
ip addr add 192.168.1.254/24 dev tunnel0

Skip to 'Testing your tunnel'.

Debian sample setup

Router A

Edit /etc/network/interfaces:

auto tunnel0
iface tunnel0 inet static
  address 192.168.1.1
  netmask 255.255.255.0
  network 192.168.1.0
  broadcast 192.168.1.255
  pre-up /sbin/ip tunnel add tunnel0 mode ipip remote 192.0.2.69 local 192.0.2.34
  post-down /sbin/ip tunnel del tunnel0

Then execute

ifup tunnel0

Router B

Edit /etc/network/interfaces:

auto tunnel0
iface tunnel0 inet static
  address 192.168.1.254
  netmask 255.255.255.0
  network 192.168.1.0
  broadcast 192.168.1.255
  pre-up /sbin/ip tunnel add tunnel0 mode ipip remote 192.0.2.34 local 192.0.2.69
  post-down /sbin/ip tunnel del tunnel0

Then execute

ifup tunnel0

Testing your tunnel

After you have configured your tunnel via one of the examples above you should be able to ping the remote end:

Router A

ping 192.168.1.254

Router B

ping 192.168.1.1

Both pings should succeed without problems.

Using your tunnel

  • You can now use your tunnel - just pretend it's a piece of Ethernet between the two computers.
  • Remember the MTU on the tunnel will be lower than normal because of the extra IP header.
  • You can set up routing and whatever you like over the tunnel.
  • If you lose your route to the tunnel endpoint, the tunnel will not work either.
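The two properties noted above (no encryption, and a lower MTU because of the extra IP header) can be seen by building an IPIP packet by hand. This is an added example, not part of the original page; it reuses the example addresses from this page, and the inner payload and the experimental inner protocol number 253 are constructed for illustration.

```python
import socket
import struct

IPPROTO_IPIP = 4  # IANA protocol number for IPv4-in-IPv4 (RFC 2003)

def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def decapsulate(packet: bytes):
    """Return (outer_src, outer_dst, inner_packet) for an IPIP packet."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or packet[9] != IPPROTO_IPIP:
        raise ValueError("not an IPv4 packet carrying IPIP")
    if checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    return (socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
            packet[ihl:total_len])

def tunnel_mtu(link_mtu: int) -> int:
    """Largest inner packet that fits once the outer 20-byte header is added."""
    return link_mtu - 20

# Constructed sample: Router A's tunnel address sends a payload to Router B's.
inner = ipv4("192.168.1.1", "192.168.1.254", 253, b"cleartext payload")
# What actually crosses the Internet: the inner packet, unchanged, behind an outer header.
outer = ipv4("192.0.2.34", "192.0.2.69", IPPROTO_IPIP, inner)

if __name__ == "__main__":
    src, dst, recovered = decapsulate(outer)
    print(f"outer {src} -> {dst}, overhead {len(outer) - len(inner)} bytes")
    print("inner bytes visible on the wire:", recovered[20:])
    print("tunnel MTU on a 1500-byte link:", tunnel_mtu(1500))
```

Anyone on the path between the two public addresses sees the inner addresses and payload exactly as sent, which is why traffic that needs confidentiality should be protected separately.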

More complex situations

When tunneling between 2 routers, and 1 router has a private network on another interface, routing between the two can be confusing. Here is the network layout:

Router 1

eth0: 1.2.3.4 (public)

Router 2

eth0: 4.3.2.1 (public)
eth1: 10.0.0.1

In my particular case, Router 1 is an asterisk system on a public network, and Router 2 is a NAT router that is also a gateway for my private 10.0.0.0/24 network. I have multiple SIP phones (which don't work through NAT) on the 10.0.0.0/24 network and I need to establish routes between the 2.

IN THIS ORDER ENTER THESE COMMANDS

Router 1

iptunnel add iptun mode ipip remote 4.3.2.1
ifconfig iptun 10.0.1.1
route add -net 10.0.2.0/24 dev iptun

Router 2

iptunnel add iptun mode ipip remote 1.2.3.4
ifconfig iptun 10.0.2.1
route add -net 10.0.1.0/24 dev iptun

Router 1

route add -net 10.0.0.0/24 dev iptun
route add -net 10.0.0.0/24 gw 10.0.0.1

Now from Router 2 you can ping any device on the 10.0.0.0/24 network behind Router 1, and from any device on the 10.0.0.0/24 network, you can ping Router 1 using the address 10.0.1.1.

If anyone has a better way of doing this, using IPIP or GRE, or knows how to use MobileIP in this situation, please email me: zip@andrewhodel.com. I know I can accomplish this using IPSec or something of the like, however that is not my goal.


See the IPSec page for another tunneling option.
