version 2, including all changes.
.
| Rev |
Author |
# |
Line |
| 1 |
CraigBox |
1 |
[IPIP] is a method of creating a bare bones [IP] tunnel (no encryption, compression, or anything else) between two hosts, be they connected via InterNet or a [LAN]. |
| |
|
2 |
|
| |
|
3 |
!!! Example network |
| |
|
4 |
|
| |
|
5 |
Let's say that we want to create an IP over IP link between two machines, Router A and Router B. These routers are both connected to the InterNet; you also need a network to use on the tunnel. |
| |
|
6 |
|
| |
|
7 |
You need: |
| |
|
8 |
|
| |
|
9 |
* A kernel with support for [IPIP] built in, or built as a module. |
| |
|
10 |
* The [IP] addresses of both tunnel endpoints. |
| |
|
11 |
* [IP] address ranges that you want to tunnel. |
| |
|
12 |
* You'll also need a name to give to the tunnel. |
| |
|
13 |
|
| |
|
14 |
We will use the network '192.168.1.0/24' as the private network of the tunnel. |
| |
|
15 |
|
| |
|
16 |
In the example below Router A and B have addreses in the same subnet - this is not a requirement; you can create a tunnel to a host on the other side of the internet if you want. |
| |
|
17 |
|
| |
|
18 |
Router A: |
| |
|
19 |
|
| |
|
20 |
* has internet IP address 192.0.2.34 |
| |
|
21 |
* has private tunnel IP address 192.168.1.1 |
| |
|
22 |
|
| |
|
23 |
Router B: |
| |
|
24 |
|
| |
|
25 |
* has internet IP address 192.0.2.69 |
| |
|
26 |
* has private tunnel IP address 192.168.1.254 |
| |
|
27 |
|
| |
|
28 |
!! iproute sample setup |
| |
|
29 |
|
| |
|
30 |
You can call your tunnel whatever you like: lets call ours ''tunnel0''. |
| |
|
31 |
|
| |
|
32 |
!Router A |
| |
|
33 |
<pre> |
| |
|
34 |
ip tunnel add ''tunnel0'' mode ipip remote 192.0.2.69 local 192.0.2.34 |
| |
|
35 |
ip link set ''tunnel0'' up |
| |
|
36 |
ip addr add 192.168.1.1/24 dev ''tunnel0'' |
| |
|
37 |
</pre> |
| |
|
38 |
|
| |
|
39 |
!Router B |
| |
|
40 |
<pre> |
| |
|
41 |
ip tunnel add ''tunnel0'' mode ipip remote 192.0.2.34 local 192.0.2.69 |
| |
|
42 |
ip link set ''tunnel0'' up |
| |
|
43 |
ip addr add 192.168.1.254/24 dev ''tunnel0'' |
| |
|
44 |
</pre> |
| |
|
45 |
|
| |
|
46 |
Skip to 'testing the tunnel'. |
| |
|
47 |
|
| |
|
48 |
!! Debian sample setup |
| |
|
49 |
|
| |
|
50 |
!Router A |
| |
|
51 |
|
| |
|
52 |
Edit /etc/network/interfaces: |
| |
|
53 |
<pre> |
| |
|
54 |
auto ''tunnel0'' |
| |
|
55 |
iface ''tunnel0'' inet static |
| |
|
56 |
address 192.168.1.1 |
| |
|
57 |
netmask 255.255.255.0 |
| |
|
58 |
network 192.168.1.0 |
| |
|
59 |
broadcast 192.168.1.255 |
| |
|
60 |
pre-up /sbin/ip tunnel add ''tunnel0'' mode ipip remote 192.0.2.69 local 192.0.2.34 |
| |
|
61 |
post-down /sbin/ip tunnel del ''tunnel0'' |
| |
|
62 |
</pre> |
| |
|
63 |
|
| |
|
64 |
Then execute |
| |
|
65 |
ifup ''tunnel0''. |
| |
|
66 |
|
| |
|
67 |
! Router B |
| |
|
68 |
Edit /etc/network/interfaces: |
| |
|
69 |
<pre> |
| |
|
70 |
auto ''tunnel0'' |
| |
|
71 |
iface ''tunnel0'' inet static |
| |
|
72 |
address 192.168.1.254 |
| |
|
73 |
netmask 255.255.255.0 |
| |
|
74 |
network 192.168.1.0 |
| |
|
75 |
broadcast 192.168.1.255 |
| |
|
76 |
pre-up /sbin/ip tunnel add ''tunnel0'' mode ipip remote 192.0.2.34 local 192.0.2.69 |
| |
|
77 |
post-down /sbin/ip tunnel del ''tunnel0'' |
| |
|
78 |
</pre> |
| |
|
79 |
|
| |
|
80 |
Then execute |
| |
|
81 |
ifup ''tunnel0'' |
| |
|
82 |
|
| |
|
83 |
!!Testing your tunnel |
| |
|
84 |
|
| |
|
85 |
After you have configured your tunnel via one of the examples above you should be able to ping the remote end: |
| |
|
86 |
|
| |
|
87 |
!Router A |
| |
|
88 |
ping 192.168.1.254 |
| |
|
89 |
|
| |
|
90 |
!Router B |
| |
|
91 |
ping 192.168.1.1 |
| |
|
92 |
|
| |
|
93 |
Both pings should succeed without problems. |
| |
|
94 |
|
| |
|
95 |
!!Using your tunnel |
| |
|
96 |
|
| 2 |
AristotlePagaltzis |
97 |
* You can now use your tunnel - just pretend it's a piece of [Ethernet] between the two computers. |
| 1 |
CraigBox |
98 |
* Remember the [MTU] on the tunnel will be lower than normal because of the extra IP header. |
| |
|
99 |
* You can setup routing and whatever you like over the tunnel. |
| |
|
100 |
* If you lose your route to the tunnel endpoint, the tunnel will not work either. |
| |
|
101 |
|
| |
|
102 |
------ |
| |
|
103 |
|
| |
|
104 |
!!!More complex situations |
| |
|
105 |
|
| |
|
106 |
When tunneling between 2 routers, and 1 router has a private network on another interface, routing between the two can be confusing. Here is the network layout: |
| |
|
107 |
|
| |
|
108 |
Router 1: |
| |
|
109 |
<verbatim> |
| |
|
110 |
eth0: 1.2.3.4 (public) |
| |
|
111 |
</verbatim> |
| |
|
112 |
|
| |
|
113 |
Router 2: |
| |
|
114 |
<verbatim> |
| |
|
115 |
eth0: 4.3.2.1 (public) |
| |
|
116 |
eth1: 10.0.0.1 |
| |
|
117 |
</verbatim> |
| |
|
118 |
|
| |
|
119 |
In my particular case, Router 1 is an asterisk system on a public network, and Router 2 is a [NAT] router that is also a gateway for my private 10.0.0.0/24 network. I have multiple [SIP] phones (which don't work through [NAT]) on the 10.0.0.0/24 network and I need to establish routes between the 2. |
| |
|
120 |
|
| |
|
121 |
IN THIS ORDER ENTER THESE COMMANDS |
| |
|
122 |
|
| |
|
123 |
Router 1: |
| |
|
124 |
<verbatim> |
| |
|
125 |
iptunnel add iptun mode ipip remote 4.3.2.1 |
| |
|
126 |
ifconfig iptun 10.0.1.1 |
| |
|
127 |
route add -net 10.0.2.0/24 dev iptun |
| |
|
128 |
</verbatim> |
| |
|
129 |
|
| |
|
130 |
Router 2: |
| |
|
131 |
<verbatim> |
| |
|
132 |
iptunnel add iptun mode ipip remote 1.2.3.4 |
| |
|
133 |
ifconfig iptun 10.0.2.1 |
| |
|
134 |
route add -net 10.0.1.0/24 dev iptun |
| |
|
135 |
</verbatim> |
| |
|
136 |
|
| |
|
137 |
Router 1: |
| |
|
138 |
<verbatim> |
| |
|
139 |
route add -net 10.0.0.0/24 dev iptun |
| |
|
140 |
route add -net 10.0.0.0/24 gw 10.0.0.1 |
| |
|
141 |
</verbatim> |
| |
|
142 |
|
| |
|
143 |
Now from Router 2 you can ping any device on the 10.0.0.0/24 network behind Router 1, and from any device on the 10.0.0.0/24 network, you can ping Router 1 using the address 10.0.1.1 |
| |
|
144 |
|
| |
|
145 |
If anyone has a better way of doing this, using [IPIP] or [GRE], or knows how to use MobileIP in this situation, please email me: zip@andrewhodel.com. I know I can accomplish this using [IPSec] or something of the like, however that is not my goal. |
| |
|
146 |
|
| |
|
147 |
---- |
| |
|
148 |
See the [IPSec] page for another tunneling option. |
| |
|
149 |
|
| |
|
150 |
CategoryNotes |
