Remember, there’s no handshake in GRE so the order that you bring up the tunnel endpoints is irrelevant. Now let’s create the other side of the tunnel on a second Ubuntu VM: sudo ip tunnel add tun0 mode gre remote 10.131.73.9 local 10.131.73.16 dev eth0 sudo ip addr add 172.17.0.2/24 dev tun0 sudo ip link set tun0 up If we’d added a key, that MTU would be further reduced by 4 bytes. This makes sense because we’re adding the encapsulating IPv4 header (20 bytes) and a GRE header with none of the optional header fields (4 bytes). It’s 24 bytes less than the physical interface eth0 MTU, 8976 bytes. Note the MTU size of the tun0 interface: 8952 bytes. Here’s what was created (omitting the uninteresting interfaces and IPv6 addresses): ip addr show 2: eth0: mtu 8976 qdisc fq_codel state UP group default qlen 1000 link/ether fa:16:3e:6e:fb:b4 brd ff:ff:ff:ff:ff:ff inet 10.131.73.9/24 brd 10.131.73.255 scope global dynamic eth0 valid_lft 81126sec preferred_lft 81126sec 8: mtu 8952 qdisc noqueue state UNKNOWN group default qlen 1000 link/gre 10.131.73.9 peer 10.131.73.16 inet 172.17.0.1/24 scope global tun0 valid_lft forever preferred_lft forever Now let’s create the tunnel device (with no key), assign an IP address to the tunnel interface, and bring the interface up: sudo ip tunnel add tun0 mode gre remote 10.131.73.16 local 10.131.73.9 dev eth0 sudo ip addr add 172.17.0.1/24 dev tun0 sudo ip link set tun0 up We’ll start by checking the iproute2 help hints to see the syntax: ip tunnel help Usage: ip tunnel We’ll be using an Ubuntu Bionic virtual machine and the iproute2 package, which is included in most Linux distributions. Let’s go ahead and make a gretun device tun0. If you don’t have a specific need to use keys then turn them off and save yourself that extra 4 bytes of overhead in every packet. The key exchange mechanism is not defined by the GRE protocol, so keys are generally configured manually on each end of the tunnel. Its purpose is to distinguish between individual traffic flows on a tunnel, which can then be treated differently, e.g. The actual purpose of the key field is somewhat similar to a port number. The key provides no security because it would be trivial to snoop the traffic and see what keys are being used on the tunnel. Judging by the name, one might think that this is some kind of encryption key but that is not the case. In the case of gretap, the EtherType value is 0圆558.įinally, we have the optional Key field. In the case of gretun, the EtherType value is 0x0800 for IPv4 or 0x86DD for IPv6. The most interesting header field is the Protocol Type, which indicates the EtherType of the encapsulated packet.
In practice, the Checksum and Sequence Number fields are rarely used. The C, K, and S bits respectively indicate whether the Checksum, Key, or Sequence Number fields are present. The Checksum, Key, and Sequence Number header fields are all optional. The GRE header adds between 4 to 16 bytes of overhead, depending on which fields are used. GRE does not encrypt the payload so layer 3 encryption, such as IPsec, is highly recommended but beyond the scope of this article. When we include the ethernet header too, it’s gretap.
When we encapsulate a payload and its IP header, it’s called gretun. Encapsulate a packet with just its IP header or the entire frame. Send it and forget it.Īnother great thing about GRE is that it doesn’t dictate what can be encapsulated. It’s a connectionless protocol, like UDP. Simply encapsulate any packet and send to one or more destinations, whether the destination is expecting the packet or not. Part of the attraction is that there is no handshake required to setup a GRE tunnel. The GRE protocol is getting close to 20 years old but continues to be a valuable addition to the network engineer’s tool belt.
Gre tunnel how to#
In this article, I give an overview of the GRE protocol structure, show you how to build GRE tunnels in Linux, and explain why GRE doesn’t use ports. The first question firewall engineers ask me when we’re debugging a GRE tunnel: What port number does it use? Like ICMP, GRE has no concept of ports - well, not exactly. Generic Routing Encapsulation is an extremely basic tunneling protocol, but its simplicity can also cause confusion.
0 kommentar(er)
