Generic Routing Encapsulation (GRE) Tunnel

The word generic has significant consequences; the relevant and ancillary RFCs are RFC 2784, RFC 1701, RFC 1702, RFC 2890, and RFC 3147. According to RFC 2784, generic means "a protocol for encapsulation of an arbitrary network layer protocol over another arbitrary network layer protocol." In the general case, the actual payload packet is first encapsulated in a GRE packet, which can in turn be encapsulated in an arbitrary delivery network layer protocol for regular forwarding. Cisco IOS architecture provides a tunnel identification key that offers only weak protection against malicious packet injection. GRE uses IP protocol number 47; configure your filters/firewalls accordingly. Table 11-2 gives an overview of the special tunnel-related interfaces on BSD platforms. As you will see, this works differently on Linux (tunl0/TUNNEL, gre0/GRE).

Table 11-2. OpenBSD and FreeBSD Special Interfaces

Interface   OpenBSD   FreeBSD   Description
---------   -------   -------   -----------------------------------------------
tun         X         X         Tunnel network interface (also used by gre-tun)
enc         X                   IPSec encapsulating interface
gre         X                   GRE/Mobile-IP encapsulation interface
gif         X         X         Generic IPv4/IPv6 tunnel interface
faith       X         X         IPv6 and IPv4 translation
stf                   X         6to4 over IPv4 encapsulation
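The following Python is an added example, not code from the book nor from OpenBSD, FreeBSD, Linux, gre-tun, or Cisco IOS. It builds and parses GRE headers as laid out in RFC 2784 and RFC 2890 (flags, optional checksum, key, and sequence number), wraps them in an outer IPv4 header with the explicit TTL of 255 the Linux-to-Cisco lab uses, and applies the filter rule the paragraph above calls for: accept IP protocol 47 only from configured tunnel endpoints, only with a valid checksum, and only with the expected key. The addresses come from the labs; the key value 0x2a2a2a2a, the function names, and the sample payload are made up for this example. Two things it makes visible: the key is read straight from the wire, so it is an identifier, not an authenticator, which is why the tunnel key is only weak protection; and the 24-byte encapsulation overhead (20 bytes outer IPv4 plus 4 bytes minimal GRE) is why Linux reports MTU 1476 on a GRE interface over a 1500-byte link.

```python
import ipaddress
import struct

GRE_PROTOCOL = 47          # IP protocol number of GRE in the outer IPv4 header
ETHERTYPE_IPV4 = 0x0800    # GRE protocol type of an IPv4 payload
FLAG_CHECKSUM = 0x8000     # C bit (RFC 2784)
FLAG_KEY = 0x2000          # K bit (RFC 2890)
FLAG_SEQUENCE = 0x1000     # S bit (RFC 2890)
GRE_OVERHEAD = 20 + 4      # outer IPv4 header plus the minimal GRE header

def tunnel_mtu(link_mtu=1500):
    return link_mtu - GRE_OVERHEAD            # 1500 - 24 = 1476, as Linux reports for gre/ip

def ones_complement_sum(data):
    """RFC 1071 Internet checksum: complement of the one's complement sum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_gre(payload, proto=ETHERTYPE_IPV4, key=None, seq=None, checksum=False):
    """Prepend a GRE header; optional fields in RFC 2890 order: checksum, key, sequence."""
    flags, parts = 0, []
    if checksum:
        flags |= FLAG_CHECKSUM
        parts.append(b"\x00\x00\x00\x00")        # checksum + reserved1, filled in below
    if key is not None:
        flags |= FLAG_KEY
        parts.append(struct.pack("!I", key))
    if seq is not None:
        flags |= FLAG_SEQUENCE
        parts.append(struct.pack("!I", seq))
    packet = struct.pack("!HH", flags, proto) + b"".join(parts) + payload
    if checksum:                                  # covers the GRE header and the payload
        packet = packet[:4] + struct.pack("!H", ones_complement_sum(packet)) + packet[6:]
    return packet

def parse_gre(packet):
    """Decode a GRE header; raises ValueError on malformed input."""
    if len(packet) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", packet[:4])
    # version field must be 0 and the reserved flag bits must be clear (RFC 2784)
    if flags & 0x0007 or flags & ~(FLAG_CHECKSUM | FLAG_KEY | FLAG_SEQUENCE) & 0xFFF8:
        raise ValueError("unsupported GRE version or reserved flag bits set")
    result, offset = {"proto": proto, "key": None, "seq": None, "checksum_ok": None}, 4
    for flag, name in ((FLAG_CHECKSUM, "checksum"), (FLAG_KEY, "key"), (FLAG_SEQUENCE, "seq")):
        if not flags & flag:
            continue
        if len(packet) < offset + 4:
            raise ValueError("truncated GRE %s field" % name)
        if flag == FLAG_CHECKSUM:                 # a valid checksum sums the whole packet to zero
            result["checksum_ok"] = ones_complement_sum(packet) == 0
        else:                                     # key and sequence are plain 32-bit fields
            result[name] = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    result["payload"] = packet[offset:]
    return result

def build_ipv4(src, dst, payload, proto=GRE_PROTOCOL, ttl=255):
    """Minimal outer IPv4 header; ttl=255 mirrors the 'ttl 255' Linux sends toward IOS."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ones_complement_sum(header)) + header[12:]
    return header + payload

def check_gre_packet(datagram, allowed_peers, expected_key=None):
    """Filter decision: IP protocol 47 only, only from configured peers, valid checksum, right key."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        return False, "not IPv4"
    ihl, proto = (datagram[0] & 0x0F) * 4, datagram[9]
    src = str(ipaddress.IPv4Address(datagram[12:16]))
    if proto != GRE_PROTOCOL:
        return False, "not GRE (IP protocol %d)" % proto
    if src not in allowed_peers:
        return False, "GRE from unexpected peer %s" % src
    try:
        gre = parse_gre(datagram[ihl:])
    except ValueError as exc:
        return False, "malformed GRE: %s" % exc
    if gre["checksum_ok"] is False:
        return False, "GRE checksum mismatch"
    if expected_key is not None and gre["key"] != expected_key:
        return False, "GRE key mismatch"
    return True, "accept"

def demo():
    """Constructed traffic modelled on Lab 11-5 (callisto 192.168.14.1 -> scar 192.168.14.254)."""
    inner = build_ipv4("10.2.2.1", "10.2.2.2", b"\x08\x00" + b"\x00" * 62, proto=1)  # ICMP-like
    peers, key = {"192.168.14.1"}, 0x2A2A2A2A                         # key value is made up
    gre = build_gre(inner, key=key, seq=1, checksum=True)
    return {"from_peer": check_gre_packet(build_ipv4("192.168.14.1", "192.168.14.254", gre), peers, key),
            "from_stranger": check_gre_packet(build_ipv4("192.168.2.7", "192.168.14.254", gre), peers, key),
            "key_visible": parse_gre(gre)["key"]}   # the key travels in cleartext: an identifier, not a secret

if __name__ == "__main__": print(demo())
```

The peer check is the part a packet filter on the tunnel endpoint actually enforces; the key and checksum checks are what the GRE receiver does. Because the key is readable by anyone who can see the outer packet, source filtering on protocol 47 is the control that matters, and anything needing confidentiality or integrity belongs inside the tunnel (for example IPSec), not in the GRE header.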


Lab 11-3: GRE Tunnel OpenBSD-to-Cisco

Example 11-5 demonstrates the GRE tunnel setup without special features. Remember, tunnel mode gre ip is the default setting of Cisco IOS architecture.

Example 11-5. GRE Tunnel OpenBSD-to-Cisco IOS Architecture

[root@europa:~#] ifconfig gre0 tunnel 192.168.14.3 192.168.14.254 up

[root@europa:~#] ifconfig gre0 10.2.2.1 10.2.2.2 netmask 255.255.255.252 up

[root@europa:~#] route add -host 10.0.0.1 10.2.2.2



scar# show running-config

...

interface Tunnel0

 ip address 10.2.2.2 255.255.255.252

 tunnel source Ethernet1

 tunnel destination 192.168.14.3

!

ip route 10.0.0.2 255.255.255.255 Tunnel0

...


Lab 11-4: GRE Tunnel Linux-to-FreeBSD (Featuring gre-tun)

This lab uses the gre-tun package from http://mike.spottydogs.org/projects/gre-tun/ to show an alternative GRE setup for FreeBSD. Example 11-6 presents the Linux tunnel endpoint, and Example 11-7 shows the gre-tun configuration at the FreeBSD endpoint. Note the MTU of 1476 in the ifconfig output of Example 11-6: this is the default Linux MTU for GRE tunnels (1500 bytes minus 20 bytes of outer IP header and 4 bytes of GRE header).

Example 11-6. Linux GRE Configuration

[root@callisto:~#] insmod ip_gre

[root@callisto:~#] iptunnel add GRE mode gre remote 192.168.2.7 local 192.168.1.1 ttl 255

[root@callisto:~#] ifconfig GRE 10.1.1.1 netmask 255.255.255.252 pointopoint 10.1.1.2

[root@callisto:~#] route add -net 192.168.7.0/24 gw 192.168.1.254 dev GRE



[root@callisto:~#] ifconfig -a

GRE       Link encap:UNSPEC  HWaddr C0-A8-01-01-00-00-00-00-00-00-00-00-00-00-00-00

          inet addr:10.1.1.1  P-t-P:10.1.1.2  Mask:255.255.255.252

          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)



gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

          NOARP  MTU:1476  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)


Example 11-7. FreeBSD gre-tun Configuration

[root@castor:~#] gre-tun --tunnel /dev/tun0 --local 192.168.2.7 --remote 192.168.1.1 --source 10.1.1.2 --destination 10.1.1.1 --netmask 255.255.255.252

[root@castor:~#] route add -net 192.168.14.0/24 10.1.1.1


Lab 11-5: Linux-to-Cisco GRE Tunnel

Finally, look at a Linux-to-Cisco combination (Example 11-8). By default, Linux GRE inherits the TTL of the outer (carrier) GRE packet from the payload packet (ttl inherit). Cisco IOS architecture is picky about this, hence the ttl 255 parameter in the iptunnel command.

Example 11-8. Linux-to-Cisco GRE Tunnel Setup

[root@callisto:~#] insmod ip_gre

[root@callisto:~#] iptunnel add GRE mode gre remote 192.168.14.254 local 192.168.14.1 ttl 255

[root@callisto:~#] ifconfig GRE 10.2.2.1 netmask 255.255.255.252 pointopoint 10.2.2.2

[root@callisto:~#] route add -host 10.0.0.1 dev GRE



[root@callisto:~#] ifconfig -a

GRE       Link encap:UNSPEC  HWaddr C0-A8-0E-01-00-00-00-00-00-00-00-00-00-00-00-00

          inet addr:10.2.2.1  P-t-P:10.2.2.2  Mask:255.255.255.252

          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1

          RX packets:49 errors:0 dropped:0 overruns:0 frame:0

          TX packets:106 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:4836 (4.7 Kb)  TX bytes:16229 (15.8 Kb)



eth0      Link encap:Ethernet  HWaddr 00:10:5A:D7:93:60

          inet addr:192.168.14.1  Bcast:192.168.14.255  Mask:255.255.255.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:2639 errors:0 dropped:0 overruns:0 frame:0

          TX packets:2614 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:100

          RX bytes:257278 (251.2 Kb)  TX bytes:185819 (181.4 Kb)

          Interrupt:5 Base address:0xd800



eth1      Link encap:Ethernet  HWaddr 52:54:05:E3:51:87

          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          RX packets:10419 errors:0 dropped:0 overruns:0 frame:0

          TX packets:6349 errors:0 dropped:0 overruns:0 carrier:0

          collisions:137 txqueuelen:100

          RX bytes:2674761 (2.5 Mb)  TX bytes:612601 (598.2 Kb)

          Interrupt:9 Base address:0xd400



eth1:1    Link encap:Ethernet  HWaddr 52:54:05:E3:51:87

          inet addr:192.168.45.253  Bcast:192.168.45.255  Mask:255.255.255.0

          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

          Interrupt:9 Base address:0xd400



gre0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00

          NOARP  MTU:1476  Metric:1

          RX packets:0 errors:0 dropped:0 overruns:0 frame:0

          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)



lo        Link encap:Local Loopback

          inet addr:127.0.0.1  Mask:255.0.0.0

          UP LOOPBACK RUNNING  MTU:16436  Metric:1

          RX packets:72 errors:0 dropped:0 overruns:0 frame:0

          TX packets:72 errors:0 dropped:0 overruns:0 carrier:0

          collisions:0 txqueuelen:0

          RX bytes:5416 (5.2 Kb)  TX bytes:5416 (5.2 Kb)



[root@callisto:~#] iptunnel show

gre0: gre/ip  remote any  local any  ttl inherit  nopmtudisc

GRE: gre/ip  remote 192.168.14.254  local 192.168.14.1  ttl 255



[root@callisto:~#] netstat -i

Kernel Interface table

Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR   TX-OK TX-ERR TX-DRP TX-OVR Flg

GRE    1476   0      56      0      0      0     113      0      0      0 OPRU

eth0   1500   0    2717      0      0      0    2652      0      0      0 BMRU

eth1   1500   0   10856      0      0      0    6767      0      0      0 BMRU

eth1:  1500   0     - no statistics available -                           BMRU

lo    16436   0      72      0      0      0      72      0      0      0 LRU



[root@callisto:~#] ip -s tunnel

gre0: gre/ip  remote any  local any  ttl 255

RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts

    0          0            0      0        0        0

TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs

    0          0            0      0        0        0

GRE: gre/ip  remote 192.168.14.254  local 192.168.14.1  ttl 255

RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts

    56         5424         0      0        0        0

TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs

    115        17511        0      0        0        0



[root@callisto:~#] netstat -rne

Kernel IP routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface

10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 GRE

10.2.2.0        0.0.0.0         255.255.255.252 U     0      0        0 GRE

192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1

192.168.14.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

192.168.45.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1

127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo

0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0        0 eth1



scar# show running-config

...

interface Tunnel0

 ip address 10.2.2.2 255.255.255.252

 tunnel source Ethernet1

 tunnel destination 192.168.14.1

!

ip route 192.168.45.0 255.255.255.0 Tunnel0

...

scar# show interfaces tunnel 0

Tunnel0 is up, line protocol is up

  Hardware is Tunnel

  Internet address is 10.2.2.2/30

  MTU 1514 bytes, BW 9 Kbit, DLY 500000 usec,

     reliability 255/255, txload 1/255, rxload 1/255

  Encapsulation TUNNEL, loopback not set

  Keepalive not set

  Tunnel source 192.168.14.254 (Ethernet1), destination 192.168.14.1

  Tunnel protocol/transport GRE/IP, key disabled, sequencing disabled

  Checksumming of packets disabled,  fast tunneling enabled

  Last input 00:01:35, output 00:37:36, output hang never

  Last clearing of "show interface" counters never

  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 3

  Queueing strategy: fifo

  Output queue :0/0 (size/max)

  5 minute input rate 0 bits/sec, 0 packets/sec

  5 minute output rate 0 bits/sec, 0 packets/sec

     101 packets input, 13185 bytes, 0 no buffer

     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles

     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

     47 packets output, 7204 bytes, 0 underruns

     0 output errors, 0 collisions, 0 interface resets

     0 output buffer failures, 0 output buffers swapped out

scar# show ip route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP

       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area

       * - candidate default, U - per-user static route, o - ODR

       P - periodic downloaded static route



Gateway of last resort is 192.168.14.1 to network 0.0.0.0



C    192.168.14.0/24 is directly connected, Ethernet1

S    192.168.45.0/24 is directly connected, Tunnel0

     10.0.0.0/8 is variably subnetted, 4 subnets, 3 masks

S       10.0.0.2/32 is directly connected, Tunnel0

C       10.2.2.0/30 is directly connected, Tunnel0

C       10.0.1.0/24 is directly connected, TokenRing0

C       10.0.0.1/32 is directly connected, Loopback0

S*   0.0.0.0/0 [1/0] via 192.168.14.1



scar# debug tunnel

Tunnel Interface debugging is on



scar# terminal monitor

scar# ping 192.168.45.253



Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.45.253, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms

scar#

01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)

01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)

01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)

01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)

01:09:52: Tunnel0: GRE/IP encapsulated 192.168.14.254->192.168.14.1 (linktype=7, len=124)


Exercise 11-1: GRE Advanced Features

I suggest that you experiment with advanced GRE parameters such as sequencing and keys. Be aware, however, that this might introduce incompatibilities between the implementations.