GRE tunnels and their route forwarding under Linux

Source: Internet
Author: User

A tunnel is, literally, a passageway; there are point-to-point tunnels and other kinds. Tunnels under Linux are something I did not understand well, so here are notes on the GRE tunnel and the route forwarding I set up recently.

First, the basic concepts of tunnels:

Interconnecting two or more subnets that share one technology (protocol) or policy across a network built on a different technology (protocol) or policy, the so-called overlay topology, is a recurring theme of telecommunications.
As network technologies developed, many of them came to coexist, and an island of one technology often has to be connected across a network of another. When a higher-layer PDU is carried inside a lower-layer PDU this is usually called multiplexing; in particular, carrying layer-3 PDUs across a layer-2 network is a leased line or virtual circuit. When the traversal carries a PDU inside a PDU of the same layer, or even inside a PDU of a higher layer, it is commonly called a tunnel.
Tunnels let a PDU of one network technology cross a network that cannot forward it natively, for example multicast packets crossing a network without multicast support. Sometimes the barrier is administrative rather than technical: the subnet of one administrator (policy) cannot be connected directly to a network under another administrator (policy), and has to pass through a third party's network instead. The so-called VPN (Virtual Private Network), whether an L2 VPN or an L3 VPN, is implemented with tunneling technology. So a tunnel can be summed up as a technique for crossing a different network, where "different" may be technical or administrative.

A tunnel is implemented as a virtual interface. The tunnel interface is not bound to a specific "passenger" or "transport" protocol; it is a framework that can carry any standard point-to-point encapsulation. Because a tunnel is a point-to-point connection, a separate tunnel must be configured for each pair of endpoints.

GRE (Generic Routing Encapsulation, RFC 2784) works at layer three, the IP layer: the encapsulated packet is carried as the payload of an outer IP packet with IP protocol number 47. The mechanism is simple; the packet structure below shows most of it.


[Figure: GRE packet structure]

When the tunnel interface receives a packet (not necessarily an IP packet), it prepends a GRE header and an outer IP header addressed to the remote tunnel endpoint, and sends the result across the external network; the far end strips both headers and forwards the original packet.
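As an added example (not code from the original article), the encapsulation just described in Python: an inner IPv4 packet is wrapped in a GRE header (RFC 2784 base header with optional checksum, RFC 2890 key and sequence number) and an outer IPv4 header with protocol 47, then parsed back. The outer addresses are the article's tunnel endpoints; the inner packet and its "hello" payload are constructed sample data, not a real UDP datagram.

```python
"""GRE encapsulation worked example: wrap an IPv4 packet in a GRE header and an
outer IPv4 header (protocol 47), then parse it back and validate it.

Header layout follows RFC 2784 (base header, optional checksum) and RFC 2890
(key and sequence number). Addresses are the article's lab addresses; the inner
packet is constructed sample data.
"""
import socket
import struct
from typing import Optional

GRE_PROTO = 47            # IP protocol number of GRE in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload
FLAG_C = 0x8000           # checksum present (RFC 2784)
FLAG_K = 0x2000           # key present (RFC 2890)
FLAG_S = 0x1000           # sequence number present (RFC 2890)
VERSION_MASK = 0x0007     # low three bits of the first 16-bit word


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement checksum used by IPv4 and by GRE."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def gre_encap(inner: bytes, outer_src: str, outer_dst: str, key: Optional[int] = None,
              seq: Optional[int] = None, checksum: bool = False) -> bytes:
    """Return outer IPv4 header + GRE header + the unchanged inner packet."""
    flags = (FLAG_C if checksum else 0) | (FLAG_K if key is not None else 0) \
        | (FLAG_S if seq is not None else 0)
    gre = struct.pack("!HH", flags, ETHERTYPE_IPV4)      # version bits stay 0
    if checksum:
        gre += struct.pack("!HH", 0, 0)                    # checksum placeholder + reserved1
    if key is not None:
        gre += struct.pack("!I", key)                      # the key travels in cleartext
    if seq is not None:
        gre += struct.pack("!I", seq)
    if checksum:
        # RFC 2784: checksum covers GRE header and payload, with the field zeroed
        gre = gre[:4] + struct.pack("!H", inet_checksum(gre + inner)) + gre[6:]
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner


def gre_decap(packet: bytes) -> dict:
    """Parse an outer IPv4 + GRE packet; raise ValueError on anything malformed."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    if packet[9] != GRE_PROTO:
        raise ValueError("outer protocol %d is not GRE" % packet[9])
    body = packet[ihl:total_len]
    flags, ptype = struct.unpack("!HH", body[:4])
    if flags & VERSION_MASK:
        raise ValueError("unsupported GRE version")
    info = {"outer_src": socket.inet_ntoa(packet[12:16]),
            "outer_dst": socket.inet_ntoa(packet[16:20]),
            "proto_type": ptype, "key": None, "seq": None}
    off = 4
    if flags & FLAG_C:
        if inet_checksum(body) != 0:       # whole GRE header + payload sums to zero
            raise ValueError("bad GRE checksum")
        off += 4
    if flags & FLAG_K:
        info["key"] = struct.unpack("!I", body[off:off + 4])[0]
        off += 4
    if flags & FLAG_S:
        info["seq"] = struct.unpack("!I", body[off:off + 4])[0]
        off += 4
    info["inner"] = body[off:]
    return info


def gre_is_valid(packet: bytes) -> bool:
    try:
        gre_decap(packet)
        return True
    except (ValueError, struct.error, IndexError):
        return False


# Constructed sample: an IPv4 packet (protocol field 17) from a host behind A to a
# host behind B, with a dummy 5-byte payload, carried between the tunnel endpoints.
SAMPLE_PAYLOAD = b"hello"
SAMPLE_INNER = ipv4_header("10.10.1.5", "20.10.1.7", 17, len(SAMPLE_PAYLOAD)) + SAMPLE_PAYLOAD


def build_sample(key: Optional[int] = 1234, checksum: bool = True) -> bytes:
    return gre_encap(SAMPLE_INNER, "172.19.1.1", "172.19.1.2", key=key, seq=1, checksum=checksum)


if __name__ == "__main__":
    parsed = gre_decap(build_sample())
    print("outer %s -> %s, key=%r seq=%r, inner=%d bytes" % (
        parsed["outer_src"], parsed["outer_dst"], parsed["key"], parsed["seq"], len(parsed["inner"])))
```

Note that anyone who can see the outer packet can read the key with `gre_decap`: it is a 32-bit demultiplexing value, not a secret, and the checksum only detects corruption, not tampering.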


Site environment:

Two Linux machines act as GRE tunnel routers. Their 172.19.x addresses (the "intranet") can already reach each other; the 10.x and 20.x networks (the "extranets") cannot.

Machine A: eth1: 10.10.1.1

           bond0: 172.19.1.1

Machine B: eth1: 20.10.1.1

           bond0: 172.19.1.2

Once the tunnel is up, the 10.10.1.0/24 segment behind A can reach the 20.10.1.0/24 segment behind B.



1. Enable IP forwarding on both Linux machines, so that they can act as routers:

vim /etc/sysctl.conf    # change net.ipv4.ip_forward=0 to net.ipv4.ip_forward=1
sysctl -p

2. Create the tunnel (machine A):

modprobe ip_gre
ip tunnel add my_tunnel mode gre remote 172.19.1.2 local 172.19.1.1
    # my_tunnel is the name you want for the tunnel; use the same name in every command below.
    # local is this machine's intranet IP, remote is the peer's intranet IP; confirm the two
    # can reach each other before going on.
ip link set my_tunnel up
ip addr add 192.168.8.1 peer 192.168.8.11 dev my_tunnel
    # this end's tunnel address is 192.168.8.1, the peer's is 192.168.8.11
route add -net 20.10.1.0 netmask 255.255.255.0 gw 192.168.8.11 dev my_tunnel
    # send traffic for 20.10.1.0/24 through the tunnel. The gateway is the peer's tunnel
    # address, not this machine's own 192.168.8.1; on a point-to-point tunnel the gateway
    # is cosmetic anyway and "dev my_tunnel" alone is enough.


Note: for the tunnel to come up on both machines, the two tunnel addresses must be able to ping each other, and for that the remote and local intranet IPs must already be able to ping each other; confirm that first. Also make sure no firewall between the two endpoints filters IP protocol 47 (GRE), or the tunnel will stay silent even though the endpoints ping.

3. Configure forwarding (machine A):

/sbin/iptables -t nat -A POSTROUTING -o eth1 -s 192.168.8.11 -j MASQUERADE
    # packets arriving from the peer's tunnel address 192.168.8.11 are SNATed to eth1's address
/sbin/iptables -A FORWARD -s 192.168.8.11 -o eth1 -j ACCEPT
    # allow forwarding of traffic from 192.168.8.11 out through eth1
/sbin/iptables -t nat -A POSTROUTING -o my_tunnel -s 10.10.1.0/24 -j MASQUERADE
    # packets from the 10.10.1.0/24 segment are SNATed to the tunnel address 192.168.8.1
/sbin/iptables -A FORWARD -s 10.10.1.0/24 -o my_tunnel -j ACCEPT
    # allow forwarding of the 10.10.1.0/24 segment into the tunnel

Then, on every host in the 10.10.1.0/24 segment, add a route for the 20 segment via machine A:

route add -net 20.10.1.0 netmask 255.255.255.0 gw 10.10.1.1

The FORWARD ACCEPT rules only matter if the FORWARD chain's policy is DROP; in that case the reply direction also needs a conntrack ESTABLISHED,RELATED rule, otherwise return packets are dropped.


Do the same on machine B with the addresses swapped: local 172.19.1.2 and remote 172.19.1.1, tunnel address 192.168.8.11 with peer 192.168.8.1, a route for 10.10.1.0/24 through the tunnel, and NAT for sources 192.168.8.1 and 20.10.1.0/24. The tunnel and its routes are then complete.
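As an added example (not the article's own script), the three steps above for both routers in one place: a generator that emits the `ip`, `sysctl` and `iptables` commands for side A or side B with the addresses mirrored, routes the far segment via the peer's tunnel address, and adds the TCP MSS clamp that the troubleshooting notes below describe for the MTU problem (1500 - 20 outer IPv4 - 4 GRE = 1476 bytes inner MTU, 1436 bytes MSS). The addresses and the tunnel name are the article's; the `--no-nat` variant, which forwards without the double NAT, is an assumption about how one would run it without address hiding. With `--apply` it executes the commands through `subprocess` and needs root, the ip_gre module and iptables.

```python
"""Generate (and optionally apply) the GRE tunnel, route and NAT setup for
router A or router B of the article's lab, mirroring the addresses per side.

Usage:  python3 gre_setup.py A            # print the commands for machine A
        python3 gre_setup.py B --apply    # run them on machine B (root required)
        python3 gre_setup.py A --no-nat   # plain routing through the tunnel, no NAT
"""
import subprocess
import sys

TUNNEL = "my_tunnel"    # tunnel interface name, as in the article
LAN_IF = "eth1"         # interface facing the 10.x / 20.x segment on each router

# Assumed lab addresses, taken from the article's site environment.
SIDES = {
    "A": dict(local="172.19.1.1", remote="172.19.1.2", tun_ip="192.168.8.1",
              peer_ip="192.168.8.11", lan="10.10.1.0/24", remote_lan="20.10.1.0/24"),
    "B": dict(local="172.19.1.2", remote="172.19.1.1", tun_ip="192.168.8.11",
              peer_ip="192.168.8.1", lan="20.10.1.0/24", remote_lan="10.10.1.0/24"),
}


def tunnel_mtu(link_mtu: int = 1500, key: bool = False, seq: bool = False,
               checksum: bool = False) -> int:
    """Largest inner packet that fits: link MTU minus outer IPv4 (20), base GRE (4)
    and 4 bytes for each optional GRE field in use."""
    return link_mtu - 20 - 4 - 4 * key - 4 * seq - 4 * checksum


def tcp_mss(mtu: int) -> int:
    """TCP payload per segment once the inner IPv4 (20) and TCP (20) headers are taken off."""
    return mtu - 40


def build_commands(side: str, nat: bool = True) -> list:
    c = SIDES[side]
    mtu = tunnel_mtu()
    cmds = [
        "sysctl -w net.ipv4.ip_forward=1",                       # step 1: enable routing
        "modprobe ip_gre",                                      # step 2: the tunnel
        f"ip tunnel add {TUNNEL} mode gre local {c['local']} remote {c['remote']} ttl 64",
        f"ip link set {TUNNEL} mtu {mtu} up",
        f"ip addr add {c['tun_ip']} peer {c['peer_ip']} dev {TUNNEL}",
        # route the far segment via the peer's tunnel address, not our own
        f"ip route add {c['remote_lan']} via {c['peer_ip']} dev {TUNNEL}",
        # clamp TCP MSS on SYNs entering the tunnel so encapsulated segments fit the link MTU
        f"iptables -t mangle -A FORWARD -o {TUNNEL} -p tcp --tcp-flags SYN,RST SYN "
        f"-j TCPMSS --set-mss {tcp_mss(mtu)}",
        # reply traffic; only matters when the FORWARD policy is DROP
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if nat:
        # step 3 as in the article: SNAT at both ends of the tunnel
        cmds += [
            f"iptables -t nat -A POSTROUTING -o {LAN_IF} -s {c['peer_ip']} -j MASQUERADE",
            f"iptables -A FORWARD -s {c['peer_ip']} -o {LAN_IF} -j ACCEPT",
            f"iptables -t nat -A POSTROUTING -o {TUNNEL} -s {c['lan']} -j MASQUERADE",
            f"iptables -A FORWARD -s {c['lan']} -o {TUNNEL} -j ACCEPT",
        ]
    else:
        # plain routing: no NAT, just allow both directions through the tunnel
        cmds += [
            f"iptables -A FORWARD -s {c['lan']} -o {TUNNEL} -j ACCEPT",
            f"iptables -A FORWARD -i {TUNNEL} -s {c['remote_lan']} -o {LAN_IF} -j ACCEPT",
        ]
    return cmds


def apply_commands(cmds: list) -> None:
    """Run each command; stops at the first failure so a half-built tunnel is visible."""
    for cmd in cmds:
        subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    side = sys.argv[1].upper() if len(sys.argv) > 1 else "A"
    commands = build_commands(side, nat="--no-nat" not in sys.argv)
    if "--apply" in sys.argv:
        apply_commands(commands)
    else:
        print("\n".join(commands))
```

Without NAT, the hosts on each segment still need the static route to the other segment via their own router (the `route add -net ... gw 10.10.1.1` line from step 3), and the far segment then sees their real addresses.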


But honestly, does this really need a tunnel, or would plain NAT forwarding have done the job? In this environment the 10 and 20 segments have no path to each other except across the 172.19 network, so some tunnel is needed; it is the double NAT that is optional. With the routes in place on both routers, plain forwarding through the tunnel already works, and the NAT only hides each segment's addresses from the other.


Troubleshooting the GRE tunnel:

1. GRE wraps one packet inside another, so a GRE datagram can end up larger than the MTU of the outgoing interface: on a 1500-byte link the 20-byte outer IPv4 header and 4-byte GRE header leave 1476 bytes for the inner packet, and 1436 bytes for the TCP payload. On Cisco routers the fix is `ip tcp adjust-mss 1436` on the tunnel interface; on Linux the equivalent is a TCP MSS clamp with the netfilter TCPMSS target on the SYN packets forwarded into the tunnel. In addition, GRE provides neither encryption nor authentication. A key can be set at both ends (Cisco `tunnel key`, or `key` on `ip tunnel add` under Linux), but it is a 32-bit value sent in cleartext in the GRE header and only tells tunnels apart; it is not a password, and anyone on the path can read or forge it. For confidentiality and integrity, run GRE over IPsec, which is more complicated to set up.

2. A GRE tunnel keeps no state: one end may be down while the other is still up, and the up end keeps forwarding into a black hole. On Cisco routers the fix is to enable keepalives on both ends of the tunnel: each end periodically sends keepalive packets to the other to confirm it is still up, and if keepalives stop arriving in time, the tunnel interface on that side is brought down as well. Linux ip_gre has no keepalive feature; to get the same effect, run a routing protocol across the tunnel or an external liveness check (for example periodic pings of the peer's tunnel address) and withdraw the route when the peer stops answering.



This article is from the "Danielqu" blog; please keep this source when reproducing it: http://qujunorz.blog.51cto.com/6378776/1767933
