• Author:
  • Email: [email protected]
  • Date: 2020.01.23
  • Copyright: Shall not be reproduced without permission!!
  • Version: openswan – 2.6.51.5
  • Reference: download.openswan.org/openswan/

Contents

0. Foreword

1. Tunnel types supported by the Linux kernel

2. The GRE tunnel connects to hosts with the same subnet address across (public) networks

2.1 Topology Environment:

2.1 Ubuntu Configuration:

2.1.1 Adding a GRE Tunnel

2.1.2 Configuring the IP address of the GRE Tunnel Interface

2.1.3 Activating the GRE Tunnel Interface IP address

2.2 CentOS Configuration:

2.3 Ping Packets to Test Communication Links

3. The GRE tunnel connects to hosts with different subnet addresses across (public) networks

3.1 Topology Environment

3.2 Ubuntu configuration

3.2.1 Setting an IP address for ens33 subinterfaces

3.2.2 Adding another GRE Tunnel Interface and Making it Up

3.2.3 Configuring the IP address of the tunnel interface

3.2.4 Adding the Peer terminal Routing table

3.3 CentOS configuration

3.3.1 Setting the IP address of the eth0 subinterface

3.3.2 Adding another GRE tunnel Interface and Making it Up

3.3.3 Configuring the IP address of the tunnel interface

3.3.4 Adding the Peer terminal Routing table

3.4 Ping Testing link connectivity

0. Foreword

IPsec is a point-to-point protocol: it does not support multicast and cannot protect multicast or broadcast packets, so IPsec alone cannot be used for audio and video conferencing. In such cases GRE over IPsec is commonly used. The usual explanation goes like this: GRE can encapsulate multicast and broadcast packets but cannot encrypt their content, while IPsec can encrypt packets but cannot encapsulate multicast and broadcast packets, so the two protocols are combined into GRE over IPsec. However, after searching a lot of material (there is actually not much to find), I could not discover why GRE can encapsulate multicast and broadcast packets while IPsec cannot. Both are point-to-point protocols, so why does GRE work where IPsec does not? Since I did not find the answer, I could not verify my own idea either. I therefore set up a GRE tunnel environment and studied how GRE tunnels operate and are configured in the Linux kernel, hoping to get some inspiration.

Setting up a GRE tunnel environment is actually very simple, because the Linux kernel already supports GRE tunnels, so you can configure the environment directly on two virtual machines (Ubuntu and CentOS).

1. Tunnel types supported by the Linux kernel

The Linux kernel supports several tunnel types, including IPIP tunnels, GRE tunnels and others that I have not yet looked at. Beyond those there are of course also the IPsec and L2TP protocols, which I have not used so far either, I am ashamed to say.

The following sets up two topologies in order to learn the basic rules of GRE tunnels and to analyse the possible reasons why GRE and IPsec behave differently when encapsulating multicast and broadcast packets.

2. The GRE tunnel connects to hosts with the same subnet address across (public) networks

2.1 Topology Environment:

My equipment at home is limited: only one computer, which reaches the Internet through a wireless card, so the topology is rather poor. That does not really matter; all that counts is that my two virtual machines, Ubuntu and CentOS, are bridged and can reach each other over the network.

Now I am going to connect two hosts, 10.1.2.1/24 and 10.1.2.2/24 (made-up addresses, just for the test), so that they communicate through the GRE tunnel. In principle the two addresses belong to two different subnets (the Ubuntu subnet and the CentOS subnet, which happen to use the same network segment) and cannot communicate with each other directly.

2.1 Ubuntu Configuration:

First, I check whether there is any GRE interface in the virtual machine.

root@ubantu:/home/toney# ifconfig -a
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2409:8a00:18e9:810:141:383c:ac6f:8b11  prefixlen 64  scopeid 0x0<global>
        inet6 2409:8a00:18e9:810:f8dd:500e:b1a:463b  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::8e84:574c:7a8b:440a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fb:db:ad  txqueuelen 1000  (Ethernet)
        RX packets 3581  bytes 1030105 (1.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1177  bytes 114532 (114.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 160  bytes 12920 (12.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 160  bytes 12920 (12.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.1.1 Adding a GRE Tunnel

ip tunnel add Tunnel-1 mode gre remote 192.168.1.13 local 192.168.1.10

When adding a GRE tunnel you must give it a name, Tunnel-1 in this example, and set the mode to gre because a GRE tunnel is being created. The tunnel endpoints (the addresses of the outer IP header) are 192.168.1.10 (local) and 192.168.1.13 (remote).

Because this is the first time the command is run, it also loads the GRE tunnel driver modules; GRE tunnels can only be configured on top of them, but the kernel takes care of that automatically.

Nothing bad happens if you omit the remote and local addresses when adding a tunnel: the command fails, but the GRE driver modules are still loaded as a side effect. The following shows what happens when the tunnel is added without the remote and local addresses:

root@ubantu:/home/toney# ip tunnel add Tunnel-1
cannot determine tunnel mode (ipip, gre, vti or sit)
root@ubantu:/home/toney# ifconfig -a
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2409:8a00:18e9:810:141:383c:ac6f:8b11  prefixlen 64  scopeid 0x0<global>
        inet6 2409:8a00:18e9:810:200d:99e2:4f3d:cb6f  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::8e84:574c:7a8b:440a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fb:db:ad  txqueuelen 1000  (Ethernet)
        RX packets 5038  bytes 5896155 (5.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2744  bytes 309264 (309.2 KB)
        TX errors 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 164  bytes 15044 (15.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 164  bytes 15044 (15.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@ubantu:/home/toney# ip tunnel add Tunnel-1 mode gre
add tunnel "gre0" failed: File exists
root@ubantu:/home/toney# ifconfig -a
ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2409:8a00:18e9:810:141:383c:ac6f:8b11  prefixlen 64  scopeid 0x0<global>
        inet6 2409:8a00:18e9:810:200d:99e2:4f3d:cb6f  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::8e84:574c:7a8b:440a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fb:db:ad  txqueuelen 1000  (Ethernet)
        RX packets 5097  bytes 5900501 (5.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2766  bytes 311496 (311.4 KB)
        TX errors 0  overruns 0  carrier 0  collisions 0

erspan0: flags=4098<BROADCAST,MULTICAST>  mtu 1450
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

gre0: flags=128<NOARP>  mtu 1452
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

gretap0: flags=4098<BROADCAST,MULTICAST>  mtu 1462
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 164  bytes 15044 (15.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 164  bytes 15044 (15.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

root@ubantu:/home/toney# lsmod | grep gre
ip_gre                 28672  0
ip_tunnel              24576  1 ip_gre
gre                    16384  1 ip_gre
root@ubantu:/home/toney#

If you enter the complete command, Tunnel-1 is added successfully:

root@ubantu:/home/toney# ifconfig -a
Tunnel-1: flags=144<POINTOPOINT,NOARP>  mtu 1476
        unspec C0-A8-01-0A-00-00-00-87-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ens33: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.10  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 2409:8a00:18e9:810:141:383c:ac6f:8b11  prefixlen 64  scopeid 0x0<global>
        inet6 2409:8a00:18e9:810:200d:99e2:4f3d:cb6f  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::8e84:574c:7a8b:440a  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:fb:db:ad  txqueuelen 1000  (Ethernet)
        RX packets 5745  bytes 5947674 (5.9 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2965  bytes 329731 (329.7 KB)
        TX errors 0  overruns 0  carrier 0  collisions 0

erspan0: flags=4098<BROADCAST,MULTICAST>  mtu 1450
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

gre0: flags=128<NOARP>  mtu 1452
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

gretap0: flags=4098<BROADCAST,MULTICAST>  mtu 1462
        ether 00:00:00:00:00:00  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 169  bytes 15509 (15.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 169  bytes 15509 (15.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

2.1.2 Configuring the IP address of the GRE Tunnel Interface

ip addr add 10.1.2.1/24 dev Tunnel-1

or

ifconfig Tunnel-1 10.1.2.1/24

From the result of adding the tunnel, interface Tunnel-1 has been created, but it is down and has no IP address. Wait, then what are the remote and local addresses we specified when adding the tunnel?

They are the addresses written into the outer IP header that the GRE tunnel wraps around each packet. They say nothing about which packets should be encapsulated, and that part is not configured yet.

The purpose of configuring an IP address on the interface is to decide which packets enter the GRE interface and get encapsulated through the tunnel. Why is an IP address needed? Because packets are steered into Tunnel-1 by routing; without an address on the interface, what would the route point at?
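To make the two points above concrete (the remote/local pair becomes the outer header, and the interface address plus routing decide what gets wrapped), here is an added example that is not part of the original post: a small pure-Python GRE encapsulator and decapsulator following RFC 2784, standing in for what the kernel's ip_gre driver does on transmit and receive. The endpoint addresses are the ones from this section; the inner packet, a UDP datagram to the multicast group 224.0.0.9 (the RIPv2 group), is a constructed sample, and all function names are this example's own. It also shows where the `mtu 1476` in the ifconfig output comes from: 1500 minus a 20-byte outer IPv4 header minus a 4-byte GRE header. Note that the inner destination is a multicast group while the outer packet is plain unicast between the two endpoints, so the underlying network only ever sees unicast IP protocol 47 between the tunnel ends; that is the mechanism by which GRE carries multicast over a unicast path.

```python
import ipaddress
import struct
from typing import Tuple

IPPROTO_GRE = 47          # outer IP protocol number used by GRE
IPPROTO_UDP = 17
ETHERTYPE_IPV4 = 0x0800   # GRE protocol type for an IPv4 payload
IPV4_HDR_LEN = 20         # IPv4 header without options
GRE_BASE_HDR_LEN = 4      # flags/version (2 bytes) + protocol type (2 bytes)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (returns 0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """IPv4 header (no options) + payload, with the header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload), 0, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def gre_encapsulate(inner: bytes, local: str, remote: str) -> bytes:
    """Transmit side: outer IPv4 (proto 47, src=local, dst=remote) + GRE + inner packet."""
    gre_hdr = struct.pack("!HH", 0x0000, ETHERTYPE_IPV4)   # C=0, no key/seq, version 0
    return build_ipv4(local, remote, IPPROTO_GRE, gre_hdr + inner)


def gre_decapsulate(packet: bytes) -> Tuple[str, str, bytes]:
    """Receive side: validate the outer headers, return (outer_src, outer_dst, inner packet)."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 header checksum")
    flags_ver, ptype = struct.unpack("!HH", packet[ihl:ihl + GRE_BASE_HDR_LEN])
    if flags_ver & 0x0007:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported inner protocol type 0x%04x" % ptype)
    # The C bit adds a 4-byte checksum + reserved1 field before the payload.
    gre_len = GRE_BASE_HDR_LEN + (4 if flags_ver & 0x8000 else 0)
    return (str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)),
            packet[ihl + gre_len:total_len])


def is_gre(packet: bytes) -> bool:
    """True if the packet decapsulates cleanly as IPv4-over-GRE-over-IPv4."""
    try:
        gre_decapsulate(packet)
        return True
    except (ValueError, struct.error):
        return False


def tunnel_mtu(link_mtu: int = 1500) -> int:
    """Why ifconfig shows mtu 1476 on Tunnel-1: link MTU minus outer IPv4 minus GRE."""
    return link_mtu - IPV4_HDR_LEN - GRE_BASE_HDR_LEN


def demo() -> dict:
    """Constructed sample: a RIPv2-style UDP datagram to multicast group 224.0.0.9,
    sent from 10.1.2.1 and routed into Tunnel-1 (local 192.168.1.10, remote 192.168.1.13)."""
    udp = struct.pack("!HHHH", 520, 520, 8 + 3, 0) + b"RIP"   # UDP checksum left at 0
    inner = build_ipv4("10.1.2.1", "224.0.0.9", IPPROTO_UDP, udp)
    outer = gre_encapsulate(inner, "192.168.1.10", "192.168.1.13")
    outer_src, outer_dst, recovered = gre_decapsulate(outer)
    inner_dst = ipaddress.IPv4Address(recovered[16:20])
    return {
        "outer_src": outer_src,
        "outer_dst": outer_dst,
        "outer_is_multicast": ipaddress.IPv4Address(outer_dst).is_multicast,
        "inner_dst": str(inner_dst),
        "inner_is_multicast": inner_dst.is_multicast,
        "overhead": len(outer) - len(inner),
        "roundtrip_ok": recovered == inner,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("tunnel mtu:", tunnel_mtu())
```

Running the block prints the outer unicast endpoints, the multicast inner destination, the 24-byte overhead and the 1476-byte tunnel MTU. A capture on ens33 during the ping test in 2.3 shows exactly this shape: IP protocol 47 between 192.168.1.10 and 192.168.1.13, with the 10.1.2.x addresses only visible inside.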

2.1.3 Activating the GRE Tunnel Interface IP address

ifconfig Tunnel-1 up

or

ip link set Tunnel-1 up

It does not matter whether you assign the IP address first or bring the interface up first; treat the tunnel interface like any other Ethernet interface.

2.2 CentOS Configuration:

The CentOS VM is configured in the same way as Ubuntu, with local and remote swapped:

ip tunnel add Tunnel-1 mode gre local 192.168.1.13 remote 192.168.1.10
ip link set Tunnel-1 up
ip addr add 10.1.2.2/24 dev Tunnel-1

The resulting configuration is as follows:

[root@toney toney]# ifconfig
Tunnel-1  Link encap:UNSPEC  HWaddr C0-A8-01-0D-FF-FF-90-6D-00-00-00-00-00-00-00-00-00
          inet addr:10.1.2.2  P-t-P:10.1.2.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP  MTU:1476  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:DA:34:3C
          inet addr:192.168.1.13  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: 2409:8a00:18e9:810:20c:29ff:feda:343c/64 Scope:Global
          inet6 addr: fe80::20c:29ff:feda:343c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3571 errors:0 dropped:0 overruns:0 frame:0
          TX packets:781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:236685 (231.1 KiB)  TX bytes:71021 (69.3 KiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:240 (240.0 b)  TX bytes:240 (240.0 b)

Routing table information is as follows:

2.3 Ping Packets to Test Communication Links

One thing to note here: iptables filtering may be enabled on the Linux hosts, in which case a capture taken during the ping shows messages such as ICMP host 192.168.1.13 unreachable - admin prohibited, length 116.

Run the following on both VMs:

iptables -F

Then the ping test passes (flushing every rule with iptables -F is the quick fix on lab VMs; the rule that is actually needed is one that accepts IP protocol 47, GRE, from the peer):

The basic GRE tunnel environment is set up successfully.

3. The GRE tunnel connects to hosts with different subnet addresses across (public) networks

3.1 Topology Environment

Purpose: connect 20.1.2.1/24 and 20.1.3.2/24 so that they communicate through the GRE tunnel.

3.2 Ubuntu configuration

3.2.1 Setting an IP address for ens33 subinterfaces

ifconfig ens33:1 192.168.100.1/24

The interface configuration now looks as follows:

3.2.2 Adding another GRE Tunnel Interface and Making it Up

ip tunnel add Tunnel-2 mode gre local 192.168.100.1 remote 192.168.100.2

ifconfig Tunnel-2 up

3.2.3 Configuring the IP address of the tunnel interface

ifconfig Tunnel-2 20.1.2.1/24

3.2.4 Adding the Peer terminal Routing table

The local end has no route to the peer's terminal network 20.1.3.0/24, so a route is needed that steers packets for that network segment into interface Tunnel-2, where they are encapsulated by the GRE tunnel.

route add -net 20.1.3.0/24 gw 20.1.2.1

3.3 CentOS configuration

3.3.1 Setting the IP address of the eth0 subinterface

ifconfig eth0:1 192.168.100.2/24

3.3.2 Adding another GRE tunnel Interface and Making it Up

ip tunnel add Tunnel-2 mode gre remote 192.168.100.1 local 192.168.100.2

ifconfig Tunnel-2 up

The results are as follows:

3.3.3 Configuring the IP address of the tunnel interface

ifconfig Tunnel-2 20.1.3.1/24

3.3.4 Adding the Peer terminal Routing table

The local end has no route to the peer's terminal network 20.1.2.0/24, so a route is needed that steers packets for that network segment into interface Tunnel-2, where they are encapsulated by the GRE tunnel.

route add -net 20.1.2.0/24 gw 20.1.3.1
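As an added example that is not part of the original post, tying steps 3.2.4 and 3.3.4 together: a small longest-prefix-match route table in Python that reproduces the forwarding decision on both hosts. A packet is only GRE-encapsulated when the route lookup sends it to the tunnel interface, so each end needs a route for the other end's terminal network via Tunnel-2. If one end lacks that route (or has it for the wrong prefix), its replies follow the default route and leave the underlay interface unencapsulated instead of going through the tunnel, which is why a one-sided configuration shows the request arriving but the ping still failing. The addresses are the ones from section 3; the default routes via 192.168.1.1 and the Host, Route and Tunnel classes are assumptions of this example, not kernel APIs.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class Route:
    """One FIB entry: destination prefix, egress device, optional gateway."""
    def __init__(self, prefix: str, dev: str, gw: Optional[str] = None):
        self.net = ipaddress.ip_network(prefix, strict=False)
        self.dev = dev
        self.gw = gw


class Tunnel:
    """A GRE interface and the outer (delivery) addresses it stamps on packets."""
    def __init__(self, name: str, local: str, remote: str):
        self.name, self.local, self.remote = name, local, remote


class Host:
    def __init__(self, name: str):
        self.name = name
        self.routes: List[Route] = []
        self.tunnels: Dict[str, Tunnel] = {}

    def add_route(self, prefix: str, dev: str, gw: Optional[str] = None) -> "Host":
        self.routes.append(Route(prefix, dev, gw))
        return self

    def add_tunnel(self, name: str, local: str, remote: str) -> "Host":
        self.tunnels[name] = Tunnel(name, local, remote)
        return self

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, the same rule the kernel FIB applies."""
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.net]
        return max(matches, key=lambda r: r.net.prefixlen) if matches else None

    def forward(self, dst: str) -> dict:
        """Decide what happens to a packet for dst leaving this host."""
        route = self.lookup(dst)
        if route is None:
            return {"action": "unreachable", "dev": None}
        tun = self.tunnels.get(route.dev)
        if tun is None:
            # Plain interface: the packet leaves as-is, no GRE header.
            return {"action": "plain", "dev": route.dev}
        # Tunnel interface: ip_gre wraps it with outer src/dst = local/remote.
        return {"action": "gre", "dev": tun.name,
                "outer_src": tun.local, "outer_dst": tun.remote}


def build_lab(centos_peer_prefix: Optional[str] = "20.1.2.0/24") -> Tuple[Host, Host]:
    """Section-3 topology. centos_peer_prefix is the route CentOS adds for Ubuntu's
    terminal network in step 3.3.4 (None means that step was skipped)."""
    ubuntu = (Host("ubuntu")
              .add_tunnel("Tunnel-2", "192.168.100.1", "192.168.100.2")
              .add_route("192.168.100.0/24", "ens33:1")            # sub-interface, 3.2.1
              .add_route("20.1.2.0/24", "Tunnel-2")                # connected, 3.2.3
              .add_route("20.1.3.0/24", "Tunnel-2", "20.1.2.1")    # added route, 3.2.4
              .add_route("0.0.0.0/0", "ens33", "192.168.1.1"))     # assumed LAN default route
    centos = (Host("centos")
              .add_tunnel("Tunnel-2", "192.168.100.2", "192.168.100.1")
              .add_route("192.168.100.0/24", "eth0:1")             # sub-interface, 3.3.1
              .add_route("20.1.3.0/24", "Tunnel-2")                # connected, 3.3.3
              .add_route("0.0.0.0/0", "eth0", "192.168.1.1"))      # assumed LAN default route
    if centos_peer_prefix:
        centos.add_route(centos_peer_prefix, "Tunnel-2", "20.1.3.1")  # 3.3.4
    return ubuntu, centos


def ping_round_trip(ubuntu: Host, centos: Host,
                    src: str = "20.1.2.1", dst: str = "20.1.3.1") -> dict:
    """Forwarding decision for the echo request (Ubuntu) and the echo reply (CentOS)."""
    return {"request": ubuntu.forward(dst), "reply": centos.forward(src)}


if __name__ == "__main__":
    for label, prefix in (("both routes", "20.1.2.0/24"),
                          ("3.3.4 skipped", None),
                          ("wrong prefix", "20.1.1.0/24")):
        u, c = build_lab(prefix)
        print(label, ping_round_trip(u, c))
```

With both routes in place the request and the reply are both reported as "gre" with outer addresses 192.168.100.1 and 192.168.100.2. With the CentOS route missing or entered for a prefix that does not contain 20.1.2.1, the reply is reported as "plain" on eth0: the packet is handed to the LAN gateway with its 20.1.x.x addresses in the clear and never reaches the tunnel, so checking the routing table on both ends is the first thing to do when the ping in 3.4 fails.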

3.4 Ping Testing link connectivity