# GRE Tunnels on Linux #

Tue Sep 12 15:42:54 EDT 2017

Say we have network A at 10.0.1.0/24, and attached router A. Say we also have network B at 10.0.2.0/24, and attached router B. Between them, we have (inter)network C. Router A has an interface on network C with the address 172.16.17.18. Router B has an interface on network C with the address 172.19.20.21.

We want to connect networks A and B with a GRE tunnel.

Load the GRE kernel module on routers A and B:

```
# modprobe ip_gre
```

On router A:

```
# ip tunnel add netb mode gre remote 172.19.20.21 local 172.16.17.18 ttl 255
# ip link set netb up
# ip addr add 10.99.2.1/30 dev netb
# ip route add 10.0.2.0/24 dev netb
```

On router B:

```
# ip tunnel add neta mode gre remote 172.16.17.18 local 172.19.20.21 ttl 255
# ip link set neta up
# ip addr add 10.99.2.2/30 dev neta
# ip route add 10.0.1.0/24 dev neta
```

## GRE with IPsec ##

GRE on its own provides neither encryption nor authentication, so traffic that must be protected across network C should run inside IPsec. If we want to run GRE inside IPsec, simply use the IP addresses of the VPN endpoints as the remote and local addresses for the tunnel. If router A had an IPsec connection from its 10.0.1.1 address to router B's 10.0.2.1 VPN address, the GRE tunnel setup on router A would be:

```
# ip tunnel add netb mode gre remote 10.0.2.1 local 10.0.1.1 ttl 255
```

## MTU ##

Note that for GRE (and IPsec) MTU may be a concern, because each layer of encapsulation takes bytes out of the link MTU:

- 24 bytes for GRE encapsulation (20-byte outer IPv4 header plus the 4-byte GRE header)
- 56 bytes for IPsec (although it varies a little)
- Don't forget, when using VoIP, that RTP adds a 12 byte header.

A safe, conservative value for the tunnel interface is 1400 (shown here for `netb` on router A; use `neta` on router B):

```
# ip link set netb mtu 1400
```

## Firewalls ##

If we're not encapsulating GRE in IPsec, remember to allow GRE (IP protocol 47) on the firewall(s), restricted to the tunnel peer's address.

Using PF, on router A (router B's network C address is the peer):

```
pass in on egress proto gre from 172.19.20.21 keep state
```

## Links ##

- http://lartc.org/howto/lartc.tunnel.gre.html
- http://www.tldp.org/HOWTO/Adv-Routing-HOWTO/lartc.tunnel.gre.html
- https://wiki.linuxfoundation.org/networking/tunneling#gre-tunnels
- https://supportforums.cisco.com/t5/network-infrastructure-documents/how-to-configure-a-gre-tunnel/ta-p/3131970
- https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
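As an added example (not part of the original notes), the following Python script makes the MTU and firewall sections concrete: it builds a basic GRE encapsulation (RFC 2784 header with no checksum, key or sequence fields) around a constructed inner IPv4 packet, so the 24-byte overhead can be measured rather than taken on faith; it parses the result back out, skipping optional GRE fields if their flag bits are set; and it applies the same peer check the PF rule expresses, accepting GRE only from the configured tunnel endpoint. The router addresses are the ones from the notes; the inner hosts 10.0.1.5 and 10.0.2.7, the function names and the 1500-byte link MTU are assumptions made for the example.

```python
import ipaddress
import struct

# Addresses on (inter)network C from the notes; the inner hosts below are constructed.
ROUTER_A_C = "172.16.17.18"
ROUTER_B_C = "172.19.20.21"

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
GRE_OVERHEAD = 24        # 20-byte outer IPv4 header + 4-byte basic GRE header
IPSEC_OVERHEAD = 56      # conservative estimate used in the notes
RTP_HEADER = 12          # added by VoIP on top of UDP, inside the tunnel

# GRE flag bits (RFC 2784/2890); each set bit adds a 4-byte optional field.
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def ipv4_checksum(data: bytes) -> int:
    """Standard one's-complement checksum over the header; valid headers sum to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 255) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
    )
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def gre_encapsulate(inner: bytes, local: str, remote: str, ttl: int = 255) -> bytes:
    """Wrap an inner IPv4 packet in a basic GRE header and an outer IPv4 header."""
    gre_hdr = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no C/K/S bits, version 0
    payload = gre_hdr + inner
    return ipv4_header(local, remote, IPPROTO_GRE, len(payload), ttl) + payload


def parse_gre(packet: bytes):
    """Return (outer_src, outer_dst, gre_protocol_type, inner_packet) or raise ValueError."""
    if len(packet) < GRE_OVERHEAD:
        raise ValueError("too short for IPv4 + GRE")
    ihl = (packet[0] & 0x0F) * 4
    if (packet[0] >> 4) != 4 or packet[9] != IPPROTO_GRE:
        raise ValueError("not an IPv4 packet carrying GRE")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, proto_type = struct.unpack("!HH", packet[ihl:ihl + 4])
    offset = ihl + 4
    for flag in (GRE_FLAG_CHECKSUM, GRE_FLAG_KEY, GRE_FLAG_SEQUENCE):
        if flags & flag:
            offset += 4  # skip the optional field; its value is not needed here
    return src, dst, proto_type, packet[offset:]


def allowed_gre_peer(packet: bytes, local: str, peer: str) -> bool:
    """The check the PF rule expresses: GRE is accepted only from the tunnel peer."""
    try:
        src, dst, _, _ = parse_gre(packet)
    except ValueError:
        return False
    return src == peer and dst == local


def tunnel_mtu(link_mtu: int, ipsec: bool = False) -> int:
    """MTU to set on the GRE interface so encapsulated packets fit the link MTU."""
    return link_mtu - GRE_OVERHEAD - (IPSEC_OVERHEAD if ipsec else 0)


def rtp_payload_budget(link_mtu: int, ipsec: bool = False) -> int:
    """Bytes left for RTP payload: tunnel MTU minus inner IPv4 (20), UDP (8) and RTP (12)."""
    return tunnel_mtu(link_mtu, ipsec) - 20 - 8 - RTP_HEADER


if __name__ == "__main__":
    # Constructed inner packet: 8 bytes of UDP-like payload from a host on A to a host on B.
    inner = ipv4_header("10.0.1.5", "10.0.2.7", 17, 8) + b"\x00" * 8
    outer = gre_encapsulate(inner, ROUTER_A_C, ROUTER_B_C)
    print("GRE overhead:", len(outer) - len(inner), "bytes")
    print("Parsed:", parse_gre(outer)[:3])
    print("Accepted on router B:", allowed_gre_peer(outer, ROUTER_B_C, ROUTER_A_C))
    print("Tunnel MTU with IPsec on a 1500-byte link:", tunnel_mtu(1500, ipsec=True))
```

With a 1500-byte link, `tunnel_mtu` gives 1476 for plain GRE and 1420 with the IPsec estimate, which is why 1400 is a comfortable value; `allowed_gre_peer` returns False for the same packet evaluated from router A's side, since there the outer source is not the peer.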