Tue Sep 12 15:42:54 EDT 2017
Say we have network A at 10.0.1.0/24, and attached router A. Say we also have network B at 10.0.2.0/24, and attached router B. Between them, we have (inter)network C. Router A has an interface on network C with the address 172.16.17.18. Router B has an interface on network C with the address 172.19.20.21.
We want to connect networks A and B with a GRE tunnel.
Load the GRE kernel module on routers A and B:
# modprobe ip_gre
On router A:
# ip tunnel add netb mode gre remote 172.19.20.21 local 172.16.17.18 ttl 255
# ip link set netb up
# ip addr add 10.99.2.1/30 dev netb
# ip route add 10.0.2.0/24 dev netb
On router B:
# ip tunnel add neta mode gre remote 172.16.17.18 local 172.19.20.21 ttl 255
# ip link set neta up
# ip addr add 10.99.2.2/30 dev neta
# ip route add 10.0.1.0/24 dev neta
If we want to run GRE inside IPsec, simply use the IP addresses of the VPN endpoints as the remote and local addresses for the tunnel.
If router A had an IPsec connection from its 10.0.1.1 address to router B’s 10.0.2.1 VPN address, the GRE tunnel setup on router A would be:
# ip tunnel add netb mode gre remote 10.0.2.1 local 10.0.1.1 ttl 255
Note that with GRE (and even more so with GRE inside IPsec) MTU may be a concern, since each layer of encapsulation adds its own headers to every packet. A safe, conservative value for the tunnel interface is 1400 (netb on router A, neta on router B):
# ip link set netb mtu 1400
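As an added illustration (not part of this note), the following Python builds and decodes the GRE-in-IPv4 encapsulation that the ip tunnel ... mode gre commands above produce, which is where the MTU overhead comes from: plain GRE with no key, sequence or checksum adds a 20-byte outer IPv4 header plus a 4-byte GRE header, so an inner packet must be 24 bytes smaller than the outer path MTU (1476 for a 1500-byte link, before IPsec adds its own ESP overhead, hence the margin in 1400). The addresses and sample packet are constructed from the scenario above; the decoder also handles the optional RFC 2890 key/sequence fields so it can be used to inspect GRE traffic from a capture.

```python
import struct
from ipaddress import IPv4Address

GRE_IPPROTO = 47         # IP protocol number that carries GRE (what "proto gre" matches)
ETHERTYPE_IPV4 = 0x0800  # GRE protocol type for an encapsulated IPv4 packet
IPV4_HDR_LEN = 20        # outer IPv4 header without options
GRE_HDR_LEN = 4          # RFC 2784 base header: flags/version + protocol type

def ip_checksum(data):
    """RFC 1071 one's-complement checksum used by the IPv4 header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=255):
    """Minimal IPv4 header (no options, DF set) with a correct checksum."""
    fields = [0x45, 0, IPV4_HDR_LEN + payload_len, 0, 0x4000, ttl, proto, 0,
              IPv4Address(src).packed, IPv4Address(dst).packed]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(local, remote, inner, ttl=255):
    """Wrap an inner IPv4 packet the way the tunnel does: 24 bytes of overhead."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # C=K=S=0, version 0: no optional fields
    outer_ip = ipv4_header(local, remote, GRE_IPPROTO, len(gre) + len(inner), ttl)
    return outer_ip + gre + inner

def gre_decapsulate(outer):
    """Return (outer_src, outer_dst, gre_protocol_type, inner_packet)."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[0] >> 4 != 4 or outer[9] != GRE_IPPROTO:
        raise ValueError("not GRE over IPv4")
    src, dst = str(IPv4Address(outer[12:16])), str(IPv4Address(outer[16:20]))
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + GRE_HDR_LEN])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version %d" % (flags & 7))
    # Optional 32-bit fields (RFC 2784/2890): C -> checksum+reserved, K -> key, S -> sequence
    hdr_len = GRE_HDR_LEN + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    return src, dst, ptype, outer[ihl + hdr_len:]

def inner_mtu(link_mtu):
    """Largest inner packet that fits the outer path MTU without fragmenting."""
    return link_mtu - IPV4_HDR_LEN - GRE_HDR_LEN

if __name__ == "__main__":   # constructed sample: host on net A pinging a host on net B
    inner = ipv4_header("10.0.1.5", "10.0.2.7", 1, 8) + bytes(8)
    outer = gre_encapsulate("172.16.17.18", "172.19.20.21", inner)
    print(len(outer) - len(inner), "bytes of GRE overhead; inner MTU for 1500:", inner_mtu(1500))
```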
If we’re not encapsulating GRE in IPsec, remember to allow GRE (IP protocol 47) on the firewall(s). Using PF, with <friendly_ip_addrs> a table holding the remote tunnel endpoint(s):
pass in on egress proto gre from <friendly_ip_addrs> keep state