Vyatta TunnelsRef R6.0 v03
Tunnels
REFERENCE GUIDE
GRE Tunnels
IP-in-IP Tunnels
Vyatta
Suite 200
1301 Shoreway Road
Belmont, CA 94002
vyatta.com
650 413 7200
1 888 VYATTA 1 (US and Canada)
COPYRIGHT
Copyright 2005-2010 Vyatta, Inc. All rights reserved.
Vyatta reserves the right to make changes to software, hardware, and documentation without notice. For the most recent version of documentation,
visit the Vyatta web site at vyatta.com.
PROPRIETARY NOTICES
Vyatta is a registered trademark of Vyatta, Inc.
VMware, VMware ESXi, and VMware Server are trademarks of VMware, Inc.
Table of Contents
Preface   viii
Intended Audience   ix
Document Conventions   x
Advisory Paragraphs   x
Typographic Conventions   x
Vyatta Publications   xi
Supported Standards   4
Glossary of Acronyms   34
Use this list to help you locate examples you'd like to try or look at.
Preface
This guide describes commands for configuring and monitoring Generic Routing
Encapsulation and IP-in-IP routable tunnel interfaces.
This preface provides information about using this guide. The following topics are
covered:
Intended Audience
Organization of This Guide
Document Conventions
Vyatta Publications
Intended Audience
This guide is intended for experienced system and network administrators. Depending on
the functionality to be used, readers should have specific knowledge in the following areas:
Networking and data communications
TCP/IP protocols
General router configuration
Routing protocols
Network administration
Network security
Chapter 3: Tunnel Commands   This chapter lists the commands for configuring GRE and IP-in-IP tunnels.   13
Glossary of Acronyms   34
Document Conventions
This guide contains advisory paragraphs and uses typographic conventions.
Advisory Paragraphs
This guide uses the following advisory paragraphs:
Warnings alert you to situations that may pose a threat to personal safety, as in the
following example:
WARNING Switch off power at the main breaker before attempting to connect the
remote cable to the service power at the utility box.
Cautions alert you to situations that might cause harm to your system or damage to
equipment, or that may affect service, as in the following example:
Notes provide information you might need to avoid problems or configuration errors:
NOTE You must create and configure network interfaces before enabling them for
routing protocols.
Typographic Conventions
This document uses the following typographic conventions:
Vyatta Publications
More information about the Vyatta system is available in the Vyatta technical library, and
on www.vyatta.com and www.vyatta.org.
Full product documentation is provided in the Vyatta technical library. To see what
documentation is available for your release, see the Guide to Vyatta Documentation. This
guide is posted with every release of Vyatta software and provides a great starting point for
finding the information you need.
Chapter 1: Tunneling Overview
This chapter gives a brief overview of tunneling support on the Vyatta system.
This chapter presents the following topics:
Supported Tunnel Types
Tunnel Interfaces and IPsec
Supported Standards
Supported Tunnel Types
GRE Tunnels
The GRE protocol provides a simple, general-purpose mechanism for encapsulating
packets from a wide variety of network protocols to be forwarded over another protocol.
The original packet (the passenger packet) can be one of many arbitrary network
protocols; for example, a multicast packet, an IPv6 packet, or a non-IP LAN protocol such
as AppleTalk, Banyan VINES, or Novell IPX. The delivery protocol can be one of a
number of routable IP protocols.
The passenger packet is first encapsulated within a GRE packet, creating the GRE tunnel.
The GRE packet is then encapsulated itself within a delivery protocol such as OSPF or
IPsec and forwarded to the remote destination.
You might use GRE if you want to:
Connect networks running non-IP protocols, such as native LAN protocols, across the
public IP network. Non-IP protocols such as Novell IPX or AppleTalk are not routable
across an IP network. A GRE tunnel allows you to create a virtual point-to-point link
between two such networks over the public WAN.
Route IPv6 packets across an IPv4 network, or connect any two similar networks
across an infrastructure that uses different IP addressing.
Encrypt multicast traffic. IPsec, which is a standard mechanism for providing security
on IP networks, cannot encrypt multicast packets. However, multicast packets can be
encapsulated within a GRE tunnel and then routed over a VPN connection, so that the
encapsulated packets are protected by the IPsec tunnel.
GRE tunnels are stateless, which means that the protocol does not automatically monitor
the state or availability of other endpoints. You can, however, direct the router to monitor
the far end of the tunnel by sending keep-alive messages. If the other end of the tunnel
becomes unavailable, its failure to respond to the messages will alert the router.
GRE provides no security other than a key that can be configured on each side of the tunnel.
This key is carried in each packet in clear text, which means that GRE is not secure. Where
security is required, GRE should be used in conjunction with IPsec.
GRE uses IP protocol number 47.
IP-in-IP Tunnels
The IP-in-IP encapsulation protocol is used to tunnel between networks that have different
capabilities or policies. For example, an IP-in-IP tunnel can be used to forward multicast
packets across a section of a network (such as an IPsec tunnel) that does not support
multicast routing. An IP-in-IP tunnel can also be used to influence the routing of the packet,
or to deliver a packet to a mobile device using Mobile IP.
In IP-in-IP encapsulation, a second IP header is inserted in front of the IP header of the
original packet (the passenger packet). The new IP header has as source and destination
addresses the addresses of the tunnel endpoints. The IP header of the payload packet
identifies the original sender and receiver. When the encapsulated packet exits the tunnel,
the outer IP header is stripped off, and the original IP packet is delivered to the final
destination.
IP-in-IP encapsulation is simple and robust. It is useful for connecting IPv4 networks that
otherwise would not be able to communicate; however, it has some limitations:
IP-in-IP encapsulation does not support broadcast traffic
IP-in-IP encapsulation does not support IPv6 traffic
For forwarding this kind of traffic, GRE may be more appropriate.
Like GRE, IP-in-IP has only the most basic security: a password-like key. This key is
carried in each packet in clear text, which means that IP-in-IP tunnels are not secure. For
secure communications, IP-in-IP tunnels should be used together with IPsec.
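As an added illustration (not part of this guide or of the Vyatta software), the following Python script builds and then decapsulates constructed GRE and IP-in-IP carrier packets of the kind described above, so you can see exactly what an on-path observer reads: the outer IP header carrying protocol 47 (GRE) or 4 (IP-in-IP), and for GRE the optional Key field in clear text. The passenger addresses 10.1.1.5 and 10.2.2.7 are made-up sample values; the tunnel endpoints, key 101088, TTL 220 and ToS 55 are the values used in this guide's configuration examples.

```python
import struct
from ipaddress import IPv4Address

IPPROTO_IPIP = 4      # RFC 1853 IP-in-IP
IPPROTO_GRE = 47      # RFC 2784 GRE; IP protocol number 47 as stated in this guide
GRE_CSUM, GRE_KEY, GRE_SEQ = 0x8000, 0x2000, 0x1000   # GRE header flag bits
ETHERTYPE_IPV4 = 0x0800                                # GRE Protocol Type for an IPv4 passenger

def build_ipv4(src, dst, proto, payload, ttl=64, tos=0):
    """Construct a minimal 20-byte IPv4 header (checksum left zero) ahead of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, ttl,
                      proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def build_gre(passenger, key=None):
    """Construct an RFC 2784 GRE header, adding the RFC 1702 Key field when key is set."""
    hdr = struct.pack("!HH", GRE_KEY if key is not None else 0, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)     # the key is sent in clear text, not hashed
    return hdr + passenger

def parse_ipv4(buf):
    """Return (header fields, payload) for an IPv4 packet, rejecting truncated input."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(buf) < total:
        raise ValueError("malformed IPv4 header")
    fields = {"src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
              "proto": proto, "ttl": ttl, "tos": tos}
    return fields, buf[ihl:total]

def parse_gre(buf):
    """Return (key or None, passenger bytes), walking the optional fields by flag bits."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto_type = struct.unpack("!HH", buf[:4])
    if flags & 0x0007 or proto_type != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE version or passenger protocol")
    off = 4 + (4 if flags & GRE_CSUM else 0)           # Checksum + Reserved1 come first
    key_off = off if flags & GRE_KEY else None
    off += (4 if flags & GRE_KEY else 0) + (4 if flags & GRE_SEQ else 0)
    if len(buf) < off:
        raise ValueError("truncated GRE optional fields")
    key = struct.unpack("!I", buf[key_off:key_off + 4])[0] if key_off is not None else None
    return key, buf[off:]

def decapsulate(packet):
    """Strip the carrier header and report what an on-path observer can read."""
    outer, payload = parse_ipv4(packet)
    if outer["proto"] == IPPROTO_GRE:
        key, passenger = parse_gre(payload)
        encap = "gre"
    elif outer["proto"] == IPPROTO_IPIP:
        key, passenger, encap = None, payload, "ipip"   # RFC 1853: passenger follows directly
    else:
        raise ValueError("not a GRE or IP-in-IP carrier packet")
    inner, _ = parse_ipv4(passenger)
    return {"encapsulation": encap, "outer": outer, "key": key, "inner": inner}

# Constructed samples: WEST (192.0.2.1) carries a made-up passenger 10.1.1.5 -> 10.2.2.7
# to EAST (192.0.2.33) with the key, TTL and ToS values from Examples 2-3 and 2-4.
PASSENGER = build_ipv4("10.1.1.5", "10.2.2.7", 17, b"hello", ttl=64)
GRE_SAMPLE = build_ipv4("192.0.2.1", "192.0.2.33", IPPROTO_GRE,
                        build_gre(PASSENGER, key=101088), ttl=220, tos=55)
IPIP_SAMPLE = build_ipv4("192.0.2.1", "192.0.2.33", IPPROTO_IPIP, PASSENGER, ttl=220, tos=55)

if __name__ == "__main__":
    print(decapsulate(GRE_SAMPLE))    # the key 101088 is readable without any secret
    print(decapsulate(IPIP_SAMPLE))
```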
Tunnel Interfaces and IPsec
For secure routable tunnels, GRE, IP-in-IP, and SIT tunnel interfaces should be used in
conjunction with an IPsec connection, so that the IP tunnel can be protected by the IPsec
tunnel.
IPsec is explained in detail in the Vyatta VPN Reference Guide. Please see that guide for
more information.
Supported Standards
The Vyatta implementation of GRE complies with the following standards:
RFC 1702: Generic Routing Encapsulation over IPv4 Networks
RFC 2784: Generic Routing Encapsulation
The Vyatta implementation of IP-in-IP complies with the following standard:
RFC 1853: IP in IP Tunneling
The use of tunnel interfaces with IPsec is documented in the following standard, which
describes the use of IP-in-IP tunnels combined with IPsec transport mode encryption to
provide secure routable tunnels:
RFC 3884: Use of IPsec Transport Mode for Dynamic Routing
Chapter 2: Tunnel Configuration Examples
This chapter provides configuration examples for GRE and IP-in-IP tunnels.
This chapter presents the following topics:
Before You Begin
Configuring a Basic GRE Tunnel
Configuring a More Complex GRE Tunnel
Configuring a Basic GRE Tunnel
Configure WEST
The GRE tunnel in the example configuration extends from eth1 on WEST through the
wide-area network to eth0 on EAST. In this example, you create the tunnel interface and
the tunnel endpoint on WEST.
The tunnel interface tun0 on WEST is assigned the IP address 192.0.2.1 on network
192.0.2.0/26.
The source IP address of the tunnel endpoint (the local-ip) is the same as the address
associated with the interface in this example.
The IP address of the other end of the tunnel is 192.0.2.33 on EAST.
Example 2-1 creates the tunnel interface and the tunnel endpoint on WEST. To do this,
perform the following steps on WEST in configuration mode.
Step                                      Command
Create the tunnel interface, and specify  vyatta@WEST# set interfaces tunnel tun0 address 192.0.2.1/26
the IP address to be associated with it.  [edit]
Specify the source IP address for the     vyatta@WEST# set interfaces tunnel tun0 local-ip 192.0.2.1
tunnel.                                   [edit]
Specify the IP address of the other end   vyatta@WEST# set interfaces tunnel tun0 remote-ip 192.0.2.33
of the tunnel.                            [edit]
Specify the encapsulation mode for the    vyatta@WEST# set interfaces tunnel tun0 encapsulation gre
tunnel.                                   [edit]
Assign a brief description for the        vyatta@WEST# set interfaces tunnel tun0 description "GRE tunnel to EAST"
tunnel interface.                         [edit]
Configure EAST
In this example, you create the tunnel endpoint on EAST.
The tunnel interface tun0 on EAST is assigned the IP address 192.0.2.33 on network
192.0.2.32/26.
The source IP address of the tunnel endpoint (the local-ip) is the same as the address
associated with the interface in this example.
The IP address of the other end of the tunnel is 192.0.2.1 on WEST. By assumption,
this IP address was previously configured for interface eth0 on WEST.
Example 2-2 creates the tunnel endpoint on EAST. To do this, perform the following steps
on EAST in configuration mode.
Step                                      Command
Create the tunnel interface, and specify  vyatta@EAST# set interfaces tunnel tun0 address 192.0.2.33/26
the IP address to be associated with it.  [edit]
Specify the source IP address for the     vyatta@EAST# set interfaces tunnel tun0 local-ip 192.0.2.33
tunnel.                                   [edit]
Specify the IP address of the other end   vyatta@EAST# set interfaces tunnel tun0 remote-ip 192.0.2.1
of the tunnel.                            [edit]
Specify the encapsulation mode for the    vyatta@EAST# set interfaces tunnel tun0 encapsulation gre
tunnel.                                   [edit]
Assign a brief description for the        vyatta@EAST# set interfaces tunnel tun0 description "GRE tunnel to WEST"
tunnel interface.                         [edit]
Configuring a More Complex GRE Tunnel
Configure WEST
Example 2-3 specifies additional values for the tunnel endpoint on WEST created in
Example 2-1:
A key 101088 is provided as a password-like mechanism. This value must match on
each side.
The time-to-live for packets is set to 220, the ToS field is set to 55, and MTU for
packets is set to 1460.
Two firewall rule sets are applied to the tunnel interface:
The rule set tun0-fw-in is applied to packets ingressing through the tunnel
interface.
The rule set tun0-fw-out is applied to packets egressing through the tunnel
interface.
(This example assumes that these firewall rule sets have already been defined. For
information on defining firewall rule sets, please see the Vyatta Firewall Reference
Guide.)
To configure the GRE tunnel endpoint, perform the following steps on WEST in
configuration mode.
Step                                      Command
Provide the authentication key.           vyatta@WEST# set interfaces tunnel tun0 key 101088
                                          [edit]
Set the time-to-live.                     vyatta@WEST# set interfaces tunnel tun0 ttl 220
                                          [edit]
Set the Type of Service.                  vyatta@WEST# set interfaces tunnel tun0 tos 55
                                          [edit]
Set the MTU.                              vyatta@WEST# set interfaces tunnel tun0 mtu 1460
                                          [edit]
Apply the firewall rule set for           vyatta@WEST# set interfaces tunnel tun0 firewall in name tun0-fw-in
incoming packets.                         [edit]
Apply the firewall rule set for           vyatta@WEST# set interfaces tunnel tun0 firewall out name tun0-fw-out
outgoing packets.                         [edit]
Configure EAST
Example 2-4 specifies additional values for the tunnel endpoint on EAST created in
Example 2-2:
A key 101088 is provided as a password-like mechanism. This value matches the key
configured for WEST.
The time-to-live for packets is set to 220, the ToS field is set to 55, and MTU for
packets is set to 1460.
Step                                      Command
Provide the authentication key.           vyatta@EAST# set interfaces tunnel tun0 key 101088
                                          [edit]
Set the time-to-live.                     vyatta@EAST# set interfaces tunnel tun0 ttl 220
                                          [edit]
Set the Type of Service.                  vyatta@EAST# set interfaces tunnel tun0 tos 55
                                          [edit]
Set the MTU.                              vyatta@EAST# set interfaces tunnel tun0 mtu 1460
                                          [edit]
Apply the firewall rule set for           vyatta@EAST# set interfaces tunnel tun0 firewall in name tun0-fw-in
incoming packets.                         [edit]
Apply the firewall rule set for           vyatta@EAST# set interfaces tunnel tun0 firewall out name tun0-fw-out
outgoing packets.                         [edit]
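The following Python script is an added example, not Vyatta code: it parses the configuration-mode commands of Examples 2-1 through 2-4 and checks that the WEST and EAST endpoints agree with each other (local-ip and remote-ip mirrored, same encapsulation and key, same MTU, and a firewall rule set applied in each direction), which is the kind of review worth doing before committing a tunnel pair. The second EAST listing, with a mistyped key, is constructed to show a mismatch being reported.

```python
import re

# Matches one configuration-mode command, with or without the vyatta@HOST# prompt.
SET_RE = re.compile(r"^(?:\S+#\s*)?set interfaces tunnel (tun\d+) (\S+)(?: (.+))?$")

def parse_tunnel_config(lines):
    """Collect 'set interfaces tunnel <tunx> <leaf> <value>' lines into a dict per tunnel.
    Lines that are not set commands, such as the '[edit]' echo, are skipped."""
    tunnels = {}
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue
        name, leaf, value = m.groups()
        node = tunnels.setdefault(name, {})
        if leaf == "firewall":                     # firewall <in|out> name <rule set>
            direction, _, ruleset = value.split(" ", 2)
            node["firewall " + direction] = ruleset
        else:
            node[leaf] = value
    return tunnels

def check_endpoint_pair(local, peer):
    """Return the problems found when comparing one tunnel endpoint with its far end."""
    problems = []
    for leaf in ("address", "local-ip", "remote-ip", "encapsulation"):
        if leaf not in local:                      # each is required for the tunnel to function
            problems.append(f"missing {leaf}")
    if local.get("remote-ip") != peer.get("local-ip"):
        problems.append("remote-ip does not match the peer's local-ip")
    if local.get("local-ip") != peer.get("remote-ip"):
        problems.append("local-ip does not match the peer's remote-ip")
    if local.get("encapsulation") != peer.get("encapsulation"):
        problems.append("encapsulation differs from the peer")
    if local.get("key") != peer.get("key"):
        problems.append("key differs from the peer (tunnel will not be established)")
    if local.get("mtu") != peer.get("mtu"):
        problems.append("mtu differs from the peer")
    for direction in ("in", "out"):
        if f"firewall {direction}" not in local:
            problems.append(f"no firewall rule set applied to {direction}bound packets")
    return problems

def audit(local_cli, peer_cli, name="tun0"):
    """Parse both routers' command transcripts and check the named tunnel from local's side."""
    local = parse_tunnel_config(local_cli).get(name, {})
    peer = parse_tunnel_config(peer_cli).get(name, {})
    return check_endpoint_pair(local, peer)

# Constructed input: the WEST commands from Examples 2-1 and 2-3 as typed in configuration mode.
WEST_CLI = """vyatta@WEST# set interfaces tunnel tun0 address 192.0.2.1/26
[edit]
vyatta@WEST# set interfaces tunnel tun0 local-ip 192.0.2.1
vyatta@WEST# set interfaces tunnel tun0 remote-ip 192.0.2.33
vyatta@WEST# set interfaces tunnel tun0 encapsulation gre
vyatta@WEST# set interfaces tunnel tun0 description GRE tunnel to EAST
vyatta@WEST# set interfaces tunnel tun0 key 101088
vyatta@WEST# set interfaces tunnel tun0 ttl 220
vyatta@WEST# set interfaces tunnel tun0 tos 55
vyatta@WEST# set interfaces tunnel tun0 mtu 1460
vyatta@WEST# set interfaces tunnel tun0 firewall in name tun0-fw-in
vyatta@WEST# set interfaces tunnel tun0 firewall out name tun0-fw-out""".splitlines()
# The EAST side from Examples 2-2 and 2-4; EAST_BAD_CLI is the same with a constructed typo.
EAST_CLI = ["set interfaces tunnel tun0 address 192.0.2.33/26",
            "set interfaces tunnel tun0 local-ip 192.0.2.33",
            "set interfaces tunnel tun0 remote-ip 192.0.2.1",
            "set interfaces tunnel tun0 encapsulation gre",
            "set interfaces tunnel tun0 key 101088", "set interfaces tunnel tun0 ttl 220",
            "set interfaces tunnel tun0 tos 55", "set interfaces tunnel tun0 mtu 1460",
            "set interfaces tunnel tun0 firewall in name tun0-fw-in",
            "set interfaces tunnel tun0 firewall out name tun0-fw-out"]
EAST_BAD_CLI = [c.replace("key 101088", "key 101089") for c in EAST_CLI]
```

Calling audit(WEST_CLI, EAST_CLI) returns an empty list for the guide's pair, while audit(WEST_CLI, EAST_BAD_CLI) reports the key mismatch.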
Chapter 3: Tunnel Commands
This chapter lists the commands for configuring GRE and IP-in-IP tunnels.
Configuration Commands
interfaces tunnel <tunx> address <ipv4net> Sets a primary or secondary IP address for a tunnel interface.
interfaces tunnel <tunx> description <descr> Specifies a description for a tunnel interface.
interfaces tunnel <tunx> disable Disables a tunnel interface without discarding configuration.
interfaces tunnel <tunx> encapsulation Sets the encapsulation for a tunnel interface.
interfaces tunnel <tunx> key <key> Defines an authentication key for a tunnel interface.
interfaces tunnel <tunx> local-ip <ipv4> Sets the IP address for the local endpoint of a tunnel.
interfaces tunnel <tunx> mtu <mtu> Sets the MTU size for a tunnel interface.
interfaces tunnel <tunx> remote-ip <ipv4> Sets the IP address for the remote endpoint of a tunnel.
interfaces tunnel <tunx> tos <tos> Specifies the value to be written into the ToS byte of the
tunnel packet's IP header.
interfaces tunnel <tunx> ttl <ttl> Defines the time-to-live (TTL) value to be written into the
tunnel packet's IP header.
Operational Commands
Commands for using other system features with tunnel interfaces can be found in the
following locations.
Firewall Commands for configuring firewall on tunnel interfaces are described in the Vyatta
Firewall Reference Guide.
OSPF Commands for configuring the Open Shortest Path First routing protocol on tunnel
interfaces are described in the Vyatta OSPF Reference Guide.
RIP Commands for configuring the Routing Information Protocol on tunnel interfaces are
described in the Vyatta RIP Reference Guide.
Syntax
Operational mode.
Parameters
tunx Optional. Clears information for the specified tunnel interface. The
range is tun0 to tun23.
Default
None.
Usage Guidelines
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
}
}
Parameters
tunx Mandatory. Multi-node. An identifier for the tunnel interface you are
defining. The range is tun0 to tun23.
You can define multiple tunnel interfaces by creating multiple tunnel
configuration nodes.
Default
None.
Usage Guidelines
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
address ipv4net
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
Default
None.
Usage Guidelines
Use this command to assign a primary or secondary IP address to a tunnel interface. At least
one address must be configured for the tunnel interface to function.
Use the set form of this command to create an IP address for a tunnel interface. Note that
you cannot use set to change an existing address; you must delete the address to be changed
and create a new one.
Use the delete form of this command to remove an IP network address for a tunnel
interface. At least one address must remain for the tunnel to function.
Use the show form of this command to view address configuration for a tunnel interface.
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
description text
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
Default
None.
Usage Guidelines
Use this command to record a brief description for a tunnel interface. If the description
contains spaces, it must be enclosed in double quotes.
Use the set form of this command to record a brief description for the tunnel
interface.
Use the delete form of this command to remove a description for the tunnel interface.
Use the show form of this command to view a description for the tunnel interface.
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
disable
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
Default
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
encapsulation [gre|ipip|sit]
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun9.
Default
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
key 0-999999
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
key A key for authenticating the local endpoint to the remote endpoint. The
key must match on both ends of the connection for the tunnel to be
established.
Default
Usage Guidelines
Use this command to provide a simple password-like numeric key for authenticating tunnel
endpoints to one another. For the tunnel to be established, keys must be identical at both
ends of the tunnel.
Use the set form of this command to specify a key for the tunnel interface.
Use the delete form of this command to remove the key for the tunnel interface.
Use the show form of this command to view the key for the tunnel interface.
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
local-ip ipv4
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
ipv4 Mandatory. The IPv4 address to be used as the tunnel endpoint on the
local router. The IP address must already be configured for the interface.
Default
None.
Usage Guidelines
Use this command to specify the IP address to use as the local endpoint of the tunnel.
Use the set form of this command to set the address of the local endpoint of the tunnel.
Use the delete form of this command to remove the local endpoint of the tunnel. Note that
the tunnel will not function without both endpoints configured.
Use the show form of this command to view local tunnel endpoint configuration.
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
mtu mtu
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
mtu Optional. The MTU, in octets, for the tunnel interface. The range is 0 to
8042, where 0 means fragmentation is never performed. The default is
1476.
Default
Usage Guidelines
Use this command to set the maximum transfer unit (MTU) for encapsulated packets
traversing the tunnel.
This MTU is applied to the packets embedded in the encapsulating protocol; it is not the
MTU of the carrier packets themselves. The MTU of carrier packets is dictated by the
MTU of the physical interface transmitting and receiving the tunnel packets.
Use the set form of this command to set the MTU value for encapsulated packets.
Use the delete form of this command to restore the default MTU value for encapsulated
packets.
Use the show form of this command to view the encapsulated packet MTU configuration.
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
remote-ip ipv4
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
ipv4 Mandatory. The IPv4 address to be used as the tunnel endpoint on the
remote router. The IP address must already be configured for the
interface.
Default
None.
Usage Guidelines
Use this command to specify the IP address to use as the remote endpoint of the tunnel.
Use the set form of this command to set the address of the remote endpoint of the tunnel.
Use the delete form of this command to remove the remote endpoint of the tunnel. Note
that the tunnel cannot be established without both endpoints configured.
Use the show form of this command to view remote tunnel endpoint configuration.
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
tos tos
}
}
Parameters
tunx Mandatory. The name of the tunnel interface you are configuring. The
range is tun0 to tun23.
tos Optional. The value to be written into the ToS byte in tunnel packet IP
headers (the carrier packet). The range is 0 to 99, where 0 means tunnel
packets copy the ToS value from the packet being encapsulated (the
passenger packet). The default is 0.
Default
The ToS byte of the encapsulated packet is copied into the ToS byte of the tunnel packet's
IP header.
Usage Guidelines
Use this command to specify the value to be written in the 8-bit Type of Service (ToS) byte
of the IP header for packets traversing a tunnel interface. The ToS byte of a packet's IP
header specifies the forwarding behavior to be applied to the packet.
Use the set form of this command to specify the ToS value to write into a tunnel packet's
IP header.
Use the delete form of this command to restore the default behavior for the ToS byte.
Use the show form of this command to view ToS byte configuration.
Syntax
Command Mode
Configuration mode.
Configuration Statement
interfaces {
tunnel tun0..tun23 {
ttl 0-255
}
}
Parameters
ttl Optional. The value to be written into the TTL field in tunnel
packet IP headers (the carrier packet). The range is 0 to 255,
where 0 means tunnel packets copy the TTL value from the
packet being encapsulated (the passenger packet). The default
is 0.
Default
The TTL value of the encapsulated packet is copied into the TTL field of the tunnel packet's
IP header.
Usage Guidelines
Use this command to specify the value to be written in the TTL field of the IP header for
packets traversing a tunnel interface. The TTL field of a packet's IP header is used to limit
the lifetime of an IP packet and to prevent indefinite packet looping.
Use the set form of this command to specify the TTL value to write into a tunnel packet's
IP header.
Use the delete form of this command to restore the default behavior for the TTL field.
Use the show form of this command to view TTL field configuration.
Syntax
Operational mode.
Parameters
tunx Optional. Displays information for the specified tunnel interface. The
range is tun0 to tun23.
Default
Example 3-1 shows operational status for the GRE tunnel interface tun0.
Glossary of Acronyms
AS autonomous system
CA certificate authority
DN distinguished name
I/O Input/Output
IP Internet Protocol
IPsec IP security
IPv4 IP Version 4
IPv6 IP Version 6
ND Neighbor Discovery
RA router advertisement
RS router solicitation
Rx receive
Tx transmit