IP tunnels I have known and loved

Today we'll talk about the "classic" IP tunneling protocols.

GRE is often seen as a one size fits all solution when it comes to classic IP tunneling protocols, and for a good reason. However, there are more specialized options, and many of them are supported by VyOS. There are also rather obscure GRE options that can be useful.

All those protocols are grouped under "interfaces tunnel" in VyOS. Let's take a closer look at the protocols and options currently supported by VyOS.

MTU considerations

One issue that often comes up in tunneled setups is that of MTU and MSS. Generally, the kernel is capable of setting the correct MTU on its own, and as long as end-to-end ICMP works there should be no MSS issues either, but if you are in doubt, or simply curious what the total overhead of a tunnel will be, I made a tool for quickly calculating the MTU and MSS for any combination of encapsulating and encapsulated protocols. Your contributions and corrections to it are always welcome.
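As an added illustration of the overhead arithmetic (this is not the author's tool, just example code written for this post), the following works out the inner MTU and TCP MSS for every encapsulation type covered below. It assumes option-free headers, an IPv4 outer header for GRE, and a 1500-byte underlying link.

```python
# Added example, not the author's MTU/MSS tool: compute the inner MTU and the
# TCP MSS for each tunnel type discussed in this post. Header sizes are the
# minimal, option-free values from the respective RFCs; GRE is assumed to run
# over IPv4 (the only outer family used in the examples on this page).

IPV4_HDR = 20      # IPv4 header without options
IPV6_HDR = 40      # fixed IPv6 header
TCP_HDR = 20       # TCP header without options
GRE_HDR = 4        # base GRE header (RFC 2784)
GRE_KEY_FIELD = 4  # optional key field (RFC 2890)
ETH_HDR = 14       # Ethernet header carried inside gre-bridge

# Bytes each VyOS encapsulation adds around the inner packet.
OVERHEAD = {
    "ipip": IPV4_HDR,
    "ip6ip6": IPV6_HDR,
    "ipip6": IPV6_HDR,
    "sit": IPV4_HDR,
    "gre": IPV4_HDR + GRE_HDR,
    "gre-bridge": IPV4_HDR + GRE_HDR + ETH_HDR,
}

def tunnel_overhead(encapsulation, gre_key=False):
    """Outer overhead in bytes; gre_key adds the 4-byte key ('parameters ip key')."""
    if encapsulation not in OVERHEAD:
        raise ValueError(f"unknown encapsulation {encapsulation!r}")
    if gre_key and not encapsulation.startswith("gre"):
        raise ValueError("only GRE supports a tunnel key")
    return OVERHEAD[encapsulation] + (GRE_KEY_FIELD if gre_key else 0)

def tunnel_mtu(outer_mtu, encapsulation, gre_key=False):
    """Largest inner packet that fits the underlying link without fragmentation."""
    return outer_mtu - tunnel_overhead(encapsulation, gre_key)

def tcp_mss(mtu, inner_family):
    """TCP MSS for a given path MTU and inner IP version (4 or 6)."""
    ip_hdr = {4: IPV4_HDR, 6: IPV6_HDR}[inner_family]
    return mtu - ip_hdr - TCP_HDR

def mss_table(outer_mtu=1500):
    """MSS per encapsulation, for each inner family that encapsulation can carry."""
    carries = {"ipip": (4,), "ipip6": (4,), "ip6ip6": (6,), "sit": (6,),
               "gre": (4, 6), "gre-bridge": (4, 6)}
    return {(enc, fam): tcp_mss(tunnel_mtu(outer_mtu, enc), fam)
            for enc, fams in carries.items() for fam in fams}

if __name__ == "__main__":
    for (enc, fam), mss in sorted(mss_table().items()):
        print(f"{enc:11} IPv{fam}: MTU {tunnel_mtu(1500, enc)}, MSS {mss}")
```

With a 1500-byte link the smallest result is 1400 (IPv6 in IPv6), which is why the 1400 clamp in the policy above is a safe value for all of these tunnel types without a key.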

If you want to do MSS clamping, here's an example:

set policy route MSS-CLAMP rule 10 protocol 'tcp'
set policy route MSS-CLAMP rule 10 set tcp-mss '1400'
set policy route MSS-CLAMP rule 10 tcp flags 'SYN'

set interfaces ethernet eth1 policy route MSS-CLAMP

Alternatively, you can insert a global rule like "iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu" and make it persistent across reboots by placing it in /config/scripts/vyatta-postconfig-bootup.script

IPIP

This is the simplest tunneling protocol in existence. It is defined by RFC2003. It simply takes an IPv4 packet and sends it as the payload of another IPv4 packet. For this reason it doesn't really have any configuration options of its own.

An example:

set interfaces tunnel tun0 encapsulation ipip

set interfaces tunnel tun0 local-ip 192.0.2.10
set interfaces tunnel tun0 remote-ip 203.0.113.20
set interfaces tunnel tun0 address 192.168.100.200

If tunneling IPv4 traffic in IPv4 is really all you want, then it's a pretty good and a very lightweight choice.

IP6IP6

This is the IPv6 counterpart of IPIP. I'm not aware of an RFC that defines this encapsulation specifically, but it's a natural specific case of IPv6 encapsulation mechanisms described in RFC2473.

It's not likely that anyone will need it any time soon, but it does exist.

An example:

set interfaces tunnel tun0 encapsulation ip6ip6

set interfaces tunnel tun0 local-ip 2001:db8:aa::1
set interfaces tunnel tun0 remote-ip 2001:db8:aa::2
set interfaces tunnel tun0 address 2001:db8:bb::1/64

IPIP6

I'm pretty sure in a few decades this is going to be a very useful protocol (though there are other proposals).

As the name implies, it's IPv4 encapsulated in IPv6, as simple as that.

An example:

set interfaces tunnel tun0 encapsulation ipip6

set interfaces tunnel tun0 local-ip 2001:db8:aa::1
set interfaces tunnel tun0 remote-ip 2001:db8:aa::2
set interfaces tunnel tun0 address 192.168.70.80

SIT (6in4)

I believe SIT stands for "Simple Internet Transition". This protocol is defined by RFC4213, but curiously neither that RFC nor any of its predecessors refer to it as SIT, so I have no idea where that nickname actually comes from (if you know its origin, tell me).

It encapsulates IPv6 packets in IPv4, as the name suggests. Unlike the two previous protocols, it's very useful right now, as it's used by a number of IPv6 tunnel brokers such as that of Hurricane Electric.

An example:

set interfaces tunnel tun0 encapsulation sit

set interfaces tunnel tun0 local-ip 192.0.2.10
set interfaces tunnel tun0 remote-ip 192.0.2.20
set interfaces tunnel tun0 address 2001:db8:bb::1/64

GRE

GRE stands for Generic Routing Encapsulation, and it lives up to its name as it can encapsulate many other protocols at more than one OSI layer. It is defined by RFC2784.

Due to kernel driver layout reasons, in VyOS it comes in two flavours: "gre" and "gre-bridge". The difference is that while "gre" is layer 3 only, "gre-bridge" is layer 2 and can encapsulate Ethernet frames, so it can be bridged with other interfaces to create data link layer segments that span multiple remote sites. GRE is also unique in that it can encapsulate more than one protocol at the same time, so it's the only way to create dual-stack IPv4 and IPv6 tunnels in a single interface.

Layer 3 GRE example:

set interfaces tunnel tun0 encapsulation gre

set interfaces tunnel tun0 local-ip 192.0.2.10
set interfaces tunnel tun0 remote-ip 192.0.2.20
set interfaces tunnel tun0 address 10.40.50.60/24
set interfaces tunnel tun0 address 2001:db8:bb::1/64

Layer 2 GRE example:

set interfaces bridge br0 

set interfaces tunnel tun0 encapsulation gre-bridge
set interfaces tunnel tun0 local-ip 192.0.2.10
set interfaces tunnel tun0 remote-ip 192.0.2.20
set interfaces tunnel tun0 parameters ip bridge-group bridge br0

set interfaces ethernet eth1 bridge-group br0

As you can see, the bridge-group option for tunnels is in a rather unusual place, different from all other interfaces. I can't remember why that is, and we may make that CLI more consistent in the future, even though it will take quite some effort to make it backwards-compatible.

GRE is also the only classic protocol that allows creating multiple tunnels with the same source and destination due to its support for tunnel keys. Despite its name, this feature has nothing to do with security: it's simply an identifier that allows routers to tell one tunnel from another.

An example:

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 192.0.2.10
set interfaces tunnel tun0 remote-ip 192.0.2.20
set interfaces tunnel tun0 address 10.40.50.60/24
set interfaces tunnel tun0 parameters ip key 10

set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 local-ip 192.0.2.10
set interfaces tunnel tun1 remote-ip 192.0.2.20
set interfaces tunnel tun1 address 172.16.17.18/24
set interfaces tunnel tun1 parameters ip key 20
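To make the "it's just an identifier" point concrete, here is an added example (not VyOS or kernel code) that builds and parses the RFC 2784 GRE header with the RFC 2890 key field and then picks the receiving tunnel for two tunnels that share the same endpoints, mirroring the configuration above. The tunnel table and the toy demultiplexer are constructed for illustration; the key travels in cleartext in every packet, so it separates tunnels but authenticates nothing.

```python
# Added example (not VyOS or kernel code): GRE header (RFC 2784) with the
# optional key (RFC 2890), plus a toy demultiplexer that tells two keyed
# tunnels between the same endpoints apart, as in the config above.
import struct

GRE_FLAG_C = 0x8000  # checksum present
GRE_FLAG_K = 0x2000  # key present
GRE_FLAG_S = 0x1000  # sequence number present
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD

def build_gre_header(protocol, key=None):
    """Flags/version (2 bytes), protocol type (2 bytes), optional 4-byte key."""
    flags = GRE_FLAG_K if key is not None else 0
    hdr = struct.pack("!HH", flags, protocol)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr

def parse_gre_header(data):
    """Return (protocol, key, header_length); key is None when the K bit is clear."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, protocol = struct.unpack("!HH", data[:4])
    if flags & 0x0007:  # version must be 0 for RFC 2784 GRE
        raise ValueError("unsupported GRE version")
    offset = 4
    if flags & GRE_FLAG_C:
        offset += 4  # checksum + reserved1
    key = None
    if flags & GRE_FLAG_K:
        if len(data) < offset + 4:
            raise ValueError("truncated GRE key")
        (key,) = struct.unpack("!I", data[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        offset += 4  # sequence number
    if len(data) < offset:
        raise ValueError("truncated GRE header")
    return protocol, key, offset

# Constructed table: (outer src, outer dst, key) -> interface, matching the
# example above (tun0 uses key 10, tun1 uses key 20, same endpoints).
TUNNELS = {("192.0.2.20", "192.0.2.10", 10): "tun0",
           ("192.0.2.20", "192.0.2.10", 20): "tun1"}

def demux(outer_src, outer_dst, gre_packet):
    """Return (interface or None, inner protocol, inner payload) for a GRE packet."""
    protocol, key, hlen = parse_gre_header(gre_packet)
    return TUNNELS.get((outer_src, outer_dst, key)), protocol, gre_packet[hlen:]
```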

Conclusion

Classic IP tunneling protocols are often not very flexible, but a lot of the time they do their job very well, and they are easy to use in conjunction with IPsec. For a more modern and flexible option you may consider L2TPv3 or VXLAN, but that's a story for future posts.

17 responses
I had some trouble applying the ipip and gre tunnels with the guide above. Do they work on 1.1.8, and if so could you provide an example of how it would be done without an IPsec or OpenVPN tunnel (doing it in a closed lab)? Thanks for all the hard work from you, the VyOS dev team and the FRR devs. Can't wait for the 2.0 release, hopefully with VRF and MPLS support.
They do work in 1.1.8. To make any suggestions I'd need to see the config snippet you are applying and the error you get.

> hopefully with vrf and mpls support

My obligatory question: what's your use case for MPLS in software? ;)
Sure thing, I will send the snippet in 3 hours' time. I work at an ISP that does a lot of Layer 3 with MPLS, and I want to make an MPLS network such as:

Internet to provide easy access across my sites (I have 6 sites)
LAN - self-explanatory, with BGP to share routes
Management for easy management via the same route table for all sites
DMZ for servers (physical and virtual), with access to the DMZ interface on my Internet breakouts

I would also experiment with VPLS for 3 of the sites to provide an easy L2 line to do whatever I want on :)
So I tried this config for a simple gre tunnel:

192.168.100.1/30 - cloud1 - site a

set interfaces tunnel tun1
set interfaces tunnel tun1 address 192.168.100.2/30
set interfaces tunnel tun1 description "Gre Tunnel to vals"
set interfaces tunnel tun1 encapsulation ipip
set interfaces tunnel tun1 local-ip 10.30.40.1
set interfaces tunnel tun1 remote-ip 10.30.40.2

192.168.100.2/30 - vals - site b

set interfaces tunnel tun1
set interfaces tunnel tun1 address 192.168.100.1/30
set interfaces tunnel tun1 description "Gre Tunnel to cloud1"
set interfaces tunnel tun1 encapsulation ipip
set interfaces tunnel tun1 local-ip 10.30.40.2
set interfaces tunnel tun1 remote-ip 10.30.40.1

I'm not totally sure if it's right, but it won't seem to work despite being able to ping outside the gre tunnel.
I posted the ipip first, my bad. The gre is here:

site a 192.168.100.1/30

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.30.40.1
set interfaces tunnel tun0 remote-ip 10.30.40.2
set interfaces tunnel tun0 address 192.168.100.2/30

site b 192.168.100.2/30

set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 local-ip 10.30.40.2
set interfaces tunnel tun0 remote-ip 10.30.40.1
set interfaces tunnel tun0 address 192.168.100.1/30
The config looks good. Is 10.30.40.1 reachable from 10.30.40.2? You may also want to check your firewall.
I've turned this post into a VyOS wiki article: https://wiki.vyos.net/wiki/IP_tunneling