Wednesday 6 July 2016

Setting up a GRE tunnel between two CentOS 7 instances

GRE provides a way of encapsulating traffic between two endpoints (not encrypting it).

It gives no protection against eavesdropping or tampering: the GRE header is unauthenticated, and the optional key field is just a 32-bit tunnel identifier, not a cryptographic key. If the traffic needs to be confidential or integrity-protected it has to go over an IPsec tunnel (GRE over IPsec is the usual combination).

One of the major advantages of GRE over IPsec on its own is that it carries multicast traffic (for example routing protocols such as OSPF and EIGRP), while IPsec tunnels only carry unicast traffic.

In this tutorial I will be setting up a point-to-point link between two Linux instances running CentOS 7.

We should firstly ensure that the GRE module is loaded with:

lsmod | grep gre

and if it is not, load it with:

sudo modprobe ip_gre

(although unless you are running a custom kernel it is unlikely to be missing, and ip tunnel add normally loads it on demand anyway.)

PUPPETTEST #1 (HOST #1, outer address 10.0.2.154)

sudo ip tunnel add tun0 mode gre remote 10.0.2.152 local 10.0.2.154 ttl 255
sudo ip link set tun0 up
sudo ip addr add 10.10.10.1/24 dev tun0

PUPPETTEST #2 (HOST #2, outer address 10.0.2.152)

sudo ip tunnel add tun0 mode gre remote 10.0.2.154 local 10.0.2.152 ttl 255
sudo ip link set tun0 up
sudo ip addr add 10.10.10.2/24 dev tun0

We should also ensure that our iptables chains are set up correctly. GRE is IP protocol 47 and has no ports, so a -p tcp or -p udp rule will never match it. Typically you will want something like the following ahead of the default-deny rule in the filter table (note that -A appends to the end of the chain, so if a DROP rule is already in place use -I instead, otherwise the new rule is never reached):

sudo iptables -A INPUT -p gre -j ACCEPT

or, to lock it down to GRE from the one peer:

sudo iptables -A INPUT -i eth0 -p gre -s <remote-endpoint> -j ACCEPT

Bear in mind that the decapsulated packets arrive on tun0 and pass through INPUT a second time, so that interface needs its own ACCEPT rule as well. Also, GRE does nothing to authenticate the outer source address: anyone who can spoof the peer's address can inject packets into the tunnel, which is another reason to put IPsec underneath it on an untrusted network.

and then check that the two tunnel addresses can reach each other, e.g. from 10.10.10.1:

ping 10.10.10.2

** Note: tcpdump is your friend here - e.g.:

tcpdump -i eth0 proto gre
or
tcpdump -i eth0 icmp

Now we should make the interface configuration permanent on HOST #1, so that it survives a reboot:

vi /etc/sysconfig/network-scripts/ifcfg-tun0

DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.2 # This is the tunnel IP address (i.e. the p2p link) of the remote peer.
MY_INNER_IPADDR=10.10.10.1 # This is the tunnel IP address (i.e. the p2p link) of the current peer.
PEER_OUTER_IPADDR=10.0.2.152 # This is the outer (i.e. eth0 network) interface IP address that the actual tunnel goes over.

ONBOOT must be yes; with ONBOOT=no the file sits there but the tunnel never comes up at boot. Remove the tunnel created by hand earlier (ip tunnel del tun0) and then bring the interface up from the file with ifup, which hands TYPE=GRE to the ifup-tunnel helper that actually creates the tunnel (a bare ip link set tun0 up only worked before because the device already existed):

ifup tun0

and then on HOST #2:

vi /etc/sysconfig/network-scripts/ifcfg-tun0

DEVICE=tun0
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
PEER_INNER_IPADDR=10.10.10.1
MY_INNER_IPADDR=10.10.10.2
PEER_OUTER_IPADDR=10.0.2.154

and then, after removing the hand-made tunnel, bring the interface up from the file:

ifup tun0

ip -d link show tun0 prints the remote, local and ttl values the kernel actually has, which is the quickest way to spot a pair that was not mirrored correctly.

To kill the tunnel and bring down the interface (once it is managed by the ifcfg file, ifdown tun0 does the same) we can issue:

ip link set tun0 down
ip tunnel del tun0
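The whole procedure above (bring the tunnel up, open the firewall to the one peer, make it persistent, tear it down) as a single script that runs identically on either host, so the two sides are always exact mirror images instead of hand-edited copies of each other. This is an added example and not code from the original post; the function names, the DRY_RUN switch and the IFCFG_DIR override are introduced here, and the ifcfg keys it writes are the ones the initscripts ifup-tunnel helper reads.

```bash
#!/bin/bash
# Added example, not from the original post. One script for both sides of the
# tunnel: the outer and inner addresses are passed in, so host #1 and host #2
# run the same code with the arguments swapped rather than hand-mirrored commands.
# Assumed names: gre_*(), DRY_RUN, TUN_DEV, OUTER_IF, IFCFG_DIR.
set -u

TUN_DEV=${TUN_DEV:-tun0}
OUTER_IF=${OUTER_IF:-eth0}
# Point this at a scratch directory to inspect the generated ifcfg without root.
IFCFG_DIR=${IFCFG_DIR:-/etc/sysconfig/network-scripts}

# Privileged commands go through run(): with DRY_RUN=1 they are printed, not
# executed, so the sequence can be reviewed (or tested) on any machine.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Dotted-quad IPv4 check (four octets, each 0-255). A typo in an endpoint
# otherwise shows up only as a tunnel that silently never passes traffic.
valid_ipv4() {
    local ip=$1 o
    case $ip in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# gre_up LOCAL_OUTER REMOTE_OUTER INNER_CIDR
# The ip tunnel / ip link / ip addr sequence from the post, with both endpoints
# validated first (local == remote is the classic copy-paste mirroring mistake).
gre_up() {
    local local_ip=$1 remote_ip=$2 inner=$3
    valid_ipv4 "$local_ip" && valid_ipv4 "$remote_ip" ||
        { echo "gre_up: bad endpoint address" >&2; return 1; }
    [ "$local_ip" != "$remote_ip" ] ||
        { echo "gre_up: local and remote endpoints must differ" >&2; return 1; }
    run ip tunnel add "$TUN_DEV" mode gre remote "$remote_ip" local "$local_ip" ttl 255
    run ip link set "$TUN_DEV" up
    run ip addr add "$inner" dev "$TUN_DEV"
}

# gre_firewall REMOTE_OUTER PEER_INNER
# -I inserts at the top of INPUT so the rules sit ahead of any default DROP.
# Only GRE (IP protocol 47) from the one peer is accepted on the outer
# interface, and only the peer's inner address on the tunnel device, which is
# the second pass the decapsulated packets make through INPUT.
gre_firewall() {
    local remote_ip=$1 peer_inner=$2
    run iptables -I INPUT -i "$OUTER_IF" -p gre -s "$remote_ip" -j ACCEPT
    run iptables -I INPUT -i "$TUN_DEV" -s "$peer_inner" -j ACCEPT
}

# gre_persist MY_INNER PEER_INNER PEER_OUTER
# Writes the ifcfg file that the initscripts ifup-tunnel helper turns into the
# same ip commands at boot. ONBOOT=yes, otherwise the file exists but the
# tunnel never returns after a reboot. Prints the path it wrote.
gre_persist() {
    local my_inner=$1 peer_inner=$2 peer_outer=$3
    local f=$IFCFG_DIR/ifcfg-$TUN_DEV
    valid_ipv4 "$peer_outer" || { echo "gre_persist: bad outer address" >&2; return 1; }
    cat > "$f" <<EOF
DEVICE=$TUN_DEV
BOOTPROTO=none
ONBOOT=yes
TYPE=GRE
PEER_INNER_IPADDR=$peer_inner
MY_INNER_IPADDR=$my_inner
PEER_OUTER_IPADDR=$peer_outer
TTL=255
EOF
    echo "$f"
}

gre_down() {
    run ip link set "$TUN_DEV" down
    run ip tunnel del "$TUN_DEV"
}

# Usage: gre-tunnel.sh up LOCAL_OUTER REMOTE_OUTER INNER_CIDR PEER_INNER
#        gre-tunnel.sh persist MY_INNER PEER_INNER PEER_OUTER
#        gre-tunnel.sh down
case ${1:-} in
    up)      gre_up "${2:?}" "${3:?}" "${4:?}" && gre_firewall "$3" "${5:?}" ;;
    persist) gre_persist "${2:?}" "${3:?}" "${4:?}" ;;
    down)    gre_down ;;
esac
```

On PUPPETTEST #1 that is DRY_RUN=1 ./gre-tunnel.sh up 10.0.2.154 10.0.2.152 10.10.10.1/24 10.10.10.2 to review the commands, then the same line as root without DRY_RUN; PUPPETTEST #2 runs it with the two outer addresses and the two inner addresses swapped. The persist subcommand takes the same three values the ifcfg file above needs, and because both hosts run one script the only thing that can differ between them is the argument order.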
