GRE and IPIP Tunnels
Tom
Eastep
2005-09-03
2001
2002
2003
2004
2005
Thomas M. Eastep
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
GNU Free Documentation
License
.
GRE and IPIP Tunnels are insecure when used over the internet; use
them at your own risk
GRE and IPIP tunneling with Shorewall can be used to bridge two
masqueraded networks.
The simple scripts described in the Linux Advanced Routing and Shaping
HOWTO work fine with Shorewall. Shorewall also includes
a tunnel script for automating tunnel configuration. If you have installed
the RPM, the tunnel script may be found in the Shorewall documentation
directory (usually /usr/share/doc/shorewall-<version>/).
Bridging two Masqueraded Networks
Suppose that we have the following situation:
We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.
The tunnel
script is not installed in /etc/shorewall
by default -- If you install using the tarball, the script is included in
the tarball; if you install using the RPM, the file is in your Shorewall
documentation directory (normally
/usr/share/doc/shorewall-<version>).
In the /etc/shorewall/tunnel script, set the
tunnel_type
parameter to the type of tunnel that you want
to create.
/etc/shorewall/tunnel
tunnel_type=gre
If you use the PPTP connection tracking modules from Netfilter
Patch-O-Matic (ip_conntrack_proto_gre ip_conntrack_pptp,
ip_nat_proto_gre and ip_nat_pptp) then you cannot use GRE
tunnels.
On each firewall, you will need to declare a zone to represent the
remote subnet. We'll assume that this zone is called vpn
and declare it in /etc/shorewall/zones on both systems as follows.
#ZONE TYPE OPTIONS
vpn plain
On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST OPTIONS
vpn tosysb 10.255.255.255
In /etc/shorewall/tunnels on system A, we need the following:
#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 134.28.54.2
This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote
gateway.
In the tunnel script on system A:
tunnel script on system A
tunnel=tosysb
myrealip=206.161.148.9 (for GRE tunnel only)
myip=192.168.1.1
hisip=10.0.0.1
gateway=134.28.54.2
subnet=10.0.0.0/8
Similarly, On system B the 192.168.1.0/24 subnet will comprise the
vpn zone. In
/etc/shorewall/interfaces:
#ZONE INTERFACE BROADCAST
vpn tosysa 192.168.1.255
In /etc/shorewall/tunnels on system B, we have:
#TYPE ZONE GATEWAY GATEWAY ZONE
ipip net 206.191.148.9
And in the tunnel script on system B:
tunnel script on system B
tunnel=tosysa
myrealip=134.28.54.2 (for GRE tunnel only)
myip=10.0.0.1
hisip=192.168.1.1
gateway=206.191.148.9
subnet=192.168.1.0/24
You can rename the modified tunnel scripts if you like; be sure that
they are secured so that root can execute them.
You will need to allow traffic between the vpn
zone
and the loc
zone on both systems -- if you simply want to
admit all traffic in both directions, you can use the policy file:
#SOURCE DEST POLICY LOG LEVEL
loc vpn ACCEPT
vpn loc ACCEPT
On both systems, restart Shorewall and run the modified tunnel
script with the start
argument on each system. The systems
in the two masqueraded subnetworks can now talk to each other