
How to establish IPIP tunnel on Linux

posted Jul 27, 2010, 11:44 AM by Sumin Xia   [ updated Sep 4, 2010, 9:35 AM ]

This kind of tunneling has been available in Linux for a long time. It requires 2 kernel modules, ipip.o and new_tunnel.o.

Install ipip.o:

$ sudo apt-get install ipip

$ modprobe ipip


From http://www.techonia.com/create-tunnel-interface-linux

To create a tunnel interface, you need to load/activate the ‘tun’ module first because it is unloaded/inactive by default. To activate it, use the ‘modprobe’ command as below:

modprobe tun

Check that it has been successfully loaded.

lsmod |grep tun
tun 12160 0

Now create or add a tunnel interface (tun0) to the system. The command syntax is as follows:

ip tunnel add tun0 mode ipip remote <remote_ip_address> local <local_ip_address>

For example:

ip tunnel add tun0 mode ipip remote 202.182.ab.cd local 203.153.xxx.xx

Assign an IP address to the tun0 interface:

ifconfig tun0 202.182.ab.254 netmask 255.255.255.252 pointopoint 202.182.ab.253

Sometimes you need to change the MTU of the tun0 interface to 1500:

ifconfig tun0 mtu 1500 up

Bring the tun0 interface up:

ip link set tun0 up

That’s all. Now you can try to ping the point-to-point IP address on the remote router. You should get a reply from the remote router.

From http://www.wlug.org.nz/IPIPNotes

IPIP is a method of creating a bare bones IP tunnel (no encryption, compression, or anything else) between two hosts, be they connected via the Internet or a LAN.

Example network

Let's say that we want to create an IP over IP link between two machines, Router A and Router B. These routers are both connected to the Internet; you also need a network to use on the tunnel.

You need:

  • A kernel with support for IPIP built in, or built as a module.
  • The IP addresses of both tunnel endpoints.
  • IP address ranges that you want to tunnel.
  • You'll also need a name to give to the tunnel.

We will use the network '192.168.1.0/24' as the private network of the tunnel.

In the example below Router A and B have addresses in the same subnet - this is not a requirement; you can create a tunnel to a host on the other side of the internet if you want.

Router A:

  • has internet IP address 192.0.2.34
  • has private tunnel IP address 192.168.1.1

Router B:

  • has internet IP address 192.0.2.69
  • has private tunnel IP address 192.168.1.254

iproute sample setup

You can call your tunnel whatever you like: let's call ours tunnel0.

Router A

ip tunnel add tunnel0 mode ipip remote 192.0.2.69 local 192.0.2.34
ip link set tunnel0 up
ip addr add 192.168.1.1/24 dev tunnel0

Router B

ip tunnel add tunnel0 mode ipip remote 192.0.2.34 local 192.0.2.69
ip link set tunnel0 up
ip addr add 192.168.1.254/24 dev tunnel0

Skip to 'testing the tunnel'.

Debian sample setup

Router A

Edit /etc/network/interfaces:

auto tunnel0
iface tunnel0 inet static
address 192.168.1.1
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
pre-up /sbin/ip tunnel add tunnel0 mode ipip remote 192.0.2.69 local 192.0.2.34
post-down /sbin/ip tunnel del tunnel0

Then execute

ifup tunnel0

Router B

Edit /etc/network/interfaces:

auto tunnel0
iface tunnel0 inet static
address 192.168.1.254
netmask 255.255.255.0
network 192.168.1.0
broadcast 192.168.1.255
pre-up /sbin/ip tunnel add tunnel0 mode ipip remote 192.0.2.34 local 192.0.2.69
post-down /sbin/ip tunnel del tunnel0

Then execute

ifup tunnel0

Testing your tunnel

After you have configured your tunnel via one of the examples above you should be able to ping the remote end:

Router A

ping 192.168.1.254

Router B

ping 192.168.1.1

Both pings should succeed without problems.

Using your tunnel

  • You can now use your tunnel - just pretend it's a piece of Ethernet between the two computers.
  • Remember the MTU on the tunnel will be lower than normal because of the extra IP header.
  • You can set up routing and whatever you like over the tunnel.
  • If you lose your route to the tunnel endpoint, the tunnel will not work either.
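
Two points made above, that IPIP only prepends an outer IP header (no encryption) and that this header lowers the tunnel MTU, shown on a constructed packet. This is an added example, not code from the original page or its sources; it reuses the Router A/B addresses from the sample setup and assumes an option-less 20-byte outer header and a 1500-byte link MTU.

```python
import socket
import struct
IPPROTO_ICMP, IPPROTO_IPIP = 1, 4   # IANA protocol numbers
IPV4_FMT = "!BBHHHBBH4s4s"          # fixed 20-byte IPv4 header, no options

def checksum(data):                 # RFC 1071 Internet checksum
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload):
    """Build an option-less IPv4 packet around payload."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    """Parse one IPv4 header; reject truncated or malformed input."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or not ihl <= total <= len(pkt):
        raise ValueError("malformed IPv4 packet")
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "proto": proto, "hlen": ihl, "payload": pkt[ihl:total]}

def decapsulate(pkt):
    """Split an IPIP packet into its (outer, inner) parsed headers."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not 4 (IPIP)")
    return outer, parse_ipv4(outer["payload"])

def tunnel_mtu(link_mtu, outer_hlen=20):
    return link_mtu - outer_hlen    # room left for the inner packet

# Constructed sample: Router A pings Router B over tunnel0 (addresses from the page).
DATA = b"constructed ping data"
echo = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + DATA          # ICMP echo request
echo = echo[:2] + struct.pack("!H", checksum(echo)) + echo[4:]
INNER = ipv4("192.168.1.1", "192.168.1.254", IPPROTO_ICMP, echo)
WIRE = ipv4("192.0.2.34", "192.0.2.69", IPPROTO_IPIP, INNER)

if __name__ == "__main__":
    outer, inner = decapsulate(WIRE)
    print(outer["src"], "->", outer["dst"], "carries", inner["src"], "->", inner["dst"])
    print("overhead", len(WIRE) - len(INNER), "MTU", tunnel_mtu(1500), "cleartext", DATA in WIRE)
```

The inner packet and its data sit unmodified behind the 20-byte outer header, so anything on the path between the two public addresses can read them.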

More complex situations

When tunneling between 2 routers, and 1 router has a private network on another interface, routing between the two can be confusing. Here is the network layout:

Router 1

  eth0: 1.2.3.4 (public)

Router 2

  eth0: 4.3.2.1 (public)
  eth1: 10.0.0.1

In my particular case, Router 1 is an asterisk system on a public network, and Router 2 is a NAT router that is also a gateway for my private 10.0.0.0/24 network. I have multiple SIP phones (which don't work through NAT) on the 10.0.0.0/24 network and I need to establish routes between the 2.

IN THIS ORDER ENTER THESE COMMANDS

Router 1

iptunnel add iptun mode ipip remote 4.3.2.1
ifconfig iptun 10.0.1.1
route add -net 10.0.2.0/24 dev iptun

Router 2

iptunnel add iptun mode ipip remote 1.2.3.4
ifconfig iptun 10.0.2.1
route add -net 10.0.1.0/24 dev iptun

Router 1

route add -net 10.0.0.0/24 dev iptun
route add -net 10.0.0.0/24 gw 10.0.0.1

Now from Router 2 you can ping any device on the 10.0.0.0/24 network behind Router 1, and from any device on the 10.0.0.0/24 network, you can ping Router 1 using the address 10.0.1.1.

If anyone has a better way of doing this, using IPIP or GRE, or knows how to use MobileIP in this situation, please email me: zip@andrewhodel.com. I know I can accomplish this using IPSec or something of the like, however that is not my goal.

