Setting up IPIP, GRE and EoIP tunnels

In Keenetic routers it is possible to create IPIP (IP over IP), GRE (Generic Routing Encapsulation), EoIP (Ethernet over IP) tunnels both in pure form and in combination with IPSec tunnel, allowing to use IPSec VPN security standards to protect these tunnels.

The Sspport of IPIP, GRE, EoIP tunnels in Keenetic routers allows you to establish a VPN connection with hardware gateways, Linux routers, computers and servers with UNIX/Linux OS, as well as with other network and telecommunications equipment that support these tunnels.

It is necessary to install additional corresponding components of the KeeneticOS system to work with tunnels:

'EoIP tunneling' (Allows creating Ethernet over IP tunnels);
'GRE tunneling' (Allows creating GRE tunnels);
'IP-IP tunneling' (Allows creating IP-over-IP tunnels).

You can do this on the 'General system settings' page in the 'Updates and component options' section by clicking on 'Component options'.

ipip-comp-en.png

Brief description

IPIP and GRE tunnels are network layer tunnels (L3 of the OSI model), where IP addresses of both sides are available. They are presented in the system as GreX and IPIPX interfaces, and routing (including the default route) can be configured through them just like through any other interface. Also, these interfaces can be configured with a security level of access - private, protected, or public (information on access levels can be found in the article Configuring firewall rules with the command-line interface).

IPIP (IP over IP) is one of the easiest tunnels to set up (it encapsulates only unicast IPv4 traffic). You can configure it on a UNIX/Linux system as well as on different routers (e.g. Cisco).

GRE (Generic Routing Encapsulation) tunnel is one of the popular VPN types. GRE tunnels are compatible with hardware security gateways, Mikrotik routers, Linux routers and other similar equipment (e.g. Cisco, Juniper, etc.).

EoIP tunnel (Ethernet over IP) is a Datalink layer tunnel (L2 of the OSI model) over the network layer (L3). Data is transmitted through this tunnel at the Ethernet frame level. EoIP provides a transparent network environment that emulates a direct Ethernet connection between networks. All MAC addresses are visible, and it is possible to connect two L2 LANs over the Internet using this type of tunnel. EoIP uses GRE as its transport. The EoIP tunnel can work over IPIP, PPTP and any other connection capable of transmitting IP packets. Any traffic other than IP can be sent through it, including ARP, DHCP, PPPoE, IPv6 and others. By default, subnet scanning via ARP will work in the tunnel when security level changes to private/protected. In the system is presented as an EoIPX interface.
EoIP is developed by MikroTik, so there is compatibility with them as well as with Linux routers that know how to work with EoIP.

NOTE: Important! The IPIP, GRE, EoIP tunnels are of the point-to-point type. Both tunnel participants must have external IP addresses (or be on the same network), and there must be no NAT address translation between them. These are the prerequisites for establishing a tunnel.
In simple terms, there are no security mechanisms for these tunnels (no encryption or authentication mechanisms).
The IPIP, GRE and EoIP tunnels operate without saving the state of the connection, i.e. it is impossible to understand whether the tunnel is functional or not. We can only configure both sides and then check the data transfer.

You can use Ping Check function on IPIP, GRE and EoIP tunnel interfaces to check its availability.

The IPIP, GRE and EoIP tunnels work directly over the IPv4 protocol. IPIP uses IP protocol number 4, GRE and EoIP use IP protocol number 47.

Examples

NOTE: Important! At the moment, the configuration of IPIP, GRE and EoIP tunnels is implemented through the command-line interface (CLI) of the router. The full syntax of the commands listed in this article can be found in the Command Reference Guide in the Download Center.

The following examples show private IP addresses, which can only be used within the local network. There must be public IP addresses at both ends of the tunnels to create tunnels over the Internet.

Setting up a GRE/IPIP tunnel between two Keenetic routers.

Example 1.
One side of the tunnel setup:

(config)> interface IPIP0
(config-if)> tunnel destination router1.example.com
(config-if)> ip address 192.168.100.1 255.255.255.0
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save


At the other end of the tunnel, 'mirror' settings are set:

(config)> interface IPIP0
(config-if)> tunnel destination 8.6.5.4
(config-if)> ip address 192.168.100.2 255.255.255.0
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save


You can then try to ping the address of the remote side of the tunnel from any side to check if the tunnel is working correctly.

It should be noted that as a destination you can specify either the domain name (Cloud Mode in KeenDNS will not work!) or the IP address of the remote side (WAN interface of the device).

For GRE, the interface name is Gre0.

Example 2.
One side of the tunnel setup:

(config)> interface IPIP0
(config-if)> tunnel destination router1.example.com
(config-if)> ip address 192.168.100.1 255.255.255.0
(config-if)> up
(config-if)> exit
(config)> no isolate-private
(config)> ip route 10.10.2.0 255.255.255.0 IPIP0 /*static route to a remote private subnet 10.10.2.0/24 through the tunnel*/
(config)> system configuration save


At the other side of the tunnel:

(config)> interface IPIP0
(config-if)> tunnel destination 8.6.5.4
(config-if)> ip address 192.168.100.2 255.255.255.0
(config-if)> up
(config-if)> exit
(config)> no isolate-private
(config)> ip route 10.10.1.0 255.255.255.0 IPIP0 /*static route to a remote private subnet 10.10.1.0/24 through the tunnel*/
(config)> system configuration save


Setting up an EoIP tunnel between two Keenetic routers.

In the case of the EoIP tunnel, the settings will be absolutely the same, except for two things:
— you can set the interface MAC address;
— EoIP tunnel ID, tunnel identifier (number in the range from 1 to 65535) must be set, and it must match at both ends of the tunnel.

One end of the tunnel setup:

(config)> interface EoIP0
(config-if)> tunnel destination router1.example.com
(config-if)> tunnel eoip id 1500
(config-if)> ip address 192.168.100.1 255.255.255.0
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save


The 'mirror' setting is at the other end of the tunnel.:

(config)> interface EoIP0
(config-if)> tunnel destination 8.6.5.4
(config-if)> tunnel eoip id 1500
(config-if)> ip address 192.168.100.2 255.255.255.0
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save


You can then try to ping the address of the remote side of the tunnel from any side to check if the tunnel is working correctly.

The EoIPx interface can be included in the Bridge to join local networks. To do this, configure the EoIP interface without an IP address on both sides and then add it to the Bridge Home:

(config)> interface Home
(config-if)> include EoIP0
(config-if)> exit
(config)> system configuration save

 

NOTE: Important! For IPIP, GRE and EoIP tunnel interfaces, the MTU value is automatically calculated based on the interface through which the traffic will go, but it can be set manually through the command interface ip mtu.
When connecting local networks using the EoIP tunnel, we recommend that you use manually specified static IP addresses on hosts. If clients are configured to automatically obtain IP addresses from a DHCP server, problems may arise with IP address allocation after the tunnel is established because DHCP requests will go into the tunnel, i.e. the remote network.

Using IPIP, GRE and EoIP tunnels with IPSec

If a special system component IPSec VPN is installed, it is possible to protect these tunnels using IPSec safety standards, both in automatic and fully manual mode. We are not going to describe the manual mode, because experienced users can set up an IPSec tunnel with the correct mode and then raise the tunnel over IPSec. In case of automatic configuration, several manual mode problems are solved at once:
— MTU value is set correctly;
— the connection becomes connection-oriented, and you have to choose which end of the tunnel is the client and which end is the server;
— automatically resolves the problem of NAT pass-through, because it uses IPSec NAT Traversal (NAT-T), which turns all tunnel traffic into a UDP stream on port 500/4500;
— encryption and data integrity checks are used.

The IPSec VPN component appends the following settings to tunnels:
interface ipsec preshared-key <key> — PSK for encryption;
interface ipsec encryption-level <level> — encryption level. By default, it is set to cover as many devices as possible and is hardware accelerated. There's no need to change.

Since IPSec separates a client from a server, in order to configure the client (the initiator, the side that will try to establish the connection) you must use the command interface tunnel destination, and to enable the server mode (the party that will respond to connection attempts), you must use the command interface tunnel source.

Example of EoIP tunnel configuration with IPsec (in our example, the side with the WAN address 8.6.5.4 is the server):

Server:

(config)> interface EoIP0
(config-if)> tunnel source ISP
(config-if)> tunnel eoip id 1500
(config-if)> ipsec preshared-key mytestingkey
(config-if)> ip address 192.168.100.1 255.255.255.0
(config-if)> ipsec ikev2
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save


Client:

(config)> interface EoIP0
(config-if)> tunnel destination 8.6.5.4
(config-if)> tunnel eoip id 1500
(config-if)> ipsec preshared-key mytestingkey
(config-if)> ip address 192.168.100.2 255.255.255.0
(config-if)> ipsec ikev2
(config-if)> security-level private
(config-if)> up
(config-if)> exit
(config)> system configuration save

 

NOTE: Important! It is necessary that the pre-shared IPSec PSK key matches at both ends of the tunnel.

In the interface tunnel source command, you can specify both the source interface and the IP address where the server will be waiting for the connection. However, preference is given to the interface, because in this case, all the reconfiguration when changing the address and other events will take place automatically.

TIP: Restrictions: Tunnels based on EoIP/IPSec and GRE/IPSec are not compatible with PPTP connections due to the use of the same GRE protocol. In this case, there is only one option available: IPIP/IPsec.

NOTE: Important! Pay attention to the isolate-private option.
It is not allowed to establish a connection between private interfaces by default, but access can be granted if necessary. If you need to allow connections between private interfaces (i.e. do not isolate access), run the command no isolate-private.
Use the command system configuration save to save the router settings.

Have more questions? Submit a request

Comments

0 comments

Please sign in to leave a comment.