IP in IP tunneling

All about firmwares for routers. Support for RouterTech firmwares is here too.
pcourtney
Novice
Posts: 26
Joined: Mon Jan 18, 2010 4:41 pm

IP in IP tunneling

Post by pcourtney » Thu Jan 21, 2010 1:20 am

This kind of tunneling has been available in Linux for a long time.
It only requires 2 kernel modules ipip.o and new_tunnel.o

would it be a good thing for RT perhaps ???


Preamble :
Let's say you have 3 networks: Internal networks A and B, and intermediate network C (the Internet)

So we have network A:
+-----------------------------------------------+
|network 10.0.1.0 |
|netmask 255.255.255.0 |
|router 10.0.1.1 |
+-----------------------------------------------+

The router has address 172.16.17.18 on network C

and network B:
+-------------------------------------------------+
|network 10.0.2.0 |
|netmask 255.255.255.0 |
|router 10.0.2.1 |
+--------------------------------------------------+

The router has address 172.19.20.21 on network C

As far as network C is concerned, we assume that it will pass any packet sent
from A to B and vice versa. If using ADSL routers at each end then the public
Internet would do for this.

Here's what you do:

First, make sure the modules are installed:
+-------------------------------------------------+
|insmod ipip.o |
|insmod new_tunnel.o |
+-------------------------------------------------+

Then, on the router of network A, you do the following:
+------------------------------------------------------------+
|ifconfig tunl0 10.0.1.1 pointopoint 172.19.20.21 |
|route add -net 10.0.2.0 netmask 255.255.255.0 dev tunl0 |
+------------------------------------------------------------+

And on the router of network B:
+---------------------------------------------------------+
|ifconfig tunl0 10.0.2.1 pointopoint 172.16.17.18 |
|route add -net 10.0.1.0 netmask 255.255.255.0 dev tunl0 |
+----------------------------------------------------------+

And if you're finished with your tunnel:
+----------------------------------------------------------+
|ifconfig tunl0 down |
+----------------------------------------------------------+

You can't forward broadcast or IPv6 traffic through an IP-in-IP tunnel, though. You just connect
two IPv4 networks that normally wouldn't be able to talk to each other, that's all. As far as compatibility
goes, this code has been around a long time, so it's compatible all the way back to 1.3 kernels. Linux IP-in-IP tunneling doesn't work with other Operating Systems or routers, but would work great with two RT routers at each end !

NB this would be better for RT than using the large OpenVPN program for most people :-)
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: IP in IP tunneling

Post by thechief » Thu Jan 21, 2010 10:17 am

http://lartc.org/howto/lartc.tunnel.ip-ip.html

This is interesting - but if I understand correctly, it is fairly restricted, in that it requires both ends to be running the same thing. How would you use this, for example, to connect your home computer to your work computer? I don't know much about networking, but wouldn't a conventional VPN solution be more straightforward? OpenVPN is too big - but what about pptp?

See also: http://lartc.org/howto/lartc.tunnel.gre.html
The Chief: :afro: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.
pcourtney
Novice
Posts: 26
Joined: Mon Jan 18, 2010 4:41 pm

Re: IP in IP tunneling

Post by pcourtney » Thu Jan 21, 2010 2:41 pm

there are some ISPs who provide an IP in IP capable router/adsl modem to their clients, or Cisco 877 routers which can do GRE

imagine lots of homeworkers (where the ADSL is provided by head office) or a remote office, where they only have ADSL ( because leased lines are too expensive), any company data is re-directed straight to HQ by the ISP over a leased line ( or private 10/100mb circuit) but all other traffic ( BBC iPlayer, YouTube, Facebook, you name it ) is routed via IP transit to a Tier 1 provider by the ISP

this means that the leased line connection from HQ to the ISP is only handling company data, and not everything a user normally gets up to, which is normally the case if you don't have IPinIP or GRE routers
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: IP in IP tunneling

Post by thechief » Thu Jan 21, 2010 2:56 pm

This seems to be a very specialised use to me, and not one that will appeal to the average user. However, since the required module is fairly small, we can consider building it into the wireless firmwares. The question is whether ipip is better than GRE and whether both are better than pptp.
pcourtney
Novice
Posts: 26
Joined: Mon Jan 18, 2010 4:41 pm

Re: IP in IP tunneling

Post by pcourtney » Thu Jan 21, 2010 4:15 pm

an alternative to using NAT is IP-in-IP tunneling or encapsulation, it is the best way to provide all the computers on your local network with a static, globally routable IP address while using only a single dynamically allocated address from the broadband provider or ISP, there are many countries around the world where this is becoming the norm !

GRE - you can run into a lot of support queries when using GRE, the Cisco GRE keepalives problem is well documented, as is the disrespect Cisco show to RFC 791, in relation to GRE tunnels (the default tunnel mode)
it looks like Cisco routers send IP datagrams violating RFC 791 over GRE tunnels. In particular, the length field of the IP header is computed incorrectly to *not* include the size of the IP header.

we have about 200 Cisco 877's in the field running GRE/IPSEC, and it is painful trying to support them, and the cost of the Cisco kit is so overpriced these days, it would be better just to have a simple IP in IP tunneling solution that works really well with no support issues. What's even more interesting is that many IT admins that have Cisco kit are now enabling both IP in IP and GRE in the network, in fact they are being advised to do it these days.

PPTP - this was developed by Microsoft, 3COM and Ascend back in Win95 days, it was a bit of a bodge back then, the wiki explains the history, and why we should be cautious
http://en.wikipedia.org/wiki/Point-to-p ... g_protocol
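
Added example (not part of the original posts and not RouterTech code): the encapsulation the first post sets up between 172.16.17.18 and 172.19.20.21, built and taken apart byte by byte, with the RFC 791 Total Length check that the length-field remark above refers to. The host addresses 10.0.1.5 and 10.0.2.7, the payload and all function names are constructed for illustration.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4        # protocol number carried in the outer header for IP-in-IP
HDR = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options (RFC 791)

def checksum(hdr: bytes) -> int:
    """One's-complement header checksum; returns 0 over a header that is intact."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4(src, dst, proto, payload, count_header=True):
    """Prepend an IPv4 header; count_header=False omits its 20 bytes from Total Length."""
    length = len(payload) + (20 if count_header else 0)
    fields = [0x45, 0, length, 0, 0, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(HDR, *fields))
    return struct.pack(HDR, *fields) + payload

def parse(pkt: bytes) -> dict:
    """Parse one IPv4 header; pkt must hold exactly one datagram, no padding."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad header length")
    _, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(HDR, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto,
            "length_ok": total_len == len(pkt),      # header + data, per RFC 791
            "checksum_ok": checksum(pkt[:ihl]) == 0,
            "payload": pkt[ihl:]}

def decapsulate(pkt: bytes):
    """Split an IP-in-IP packet into (outer, inner) parsed headers."""
    outer = parse(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer protocol is not 4 (IP-in-IP)")
    return outer, parse(outer["payload"])

# Constructed sample: host 10.0.1.5 on network A sends UDP to 10.0.2.7 on network B.
INNER = ipv4("10.0.1.5", "10.0.2.7", 17, b"constructed payload")
TUNNELED = ipv4("172.16.17.18", "172.19.20.21", IPPROTO_IPIP, INNER)
SHORT = ipv4("172.16.17.18", "172.19.20.21", IPPROTO_IPIP, INNER, count_header=False)

if __name__ == "__main__":
    print(decapsulate(TUNNELED), parse(SHORT)["length_ok"])
```

The inner addresses and payload come back unchanged from the outer packet: IP-in-IP only wraps the datagram and adds no encryption or authentication.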
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: IP in IP tunneling

Post by thechief » Thu Jan 21, 2010 4:29 pm

Well, you're the expert ;) - but what I gather from this is:
1. ipip = good
2. GRE = bad
3. pptp = bad

All (or none) of them can easily be enabled in the RT firmware. GRE and ipip can be built into the kernel, or as kernel modules. If I follow your line of thinking, all that is needed is to build ipip.o as a kernel module (but I also read somewhere that you need a user land program "iptunnel"). Right?
pcourtney
Novice
Posts: 26
Joined: Mon Jan 18, 2010 4:41 pm

Re: IP in IP tunneling

Post by pcourtney » Fri Jan 22, 2010 5:29 pm

>but I also read somewhere that you need a userland program "iptunnel"

no, only VPNs like OpenVPN, Cisco and PPTP need client installs and/or programs in the start up folder

this is nice http://www.linuxjournal.com/article/7949

an IpinIP router once enabled and configured for IPinIP use, just dishes out DHCP addresses to clients in much the same way as it would normally, no user config or exe files required, it's all very simple and transparent, that's why I think it would be a nice to have for RT

but if not, we will still advise clients to use NeoRouter and the free NeoRouter Domain service
http://www.instantfundas.com/2009/12/ne ... ccess.html
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: IP in IP tunneling

Post by thechief » Fri Jan 22, 2010 6:23 pm

pcourtney wrote:
> >but I also read somewhere that you need a userland program "iptunnel"
>
> no, only VPNs like OpenVPN, Cisco and PPTP need client installs and/or programs in the start up folder

Ok. Care to comment on these?
http://www.seattlewireless.net/IpTunnel
http://unifix.org/cgi-bin/index.pl?action=show&ID=1

Edit - and this: http://www.mail-archive.com/linux-india ... 24631.html

Are they mistaken, or outdated?
pcourtney wrote:
> an IpinIP router once enabled and configured for IPinIP use, just dishes out DHCP addresses to clients in much the same way as it would normally, no user config or exe files required, it's all very simple and transparent, that's why I think it would be a nice to have for RT

The module is very small (less than 18kb uncompressed, and about a third of that compressed), so it is not a big deal. The question is whether it will work.
pcourtney
Novice
Posts: 26
Joined: Mon Jan 18, 2010 4:41 pm

Re: IP in IP tunneling

Post by pcourtney » Sun Jan 31, 2010 9:42 pm

even easier then with 2.4

For kernel 2.4.x.. There is no need for new_tunnel.o.

It comes along with ipip.o

The steps to configure an IPIP tunnel are:
enable the bit in ip_forward.c
insmod ipip.o
iptunnel add TUNNELNAME mode ipip remote REMOTEIP local LOCALIP
ifconfig TUNNELNAME IFACEIP
route add -net REMOTENET/MASK dev TUNNELNAME
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: IP in IP tunneling

Post by thechief » Mon Feb 01, 2010 8:50 am

pcourtney wrote:
> enable the bit in ip_forward.c

What does this mean?
pcourtney
Novice
Posts: 26
Joined: Mon Jan 18, 2010 4:41 pm

Re: IP in IP tunneling

Post by pcourtney » Mon Feb 01, 2010 9:29 pm

that's just to enable it ON or OFF

#set ip_forward=1 ( eg on = 1, off = 0 )

by default most Linux distros have it disabled
http://linuxpoison.blogspot.com/2008/01 ... rding.html
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Re: IP in IP tunneling

Post by thechief » Mon Feb 01, 2010 9:42 pm

If that is what you're referring to (I don't see how ip_forward.c comes into it), it should always be enabled in a router. And it is enabled in RT firmwares (look in /etc/init.d/rcS).

The kernel module will be built into future firmwares, as will iptunnel. Whether it all works or not remains to be seen.