• gre tunnel


    http://searchenterprisewan.techtarget.com/tip/GRE-tunnel-vs-IPsec-tunnel-What-is-the-difference

    Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

     

    GRE (Generic Routing Encapsulation, RFC 2784) is used when IP packets need to be sent from one network to another without being parsed or routed as IP packets by any intervening routers: the inner packet is opaque payload until it reaches the far tunnel endpoint.

     

    For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

    The IP Security (IPsec) Encapsulating Security Payload (ESP), originally defined by RFC 2406 and now by RFC 4303, also encapsulates IP packets. However, it does so for a different reason: to protect the encapsulated payload with encryption and integrity checking. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

    For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B". VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it does not matter how the two VPN gateways communicate with each other: hops in between just pass along the ESP packet. But unlike GRE, someone at those hops cannot read the encapsulated IP packet, and cannot modify or replay it without the receiving gateway detecting and discarding it. The packet is encrypted, and ESP's integrity check and anti-replay window cover it (provided ESP is configured with an integrity algorithm, which current IPsec profiles require).

    In summary, use GRE where IP tunneling without privacy is acceptable: it is simpler and cheaper per packet, and it can carry multicast (routing protocols) and non-IP payloads. Use IPsec ESP where tunneling and data privacy are both required: it provides security properties that GRE does not even attempt. The two are often combined as GRE over IPsec, with ESP in transport mode protecting the GRE packets, which gives GRE's flexibility together with ESP's confidentiality and integrity.
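    What the comparison above means on the wire, shown as an added example that is not part of the TechTarget tip or of this page: a pure-Python GRE-over-IPv4 encoder and decoder. It encapsulates a constructed inner packet between the two gateway addresses used later on this page, then shows that any hop on the path can read the inner packet and rewrite it (here the inner destination address, with the IPv4 checksum corrected), and that the receiving endpoint decapsulates the altered packet with no way to notice. The addresses and the UDP payload are constructed sample data; the decoder handles the basic GRE header plus the optional checksum, key and sequence fields.

```python
import struct

GRE_PROTO_IPV4 = 0x0800   # GRE protocol type field for an IPv4 payload (RFC 2784)
IPPROTO_GRE = 47          # protocol number of GRE in the outer IPv4 header


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum as used by the IPv4 header; 0 over a full header means 'valid'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def a2b(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def b2a(raw: bytes) -> str:
    return ".".join(str(octet) for octet in raw)


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Build a 20-byte IPv4 header without options and with a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      ttl, proto, 0, a2b(src), a2b(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def gre_encap(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Wrap an IPv4 packet in the 4-byte basic GRE header (no C/K/S fields)."""
    gre = struct.pack("!HH", 0, GRE_PROTO_IPV4)   # flags + version = 0, then protocol type
    return ipv4_header(outer_src, outer_dst, IPPROTO_GRE, len(gre) + len(inner)) + gre + inner


def gre_decap(packet: bytes):
    """Return (outer_src, outer_dst, inner_packet); skips the optional GRE fields if present."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_GRE:
        raise ValueError("outer protocol is not GRE")
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != GRE_PROTO_IPV4:
        raise ValueError("unexpected GRE payload type 0x%04x" % ptype)
    # C (checksum), K (key) and S (sequence) each add a 4-byte field (RFC 2784 / RFC 2890)
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return b2a(packet[12:16]), b2a(packet[16:20]), packet[ihl + gre_len:]


def inner_addresses(inner: bytes) -> tuple:
    return b2a(inner[12:16]), b2a(inner[16:20])


def on_path_rewrite(gre_packet: bytes, new_inner_dst: str) -> bytes:
    """What any hop between the GRE endpoints can do: decapsulate, change the inner
    destination, fix the inner checksum, re-encapsulate. GRE carries no integrity
    check, so the receiving endpoint cannot tell that this happened."""
    outer_src, outer_dst, inner = gre_decap(gre_packet)
    ihl = (inner[0] & 0x0F) * 4
    hdr = bytearray(inner[:ihl])
    hdr[16:20] = a2b(new_inner_dst)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return gre_encap(outer_src, outer_dst, bytes(hdr) + inner[ihl:])


def demo() -> dict:
    """Constructed sample: a UDP datagram from a datacenter host to a company host,
    carried between the two gateways' public addresses used later on this page."""
    payload = b"hello"
    udp = struct.pack("!HHHH", 40000, 514, 8 + len(payload), 0) + payload
    inner = ipv4_header("10.30.1.20", "192.168.1.50", 17, len(udp)) + udp
    on_the_wire = gre_encap("221.224.1.1", "221.224.0.1", inner)

    _, _, seen = gre_decap(on_the_wire)          # any hop sees the inner packet as-is
    tampered = on_path_rewrite(on_the_wire, "192.168.1.99")
    _, _, received = gre_decap(tampered)         # the endpoint accepts it just the same
    return {
        "seen_by_hop": inner_addresses(seen),
        "seen_payload": seen[-len(payload):],
        "after_rewrite": inner_addresses(received),
        "rewritten_header_valid": ip_checksum(received[:20]) == 0,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

    The same exercise against an ESP packet stops at the first step: the inner packet is ciphertext, and any change to it fails the integrity check at the receiver. That difference, not the encapsulation itself, is the whole reason to choose ESP over GRE when the path is untrusted.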

    http://www.heiqu.com/show-75082-1.html

    http://user.qzone.qq.com/879205487/blog/1306227884

    Linux IP/GRE tunnel interconnection configuration


      Note: with ip/gre tunnels the company intranet and the datacenters can be interconnected through several tunnel gateways. Keep in mind that GRE adds no encryption or authentication (see the GRE vs. IPsec comparison above): the intranet traffic crosses the public network in the clear, and a gateway will accept an encapsulated packet from anyone able to send with the peer's public address as the source. Run the tunnels over IPsec, or at the very least filter IP protocol 47 so that only the configured peers reach the gateways.

      Example:

      1. Company:

      UPIP (public uplink address): 221.224.0.1

      Gateway: 192.168.1.1/24

      network: company

      2. Datacenter A:

      UPIP: 221.224.1.1

      network: datacenter A

      Gateway: 10.30.1.1/24

      3. Datacenter B:

      UPIP: 221.224.2.1

      Gateway: 172.16.1.1/24

      1. Company gateway configuration (the tunnel interfaces are named dcA and dcB here; the original used Chinese interface names, which the kernel accepts but which are awkward to type and log):

      # forwarding must be enabled on every gateway, otherwise hosts behind it cannot use the tunnel
      sysctl -w net.ipv4.ip_forward=1

      modprobe ipip      # not needed for GRE; harmless

      modprobe ip_gre

      # tunnel for datacenter A

      ip tunnel add dcA mode gre remote 221.224.1.1 local 221.224.0.1 ttl 255

      ip link set dcA up

      # the LAN gateway address is reused on the tunnel interface (no prefix given, so it is added as /32);
      # Linux permits this, but a dedicated /30 per tunnel, as in the Cisco example further down, is cleaner
      ip addr add 192.168.1.1 dev dcA

      ip route add 10.30.1.0/24 dev dcA

      # tunnel for datacenter B

      ip tunnel add dcB mode gre remote 221.224.2.1 local 221.224.0.1 ttl 255

      ip link set dcB up

      ip addr add 192.168.1.1 dev dcB

      ip route add 172.16.1.0/24 dev dcB

      2. Datacenter A gateway configuration:

      sysctl -w net.ipv4.ip_forward=1

      modprobe ip_gre

      ip tunnel add dcA mode gre remote 221.224.0.1 local 221.224.1.1 ttl 255

      ip link set dcA up

      ip addr add 10.30.1.1 dev dcA

      ip route add 192.168.1.0/24 dev dcA

      3. Datacenter B gateway configuration:

      sysctl -w net.ipv4.ip_forward=1

      modprobe ip_gre

      ip tunnel add dcB mode gre remote 221.224.0.1 local 221.224.2.1 ttl 255

      ip link set dcB up

      ip addr add 172.16.1.1 dev dcB

      ip route add 192.168.1.0/24 dev dcB

      ##############################################################################

      Cisco router to Linux GRE connection

      This section describes a GRE connection between a Cisco router and a Linux system. The Cisco is a 1721; the Linux box runs CentOS.

      The topology is as follows:

      (Topology figure: Cisco router and Linux GRE connection; the image is not reproduced here)

      Linux side

      1. Check whether the ip_gre module is loaded:

      lsmod|grep ip_gre

      If it is not, load it (the path below is specific to that el5 kernel; `modprobe ip_gre` does the same without hard-coding the kernel version):

      insmod /lib/modules/2.6.18-194.3.1.el5/kernel/net/ipv4/ip_gre.ko

      2. Add a tunnel named tunnel0 (remote is the Cisco tunnel source address, local is this host's eth0 address):

      [root@localhost ~]# ip tunnel add tunnel0 mode gre remote 192.168.1.1 local 172.16.1.254 ttl 255

      3. Bring up tunnel0. The MTU is set to 1500 here; over a 1500-byte underlay a GRE interface should really be 1476 or lower (20-byte outer IPv4 header plus 4-byte GRE header), see the MTU note at the end of this section:

      [root@localhost ~]# ip link set tunnel0 up mtu 1500

      4. Assign the tunnel0 address, as a /30 point-to-point pair with the Cisco end:

      [root@localhost ~]# ip addr add 10.100.2.2/30 peer 10.100.2.1/30 dev tunnel0

      5. Add the route to the LAN behind the Cisco router through tunnel0:

      [root@localhost ~]# ip route add 10.10.34.0/24 dev tunnel0

      6. Verify:

      [root@localhost ~]# ip addr show

      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

      inet 127.0.0.1/8 scope host lo

      inet 10.0.0.254/32 scope global lo

      inet6 ::1/128 scope host

      valid_lft forever preferred_lft forever

      2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

      link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

      inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

      inet6 fe80::2d0:b7ff:fe2e:8f21/64 scope link

      valid_lft forever preferred_lft forever

      3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

      link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

      inet 172.16.1.254/24 brd 172.16.1.255 scope global eth0

      inet6 fe80::217:31ff:fe09:6eec/64 scope link

      valid_lft forever preferred_lft forever

      4: sit0: <NOARP> mtu 1480 qdisc noop

      link/sit 0.0.0.0 brd 0.0.0.0

      5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

      link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

      inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

      inet6 fe80::200:ff:fe00:0/64 scope link

      valid_lft forever preferred_lft forever

      6: tunl0: <NOARP> mtu 1480 qdisc noop

      link/ipip 0.0.0.0 brd 0.0.0.0

      7: gre0: <NOARP> mtu 1476 qdisc noop

      link/gre 0.0.0.0 brd 0.0.0.0

      8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

      link/gre 172.16.1.254 peer 192.168.1.1

      inet 10.100.2.2 peer 10.100.2.1/30 scope global tunnel0

      [root@localhost ~]# ip link show

      1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

      2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

      link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

      3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

      link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

      4: sit0: <NOARP> mtu 1480 qdisc noop

      link/sit 0.0.0.0 brd 0.0.0.0

      5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

      link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

      6: tunl0: <NOARP> mtu 1480 qdisc noop

      link/ipip 0.0.0.0 brd 0.0.0.0

      7: gre0: <NOARP> mtu 1476 qdisc noop

      link/gre 0.0.0.0 brd 0.0.0.0

      8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

      link/gre 172.16.1.254 peer 192.168.1.1


      [root@localhost ~]# ip tunnel show

      sit0: ipv6/ip remote any local any ttl 64 nopmtudisc

      tunl0: ip/ip remote any local any ttl inherit nopmtudisc

      gre0: gre/ip remote any local any ttl inherit nopmtudisc

      tunnel0: gre/ip remote 192.168.1.1 local 172.16.1.254 ttl 255

      [root@localhost ~]# ip route show

      10.10.34.0/24 dev tunnel0 scope link

      192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1

      172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.254

      192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

      [root@localhost ~]# ping 10.10.34.1

      PING 10.10.34.1 (10.10.34.1) 56(84) bytes of data.

      64 bytes from 10.10.34.1: icmp_seq=1 ttl=255 time=6.31 ms

      64 bytes from 10.10.34.1: icmp_seq=2 ttl=255 time=2.47 ms

      64 bytes from 10.10.34.1: icmp_seq=3 ttl=255 time=12.4 ms

      64 bytes from 10.10.34.1: icmp_seq=4 ttl=255 time=11.6 ms

      64 bytes from 10.10.34.1: icmp_seq=5 ttl=255 time=12.5 ms

      --- 10.10.34.1 ping statistics ---

      5 packets transmitted, 5 received, 0% packet loss, time 4002ms

      rtt min/avg/max/mdev = 2.477/9.102/12.578/4.045 ms

      

      Cisco

      Router-11#sh run int tunnel 1

      Building configuration...

      Current configuration : 148 bytes

      !

      interface Tunnel1

      ip address 10.100.2.1 255.255.255.252

      ip tcp adjust-mss 1400

      tunnel source 192.168.1.1

      tunnel destination 172.16.1.254

      end

      ip route 192.168.0.0 255.255.255.0 Tunnel1

      Router-11# traceroute 192.168.0.2

      Type escape sequence to abort.

      Tracing the route to ip-2-0-168-192.xxxx.com (192.168.0.2)

      1 10.100.2.2 [AS 65100] 0 msec ns1.xxxx.com (172.16.1.254) [AS 65100] 0 msec *

      (Hop 1 of the traceroute answers from both 10.100.2.2 and 172.16.1.254; both are addresses of the Linux host, tunnel0 and eth0 respectively.)

      You may run into MTU problems, and the tunnel MTU and TCP MSS then need adjusting. Every packet entering the tunnel grows by 24 bytes (20-byte outer IPv4 header plus 4-byte GRE header), so over a 1500-byte link the tunnel can carry at most 1476 bytes of inner packet. The Cisco side compensates with `ip tcp adjust-mss 1400` on Tunnel1 (the interface defaults to GRE over IP, so no `tunnel mode` line is needed); the Linux side should set `mtu 1476` or lower on tunnel0 instead of 1500, or clamp the MSS of forwarded TCP SYNs to 1436 or lower in the same way.
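      The two procedures on this page (the three-site Linux layout and the Linux-to-Cisco tunnel0 setup) are the same five steps repeated by hand, and the MTU remark above is the same 1500 - 20 - 4 = 1476 arithmetic each time. The following is an added example, not code from the original post: a Python generator that produces the per-gateway command list for a hub-and-spoke GRE layout from one site table. Relative to the listings on the page it gives every tunnel its own /30 instead of reusing the LAN gateway address, derives the tunnel MTU from the underlay MTU and the GRE overhead, clamps TCP MSS for traffic forwarded into the tunnel (the Linux counterpart of the Cisco `ip tcp adjust-mss` line), enables forwarding, and restricts inbound GRE (IP protocol 47) to the configured peers. Assumptions: the interface names (gre-<peer>) and the 10.255.255.0/24 link pool are this example's choices, the nft rules assume an existing `inet filter` table with `input` and `forward` chains, and the script only prints commands and executes nothing.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network

GRE_OVERHEAD = 20 + 4        # outer IPv4 header + basic 4-byte GRE header
TCP_IP_HEADERS = 20 + 20     # inner IPv4 + TCP headers that an MSS must leave room for


@dataclass(frozen=True)
class Site:
    name: str        # short ASCII label, used in the tunnel interface name
    public_ip: str   # the page's "UPIP": the gateway's address on the underlay
    lan: str         # the network behind this gateway, e.g. "10.30.1.0/24"


def tunnel_mtu(underlay_mtu: int = 1500, key: bool = False, seq: bool = False, csum: bool = False) -> int:
    """Largest inner packet that fits without fragmenting the outer packet.
    Each optional GRE field (key, sequence, checksum) costs another 4 bytes."""
    return underlay_mtu - GRE_OVERHEAD - 4 * (key + seq + csum)


def tcp_mss(mtu: int) -> int:
    """TCP MSS that fits the tunnel MTU; the Cisco side sets this with `ip tcp adjust-mss`."""
    return mtu - TCP_IP_HEADERS


def tunnel_commands(local: Site, peer: Site, link: IPv4Network, underlay_mtu: int = 1500) -> list:
    """Commands for one end of one GRE tunnel over the /30 `link`.
    The lower-sorting site name takes the first host address, so both ends agree."""
    first, second = list(link.hosts())
    my_ip, peer_ip = (first, second) if local.name < peer.name else (second, first)
    ifname = f"gre-{peer.name}"          # example naming, not from the page
    mtu = tunnel_mtu(underlay_mtu)
    return [
        f"ip tunnel add {ifname} mode gre local {local.public_ip} remote {peer.public_ip} ttl 255",
        f"ip link set {ifname} mtu {mtu} up",
        f"ip addr add {my_ip}/30 peer {peer_ip}/30 dev {ifname}",
        f"ip route add {peer.lan} via {peer_ip} dev {ifname}",
        # clamp the MSS of TCP SYNs forwarded into the tunnel (assumes chain inet filter forward exists)
        f"nft add rule inet filter forward oifname {ifname} tcp flags syn tcp option maxseg size set {tcp_mss(mtu)}",
    ]


def gre_filter_rule(peer_ips: list) -> str:
    """Drop GRE from anyone but the configured peers (assumes chain inet filter input exists).
    Without this the kernel accepts any packet whose outer source merely claims to be a peer."""
    return "nft add rule inet filter input meta l4proto gre ip saddr != { %s } drop" % ", ".join(peer_ips)


def build_topology(hub: Site, spokes: list, pool: str = "10.255.255.0/24", underlay_mtu: int = 1500) -> dict:
    """Return {site name: command list} for a hub with one GRE tunnel per spoke."""
    links = IPv4Network(pool).subnets(new_prefix=30)   # one /30 per tunnel, constructed pool
    prelude = ["sysctl -w net.ipv4.ip_forward=1", "modprobe ip_gre"]
    cfg = {hub.name: list(prelude)}
    for spoke in spokes:
        link = next(links)
        cfg[hub.name] += tunnel_commands(hub, spoke, link, underlay_mtu)
        cfg[spoke.name] = prelude + tunnel_commands(spoke, hub, link, underlay_mtu)
        cfg[spoke.name].append(gre_filter_rule([hub.public_ip]))
    cfg[hub.name].append(gre_filter_rule([s.public_ip for s in spokes]))
    return cfg


# The three sites from the page's Linux example (addresses as given there).
COMPANY = Site("company", "221.224.0.1", "192.168.1.0/24")
DC_A = Site("dcA", "221.224.1.1", "10.30.1.0/24")
DC_B = Site("dcB", "221.224.2.1", "172.16.1.0/24")

if __name__ == "__main__":
    for site, commands in build_topology(COMPANY, [DC_A, DC_B]).items():
        print(f"# ---- {site} ----")
        print("\n".join(commands))
```

      Run the script and paste each site's block on the matching gateway (quote the nft rules if your shell mangles the braces). The `tunnel_mtu` arguments also cover the `key`/`seq`/`csum` tunnel options, which each cost another 4 bytes and are easy to forget when sizing the MTU. The GRE source filter only stops the trivial injection case; it does not authenticate the peer, so for anything beyond a lab the tunnels should still run over IPsec as the comparison at the top of the page explains.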

  • Original article: https://www.cnblogs.com/jvava/p/4782207.html