GRE tunneling
Set a GRE tunnel with GCore
Use the following instructions to set up the GRE (Generic Routing Encapsulation) tunnel using Gcore infrastructure.
or
These commands will display the routing table of the router, showing the IP addresses of their interfaces that will be used as tunnel sources.
2. Set the tunnel IP address and subnet mask:
3. Specify the source and destination IP addresses.
The user on the other end of the tunnel sets the similar configuration:
When you configure both ends of the tunnel with matching parameters, the GRE tunnel between two routers will be established.
Prefix-list lines are responsible for defining routes.
2. Define the inbound route policy:
The
The
The
Side B:
The configuration lines provided above enable you to establish BGP sessions with Gcore over GRE tunnels to protect your applications and servers from DDoS attacks and other types of malicious traffic.
Replace
2. Assign an IP address to the tunnel interface:
To make this setting persistent, add the following to the configuration file /etc/sysctl.conf:
Alternatively, create a custom
Configure a GRE tunnel on Cisco routers
These configuration steps are specific to Cisco routers. For information on configuring GRE tunnels and BGP sessions on other devices, refer to the respective documentation provided by the manufacturer.Step 1. Check network availability between routers
Both routers in a tunnel must have routable interfaces connected to the internet, and their routes must be mutually visible and reachable. To verify the connectivity, run either of the following commands on a router platform:Step 2. Configure a tunnel
Follow these steps and use the configuration snippets below as a guideline. 1. Set the tunnel ID:Step 3. Set the MTU and MSS limits
Tunneling adds an extra header to the original IP packet, resulting in overhead. If you don’t adjust MTU and MSS limits, it may lead to packet delivery issues. Set the following MTU and MSS limits:Why these values?
Why these values?
The standard MTU size allowed on the internet is 1500 bytes. When using GRE, typically an additional 24 bytes are added to the packet, consisting of 20 bytes of additional an outer IP header and 4 bytes of GRE itself. This means we must reduce the maximum allowed packet size over our GRE tunnel to 1476 bytes. Since we do not use any encryption in our example, no more headers are considered. If there was encryption, there would be 4 more bytes, but this is out of the scope of this article.For TCP, the maximum segment size (MSS) value is 40 bytes less than the MTU size, as the TCP header is 40 bytes. Thus, the MSS value must be explicitly specified in the configuration. In our case, the MSS value must be 1436 bytes (1476 [the GRE MTU size] - 40 = 1436).
Step 4. Configure BGP
Open a BGP peering session, configure your BGP neighbor by specifying their IP address and number of remote AS, set BGP policies that will determine the best path for routing, and advertise network prefixes. For example, imagine Side A (AS 10) and Side B (AS 20) on the two ends of the tunnel. Side A provides DDoS Protection, so it accepts specific routes from clients, denies the default for the routing security purposes, and does not advertise anything. On the other hand, Side B advertises only its own routes. Let’s start with the Side A configuration. 1. Define the neighbor routes:SIDE_A_POLICY_INBOUND route policy processes incoming routes. The first line denies the default route, while the second line permits the client routes.
3. Define the outbound route policy:
SIDE_A_POLICY_OUTBOUND route policy denies all routes coming out of the router.
The route policy configuration on Side B will be similar:
SIDE_B_POLICY_INBOUND and SIDE_B_POLICY_OUTBOUND route policies describe the routes coming in and going out of the Side B’s router, respectively. Side B doesn’t accept any routes from Side A, and advertises its own routes to Side A without the default route.
The BGP configuration on both ends of the GRE tunnel should be as follows:
Side A:
Set a GRE tunnel on Ubuntu
Establish a tunnel on Linux-based servers functioning as endpoints in your network.Step 1. Install required tools
Install the iproute2 package for managing GRE tunnels:Step 2. Configure the GRE tunnel
Configure the tunnel on the first endpoint with the example address 40.0.0.1: 1. Create the GRE tunnel:40.0.0.1 with this system’s public IP and 50.0.0.1 with the remote system’s public IP.
2. Assign an IP address to the tunnel interface: sudo ip addr add 10.20.30.1/24 dev gre1.
3. Bring up the GRE interface: sudo ip link set gre1 up.
Configure the tunnel on the second endpoint with the example address 50.0.0.1:
1. Create the GRE tunnel:
sudo ip addr add 10.20.30.2/24 dev gre1.
3. Bring up the GRE interface: sudo ip link set gre1 up.
Step 3. Enable IP forwarding
If the GRE tunnel is being used for routing, ensure that IP forwarding is enabled on both endpoints. Run the following command:net.ipv4.ip_forward=1.
Apply the changes by running sudo sysctl -p.
Step 4. Adjust MTU and MSS settings
To handle the additional GRE header, set the MTU and MSS limits on both endpoints:Step 5. Verify tunnel connectivity
On each endpoint, test the connectivity by pinging the opposite end of the GRE tunnel:Step 6. Configure routing (optional)
If you need to route specific traffic through the GRE tunnel, add routing rules. For example:Step 7. Make the configuration persistent
To make the GRE tunnel configuration persistent across reboots, add the setup commands to/etc/network/interfaces or use systemd service files.
To update the setup in /etc/network/interfaces, add the following information to the file:
systemd service to set up the tunnel at boot.