Generic Routing Encapsulation (GRE) is an IP tunnelling protocol used to transport packets from one network through another network. GRE is supported from the command line in Firmware 3.5.1, on all ACM5000, ACM5500, ACM7000, CM7100, IM4200 and IM7200 models.
You can use this method to bridge two sites on the same subnet. It is similar to using OpenVPN to bridge two networks, but without the privacy and security that encryption and authentication provide.
The example below shows how to establish a GRE tunnel between two machines that are already able to contact each other. One machine's IP address is "pc_ip_addr" and the other is "acm_ip_addr". The shared subnet that is to be bridged between the two devices is "10.0.1.0/24".
On ACM Side:
# modprobe ip_gre
# ip tunnel add Tunnel mode gre remote pc_ip_addr
# ip link set Tunnel up
# ip addr add 10.0.1.1 dev Tunnel
# ip route add 10.0.1.0/24 dev Tunnel
On PC Side:
# modprobe ip_gre
# ip tunnel add Tunnel mode gre remote acm_ip_addr
# ip link set Tunnel up
# ip addr add 10.0.1.2 dev Tunnel
# ip route add 10.0.1.0/24 dev Tunnel
You will need a custom network start script to bring this up automatically.
You will also need to manually set up the firewall on the ACM to allow incoming traffic on the Tunnel interface; the PC may also need firewall changes. Without changes to the firewall settings, the ACM settings above won't even allow incoming ping requests. The following is an example of what you can do on the ACM side to allow all incoming traffic on the Tunnel interface (not recommended: the rules should be stricter, as this is only a basic example of what will work):
# iptables -N TunnelInput
# iptables -A TunnelInput -j ACCEPT
# iptables -I INPUT -i Tunnel -j TunnelInput
The first line creates a new rule chain, TunnelInput, for input on the Tunnel interface. The second line adds a rule to the chain that allows everything through, and the third line inserts a jump to the new rule chain (matching traffic arriving on the Tunnel interface) at the top of the INPUT chain.
These settings will also need to be in a start-up script, as they are lost on reboot.
Note that this connection is unencrypted. If encryption is required, we recommend tunnelling the GRE connection over an IPsec tunnel for improved security.
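The following is an added example, not a script from the original article or from the vendor: the ACM-side commands above collected into one start-up script, with a stricter TunnelInput chain in place of the accept-everything rule. The peer address 192.0.2.10 (standing in for pc_ip_addr), the allowed services (ping and SSH), the availability of the conntrack match on the device, and the GRE_APPLY switch are all assumptions.

```shell
#!/bin/sh
# Added example: ACM-side GRE start-up script with a restrictive firewall chain.
# Dry run by default (prints the commands). Run once at boot as root with
# GRE_APPLY=1 to execute them.
PEER_IP="${PEER_IP:-192.0.2.10}"  # assumption: placeholder for pc_ip_addr
TUN_IF="Tunnel"
TUN_NET="10.0.1.0/24"             # shared subnet from the article
LOCAL_TUN_IP="10.0.1.1"

# Execute the command when GRE_APPLY=1, otherwise print it.
run() {
    if [ "${GRE_APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Same five steps as the "On ACM Side" listing.
setup_tunnel() {
    run modprobe ip_gre
    run ip tunnel add "$TUN_IF" mode gre remote "$PEER_IP"
    run ip link set "$TUN_IF" up
    run ip addr add "$LOCAL_TUN_IP" dev "$TUN_IF"
    run ip route add "$TUN_NET" dev "$TUN_IF"
}

# Same chain layout as the article, but default-deny inside the chain.
setup_firewall() {
    run iptables -N TunnelInput
    # Replies to connections the ACM itself opened through the tunnel.
    run iptables -A TunnelInput -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Assumed allow-list: ping and SSH, only from the bridged subnet.
    run iptables -A TunnelInput -s "$TUN_NET" -p icmp --icmp-type echo-request -j ACCEPT
    run iptables -A TunnelInput -s "$TUN_NET" -p tcp --dport 22 -j ACCEPT
    # Everything else arriving over the unauthenticated tunnel is dropped.
    run iptables -A TunnelInput -j DROP
    # Hook the chain in last, once it is fully populated.
    run iptables -I INPUT -i "$TUN_IF" -j TunnelInput
}

setup_tunnel && setup_firewall
```

Because GRE does not authenticate the sender, the source-address match on the inner packets is a filter, not a guarantee of origin.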