IP GRE Cisco Linux

Creating the tunnel interface on Cisco

interface Tunnel0
 ! GRE tunnel to the Linux host; 172.19.2.0/24 is the tunnel transit network
 ip address 172.19.2.2 255.255.255.0
 ! source = this router's public address (FastEthernet3/0), destination = the Linux host's public address
 tunnel source IP_ADDR
 tunnel destination IP_ADDR
 ! traffic arriving over the tunnel is on the NAT "inside"
 ip nat inside

interface FastEthernet3/0
 ! Internet-facing interface; NAT "outside" lives here
 ip address IP_ADDR 255.255.255.252
 ip nat outside
 no ip mroute-cache
 load-interval 30
 duplex full

Adding routes

Route the Linux side's tunnel network over Tunnel0, then build the ACL and route-map that select which source addresses are NATed to the Internet:

! the Linux host's tunnel network is reached across the tunnel
ip route 172.19.3.0 255.255.255.0 Tunnel0

! only these two tunnel addresses are translated
ip access-list standard Ips
 permit 172.19.2.2
 permit 172.19.3.3

route-map VPN permit 10
 match ip address Ips

Configuring NAT

! dynamic NAT: sources matched by route-map VPN leave FastEthernet3/0 with its address (PAT/overload)
ip nat inside source route-map VPN interface FastEthernet3/0 overload
! static port forward: TCP port 7200 on the outside address reaches 172.19.3.3:2200 across the tunnel
ip nat inside source static tcp 172.19.3.3 2200 fas3/0_ip_addr 7200 extendable

Note: ip nat outside must be configured on the external interface, the one facing the Internet (here FastEthernet3/0); ip nat inside goes on Tunnel0 so that traffic arriving through the tunnel is translated.

Linux Tunnel

Create the GRE tunnel (LOCAL is this host's public address, REMOTE is the Cisco's tunnel source), give it the 172.19.3.3 address, route the Cisco side's tunnel network over it, then create a policy-routing table "tun" whose default route points at the Cisco's tunnel address and send everything sourced from 172.19.3.3 into that table:

[root@fastline ~]# ip tunnel add tun0 mode gre local LOCAL remote REMOTE ttl 255
[root@fastline ~]# ip addr add 172.19.3.3 dev tun0
[root@fastline ~]# ip link set tun0 up
[root@fastline ~]# ip route add 172.19.2.0/24 dev tun0
[root@fastline ~]# echo "201 tun" >> /etc/iproute2/rt_tables
[root@fastline ~]# ip rule add from 172.19.3.3 lookup tun
[root@fastline ~]# ip route add default via 172.19.2.2 table tun
[root@fastline ~]# /sbin/ip route flush cache

This way all traffic sourced from 172.19.3.3 is routed over the tunnel to 172.19.2.2: the rule selects table tun, whose only route is the default via the Cisco. Remember that GRE itself has no authentication or encryption; any firewall in the path must allow IP protocol 47 between the two endpoints, and anything needing confidentiality has to run over IPsec or another encrypted layer on top of the tunnel.

To send traffic for a particular destination network through the tunnel regardless of its source, add an ordinary route in the main table instead:

ip route add 66.197.0.0/24 dev tun0

(traffic to this network will go via the tunnel).

Forwarding Traffic

To forward only specific traffic through the tunnel, mark it in the mangle table and route by mark. Here every TCP/22 (SSH) packet entering the box gets fwmark 0x22. The mangle PREROUTING chain sees forwarded and inbound packets only; locally generated traffic would have to be marked in the mangle OUTPUT chain instead:

[root@fastline ~]# iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 0x22
[root@fastline ~]# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 28 packets, 346K bytes)
 pkts bytes target  prot opt in   out  source    destination
    1    40 MARK    tcp  --  any  any  anywhere  anywhere     tcp dpt:ssh MARK set 0x22

Then send marked packets to table tun. Its default route via 172.19.2.2 was already created above; "ip route replace" is used here so the command does not fail with "File exists" when the route is still present:

[root@fastline ~]# ip rule add fwmark 0x22 lookup tun
[root@fastline ~]# ip route replace default via 172.19.2.2 table tun
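The Linux-side procedure above (the tunnel and policy-routing commands under "Linux Tunnel" together with the fwmark steering under "Forwarding Traffic") as one re-runnable script. This is an added example, not the original post's commands: it wraps the same ip, iptables and rt_tables steps in functions that are safe to run twice (ip route replace, a grep before appending to rt_tables, ip rule del before ip rule add, iptables -C before -A). The LOCAL/REMOTE defaults are RFC 5737 documentation placeholders, and the DRY_RUN and RT_TABLES knobs, the rp_filter sysctls and the INPUT rule for protocol 47 are assumptions added here, not part of the page's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent Linux-side setup for the
# GRE tunnel and policy routing described above. Re-running it must not fail with
# "RTNETLINK answers: File exists" or leave duplicate rt_tables entries / ip rules.
# Assumptions (not on the page): LOCAL/REMOTE default to RFC 5737 documentation
# addresses; DRY_RUN, RT_TABLES, the rp_filter sysctls and the INPUT rule are added here.
set -eu

LOCAL="${LOCAL:-192.0.2.1}"        # this host's public address (assumed placeholder)
REMOTE="${REMOTE:-198.51.100.1}"   # Cisco "tunnel source" address (assumed placeholder)
TUN_IF="tun0"
TUN_LOCAL_IP="172.19.3.3"          # Linux tunnel address (from the page)
TUN_PEER_IP="172.19.2.2"           # Cisco Tunnel0 address (from the page)
PEER_NET="172.19.2.0/24"
TABLE_NUM="201"; TABLE_NAME="tun"
MARK="0x22"                        # fwmark for forwarded TCP/22 (from the page)
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-0}"            # 1 = print the commands instead of running them

# run CMD...: execute, or print when DRY_RUN=1 so the plan can be reviewed first.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Append "201 tun" to rt_tables only if that exact entry is not already there.
ensure_rt_table() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo "%s %s" >> %s\n' "$TABLE_NUM" "$TABLE_NAME" "$RT_TABLES"
    elif ! grep -qE "^[[:space:]]*${TABLE_NUM}[[:space:]]+${TABLE_NAME}[[:space:]]*\$" "$RT_TABLES"; then
        echo "$TABLE_NUM $TABLE_NAME" >> "$RT_TABLES"
    fi
}

# ip rule has no "replace": delete every copy of the rule, then add exactly one.
ensure_ip_rule() {
    if [ "$DRY_RUN" != 1 ]; then
        while ip rule del "$@" 2>/dev/null; do :; done
    fi
    run ip rule add "$@"
}

# iptables_ensure TABLE CHAIN RULE...: append the rule unless -C says it already exists.
iptables_ensure() {
    t="$1"; c="$2"; shift 2
    if [ "$DRY_RUN" = 1 ] || ! iptables -t "$t" -C "$c" "$@" 2>/dev/null; then
        run iptables -t "$t" -A "$c" "$@"
    fi
}

gre_linux_setup() {
    run sysctl -q -w net.ipv4.ip_forward=1
    # Policy routing makes the reply path differ from the strict reverse path, and
    # rp_filter=1 (strict) silently drops such packets, so use loose mode (2).
    run sysctl -q -w net.ipv4.conf.all.rp_filter=2

    # "ip tunnel add" refuses to re-create an existing tun0, so remove a stale one first.
    if [ "$DRY_RUN" != 1 ] && ip link show "$TUN_IF" >/dev/null 2>&1; then
        run ip tunnel del "$TUN_IF"
    fi
    run ip tunnel add "$TUN_IF" mode gre local "$LOCAL" remote "$REMOTE" ttl 255
    run sysctl -q -w "net.ipv4.conf.${TUN_IF}.rp_filter=2"
    run ip addr replace "$TUN_LOCAL_IP/32" dev "$TUN_IF"
    run ip link set "$TUN_IF" up
    run ip route replace "$PEER_NET" dev "$TUN_IF"

    # Table "tun" holds only a default route via the Cisco; traffic sourced from
    # 172.19.3.3 and packets carrying fwmark 0x22 are steered into it.
    ensure_rt_table
    run ip route replace default via "$TUN_PEER_IP" dev "$TUN_IF" table "$TABLE_NAME"
    ensure_ip_rule from "$TUN_LOCAL_IP" lookup "$TABLE_NAME"
    # PREROUTING marks forwarded and inbound packets; locally generated SSH would
    # need the same rule in the mangle OUTPUT chain.
    iptables_ensure mangle PREROUTING -p tcp --dport 22 -j MARK --set-mark "$MARK"
    ensure_ip_rule fwmark "$MARK" lookup "$TABLE_NAME"

    # GRE (IP protocol 47) carries no authentication or encryption: accept it only
    # from the configured peer, and run IPsec underneath if the payload is sensitive.
    iptables_ensure filter INPUT -p 47 -s "$REMOTE" -j ACCEPT
}

# "DRY_RUN=1 sh gre-setup.sh plan" prints the commands; "sh gre-setup.sh apply" runs them as root.
case "${1:-}" in
    plan)  DRY_RUN=1; gre_linux_setup ;;
    apply) gre_linux_setup ;;
esac
```

Review the plan with "DRY_RUN=1 sh gre-setup.sh plan" before applying it as root. When traffic goes out but replies never come back, confirm that the rules and table are really in place with "ip rule show" and "ip route show table tun", and watch the decapsulated packets with "tcpdump -ni tun0" (the encapsulated GRE packets are visible with "tcpdump -ni <public interface> proto gre").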

2 Responses to "IP GRE Cisco Linux"

  1. neptor Says:

    Hello,

    I have a similar situation, as I too have to forward traffic from GRE (cisco-linux) to the Internet, so in my iptables I've set:

    # Permitting Linux to act as a router (necessary to forward packets)
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # first the port then the protocol
    $fw -A INPUT -p 47 -j ACCEPT

    # permit any ppp interface to forward
    $fw -A FORWARD -i cloud -o ppp0 -j ACCEPT
    $fw -A FORWARD -o cloud -i ppp0 -j ACCEPT

    # any "related" activity to something already permitted should be accepted:
    $fw -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # masquerade anything going out from this server:
    $fw -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    #$fw -t nat -A POSTROUTING -o ppp0 -j SNAT --to $myextip
    $fw -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source $myextip
    $fw -A FORWARD -i cloud -o ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    So I see the traffic coming from the Cisco and going to the Internet via my ppp0 NIC, but it never comes back.

    Can you tell me what's wrong with my iptables?

  2. Giany Says:

    Try debugging with tcpdump. Most likely you did not set the proper iproute rules.
