Setting up a "Universal GRE Decapsulator" on Linux
This document gives some instructions on how to set up a universal GRE decapsulator on Linux, and how to set up clients to use it. GRE is a tunneling protocol, usually set up point-to-point between two routers. We use the term "universal decapsulator" to describe a configuration for a GRE tunnel endpoint that will decapsulate GRE packets from any other endpoint. This is a useful tool to have for sending packets via a scenic route for testing purposes.
In this document, we use the term "decapsulator" to refer to the host that decapsulates GRE-tunneled packets. The "source" is the host that sends tunneled packets via the scenic route to the "target." Note that in this configuration, only traffic in the source to target direction takes the scenic route, while traffic in the reverse direction still takes the direct path. In some cases, it may be useful to set up both endpoints so that they send traffic to each other via the scenic route.
Decapsulator setup
The decapsulator should ideally be a well-connected box, preferably outside any firewall perimeter. Note that setting up any tunnel decapsulator is a security risk: the decapsulator will forward any packet that arrives in a GRE envelope carrying the right key, and the GRE key is neither secret nor authenticated (it travels in cleartext in every tunneled packet), so anyone who can observe or guess it can source traffic from inside your network through this host. Use these instructions at your own risk! It can be done safely, but you must understand how this fits with your security model. At minimum, filter GRE (IP protocol 47) on the decapsulator so that only the expected source addresses are accepted, and keep the box itself well secured.
First, make sure the kernel has been built with GRE tunnel support (the ip_gre module). The following instructions are in pseudo shell script form. They can be cut-and-pasted, but will require modification of some details to work correctly.
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# Make sure the GRE module is loaded
modprobe ip_gre
# Create the GRE tunnel interface gre_decap1.
# Replace decap_address with the decapsulator's public address,
# and my_key with a 32-bit key (the GRE Key field, RFC 2890) unique to this tunnel.
# No "remote" is given, so the interface accepts GRE from any peer.
ip tunnel add gre_decap1 mode gre local decap_address key my_key
# Disable reverse path filtering, since packets decapsulated here will
# carry inner source addresses that are not routed via gre_decap1
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
# Give the tunnel interface an address (decap_address should be the
# same as above)
ip addr add decap_address dev gre_decap1
# Bring the tunnel interface up
ip link set gre_decap1 up
The decapsulator should now accept GRE packets from any client using the correct key, decapsulate them, and forward the inner packets to their final destination through its normal routing table. You can confirm that tunneled packets are arriving by watching the interface counters with "ip -s link show gre_decap1".
Source setup
The following are instructions for a source that wants to send packets to a destination via the scenic tunnel.
# Make sure the GRE module is loaded
modprobe ip_gre
# Create the tunnel device. Here, decap_address is the decapsulator's
# address, source_address is the source host's address, and my_key
# is the GRE tunnel key configured on the decapsulator.
ip tunnel add gre1 mode gre remote decap_address local source_address key my_key
# Turn off reverse path filtering. Replies from the target come back over
# the direct path, not via gre1, and strict rp_filter would drop them.
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $i; done
# Assign the gre device an address. This will be used as the "inner"
# source IP address on packets sent through the tunnel; the "outer"
# source address is the local address given above.
ip addr add source_address dev gre1
# Bring up the tunnel device
ip link set gre1 up
# Add routes to any destinations you want to go through the tunnel.
ip route add target_net/mask dev gre1
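To make the decapsulator's behaviour concrete (accept GRE from any outer source, but only with the configured key, then hand the inner packet on for forwarding), here is an added example that models both the source's encapsulation and the decapsulator's check in Python. It is not code from the page or from the NPAD project; the addresses (192.0.2.10 for the source, 198.51.100.1 for the decapsulator, 203.0.113.5 for the target), the key value, and the packets themselves are constructed for illustration. The allowed_sources allowlist is the extra filtering step suggested above, not part of the page's configuration.

```python
"""Model of the GRE "universal decapsulator" described on this page.

Builds RFC 2890 GRE headers (with the Key extension) around an IPv4 packet,
then decapsulates only when the 32-bit key matches, regardless of which
outer source sent it. All packets here are constructed samples, not captures.
"""
import struct
import ipaddress

GRE_FLAG_CHECKSUM = 0x8000   # C bit: 16-bit checksum + 16 reserved bits follow
GRE_FLAG_KEY = 0x2000        # K bit: 32-bit key follows
GRE_FLAG_SEQ = 0x1000        # S bit: 32-bit sequence number follows
ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47


def checksum(data):
    """Standard ones'-complement Internet checksum over data."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def gre_encap(key, inner_packet):
    """What the source's gre1 device does: prepend a keyed GRE header."""
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("the GRE Key field is 32 bits wide")
    return struct.pack("!HHI", GRE_FLAG_KEY, ETHERTYPE_IPV4, key) + inner_packet


def parse_gre(data):
    """Parse a GRE header (version 0) and return its fields plus the payload.

    Note that the key, if present, is plain cleartext in the header.
    """
    flags, proto = struct.unpack("!HH", data[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    off = 4
    csum = key = seq = None
    if flags & GRE_FLAG_CHECKSUM:
        csum = struct.unpack("!H", data[off:off + 2])[0]
        off += 4                     # checksum plus reserved1
    if flags & GRE_FLAG_KEY:
        key = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", data[off:off + 4])[0]
        off += 4
    return {"proto": proto, "checksum": csum, "key": key, "seq": seq,
            "payload": data[off:]}


def universal_decap(outer_packet, configured_key, allowed_sources=None):
    """What the decapsulator's gre_decap1 device does.

    Returns the inner packet to be forwarded, or None if the packet is not
    GRE, carries the wrong key, or (optional hardening not in the page's
    config) comes from an outer source that is not on the allowlist.
    """
    ihl = (outer_packet[0] & 0x0F) * 4
    outer_proto = outer_packet[9]
    outer_src = str(ipaddress.IPv4Address(outer_packet[12:16]))
    if outer_proto != IPPROTO_GRE:
        return None
    if allowed_sources is not None and outer_src not in allowed_sources:
        return None
    gre = parse_gre(outer_packet[ihl:])
    if gre["key"] != configured_key or gre["proto"] != ETHERTYPE_IPV4:
        return None
    return gre["payload"]


def demo():
    """Constructed scenario: legitimate source, an unknown third party, wrong key."""
    key = 0xBEEF                                           # my_key (assumed value)
    inner = ipv4_header("192.0.2.10", "203.0.113.5", 17, 5) + b"probe"
    gre = gre_encap(key, inner)
    from_source = ipv4_header("192.0.2.10", "198.51.100.1", IPPROTO_GRE, len(gre)) + gre
    from_stranger = ipv4_header("203.0.113.77", "198.51.100.1", IPPROTO_GRE, len(gre)) + gre
    wrong_key = ipv4_header("192.0.2.10", "198.51.100.1", IPPROTO_GRE, len(gre)) \
        + gre_encap(key + 1, inner)
    return {
        "source_accepted": universal_decap(from_source, key) == inner,
        "stranger_accepted": universal_decap(from_stranger, key) == inner,
        "wrong_key_dropped": universal_decap(wrong_key, key) is None,
        "stranger_filtered": universal_decap(from_stranger, key, {"192.0.2.10"}) is None,
        "key_on_wire": parse_gre(from_source[20:])["key"],
    }


if __name__ == "__main__":
    print(demo())
```

The "stranger_accepted" result is the universal decapsulator working as designed, and also exactly the exposure described in the setup section: the only credential is a 32-bit value readable by anyone on the path. The allowlist branch is the kind of source filter you would otherwise implement with iptables on the real box.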
About NPAD
Network Path and Application Diagnosis is a joint project of the PSC and NCAR, funded under NSF grant ANI-0334061. This project is focused on using Web100 and other methods to extend fairly standard diagnostic techniques to compensate for the "symptom scaling" that leads to false positive diagnostic results on short paths.
Matt Mathis, John Heffner, and Raghu Reddy
Please send comments and suggestions to nettune@psc.edu