Things I have learned while doing GRE tunnels on Linux
In no particular order:
- point to point GRE tunnels have to be symmetric, where each end is a
mirror image of the other. Otherwise the destination kernel will
reject the inbound GRE packets, which makes sense from a security
perspective once you think about it.
- GRE tunnels require a local IP address before you can point routes at them; I suspect that this is generic behavior and is so that the kernel knows what default origin IP address to put on packets going out through them.
- because GRE tunnels are network devices, you can give them a distinct
local IP address, which becomes the default source IP address for anything
routed over the tunnel.
- GRE over IPSec over PPPoE requires a significantly smaller MTU than you might think for reliable operation. Do not assume that the kernel will get it right for you. (Especially if it doesn't know that the other end is using PPPoE.)
- it helps to make sure that both ends are using the same MTU. Unlike
with PPP, nothing automates this for you. (At least I think PPP
automates this for you.)
- because GRE tunnels provide an explicit source address and device,
you can play some really peculiar routing tricks. You don't even seem
to need policy based routing. My current trick is routing the
subnet that the target of the tunnel is on over the tunnel itself,
which makes my head hurt.
- reading the documentation for the
ipcommand is really useful; there's all sorts of powerful tricks lurking there. (And simple policy based routing is not as scary as it looks, honest.)
Now all I have to do is figure out the best way to automate all of this
so that it happens automatically on system boot. This may be kind of
tricky, because I am using a totally manually set up IPSec (complete
with direct invocation of
setkey and fixed keys), and I only want
to IPSec my GRE traffic, not anything else between the two endpoints
ifup-ipsec will do everything except GRE-only IPSec;
it wants to IPSec all traffic. I prefer not to, because that way I
have an out if something goes wrong with IPSec.)