
The Linux GRE tunnel has two parameters, a local address and a remote address. Suppose I have two routers, the left one is outside of a NAT and the right one is inside a NAT, and I want to create a GRE tunnel between the left and right routers. I am clear on the right side, where the local address should be its own address and the remote address should be the peer's public address. But for the left side, I think the router will not know the peer address before the connection, so how would I set the 'remote' address for it?

Thanks in advance. -woody

Woody Wu

1 Answer


You should do as expected for other protocols: put only public IPs for remotes.

Example:

left: 192.0.2.10

NAT system: 198.51.100.20 / 192.168.0.1

right (behind NAT): 192.168.0.30

(And e.g. you're setting up the tunnel's IPs as 10.10.10.1/24 for left and 10.10.10.2/24 for right; it doesn't matter here.)

You need to tell the left router that the remote is 198.51.100.20, while for the right router, the remote is 192.0.2.10.

Now the caveat: it really depends on the settings of the NAT system, in case it's running Linux.

If this NAT system is also Linux,

  • It must of course at least do SNAT/MASQUERADE for right for protocol gre (47) in case it doesn't have a generic rule (but see later),
  • While NAT for usual protocols usually pulls in the related conntrack modules automatically, this doesn't happen for GRE. You have to manually do modprobe nf_conntrack_proto_gre, or no NAT will happen and the tunnel won't work. Strangely, from tests, nf_nat_proto_gre doesn't seem needed (nor is it enough alone).
  • If there is no DNAT equivalent to the SNAT/MASQUERADE, then only right should initiate traffic to left. If left sends traffic to right (actually to the NAT system) after inactivity, this won't work, and the conntrack entry might prevent right from establishing traffic to left for up to 30s (after the end of the attempts). Once "established", the "OK" timer rises to 180s. So you should really consider adding a DNAT rule from left to right to complement the opposite SNAT/MASQUERADE rule.

On such a Linux NAT system, you can verify what's happening using conntrack -L -p gre: it must have an entry after GRE tunnel activity, or the correct module is missing.

A.B
  • Can I understand that, whatever the SNAT/DNAT setup, only one host on the right side can do GRE with the same left-side host? – Woody Wu Aug 20 '18 at 13:46
  • Another question related to the left side. In the real world, it is a Cisco router. It has to support more than 1000 hosts creating GRE with each of them. I don't know any details inside the Cisco router, but to me it would be very strange if the router needed GRE entries configured for all of these 1000 hosts. I imagine there could be an automatic way of doing it in Cisco; if so, it must be quite different from the local/remote way of configuring found in Linux. I have no info on this however; does someone know about this for Cisco? Thanks. – Woody Wu Aug 20 '18 at 13:51
  • No idea on Cisco at all, but a normal NAT both ways is good enough if there's only *one* right system. Nothing special about "protocol 47" for its *IP* part. I was just warning of a slight lack of expected implicit feature on Linux – A.B Aug 20 '18 at 14:28
  • Btw, I tested it just to be sure before answering. If you think I addressed the question, don't forget to accept it – A.B Aug 20 '18 at 14:32
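The three-host setup from the answer (left, Linux NAT box, right behind NAT), written out as the ip(8), modprobe, sysctl and iptables(8) commands each host needs. This is an added example and not code from the original question or answer; the addresses are the ones used in the answer, while the tunnel name gre1, the WAN interface eth0, the TTL and the use of iptables (rather than nftables) are assumptions. By default the functions only print the commands so the plan can be reviewed; set GRE_APPLY=1 and run as root on the respective host to execute them.

```shell
#!/bin/sh
# Added example, not part of the original post. Generates (or, with
# GRE_APPLY=1, executes as root) the commands for the topology in the answer:
#   left:  192.0.2.10          (public)
#   NAT:   198.51.100.20 (public, assumed on eth0) / 192.168.0.1 (LAN)
#   right: 192.168.0.30        (behind NAT)
# Tunnel name "gre1", interface "eth0" and ttl 64 are assumptions.

# Print one command, or run it when GRE_APPLY=1.
run() {
    if [ "${GRE_APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# gre_endpoint NAME LOCAL REMOTE TUNNEL_CIDR
# One tunnel endpoint. LOCAL is the host's own address (private on the right
# side). REMOTE is what the peer looks like from *this* side: the NAT's public
# address as seen from left, left's public address as seen from right.
gre_endpoint() {
    name=$1; local_ip=$2; remote_ip=$3; tun_cidr=$4
    run ip tunnel add "$name" mode gre local "$local_ip" remote "$remote_ip" ttl 64
    run ip addr add "$tun_cidr" dev "$name"
    run ip link set "$name" up
}

# nat_gre_rules RIGHT_PRIVATE NAT_PUBLIC WAN_IF
# Rules for the Linux NAT box. GRE (IP protocol 47) has no ports, so one
# SNAT/DNAT pair maps exactly one inside host to the public address; both
# directions are rewritten so that left may also initiate after idle time,
# which the answer notes fails with SNAT/MASQUERADE alone.
nat_gre_rules() {
    right_ip=$1; nat_pub=$2; wan_if=$3
    # The GRE conntrack module is not pulled in automatically for -p gre
    # (per the answer). On kernels where GRE tracking is built into
    # nf_conntrack the module may not exist and this step can be dropped.
    run modprobe nf_conntrack_proto_gre
    run sysctl -w net.ipv4.ip_forward=1
    # right -> left: rewrite the source to the NAT's public address.
    run iptables -t nat -A POSTROUTING -p gre -s "$right_ip" -o "$wan_if" \
        -j SNAT --to-source "$nat_pub"
    # left -> right: deliver left-initiated GRE to the inside router.
    run iptables -t nat -A PREROUTING -p gre -i "$wan_if" -d "$nat_pub" \
        -j DNAT --to-destination "$right_ip"
    run iptables -A FORWARD -p gre -j ACCEPT
}

# Check from the answer: an entry must appear after tunnel activity,
# otherwise the conntrack module is missing.
verify_gre_conntrack() {
    run conntrack -L -p gre
}

# Whole plan for all three hosts (dry run unless GRE_APPLY=1).
plan() {
    echo '# left (192.0.2.10)'
    gre_endpoint gre1 192.0.2.10 198.51.100.20 10.10.10.1/24
    echo '# NAT box (198.51.100.20 / 192.168.0.1)'
    nat_gre_rules 192.168.0.30 198.51.100.20 eth0
    verify_gre_conntrack
    echo '# right (192.168.0.30, behind NAT)'
    gre_endpoint gre1 192.168.0.30 192.0.2.10 10.10.10.2/24
}

plan
```

Run it once per host with the matching function (for example `GRE_APPLY=1` and `gre_endpoint gre1 192.168.0.30 192.0.2.10 10.10.10.2/24` on right), then ping 10.10.10.1 from right and run conntrack -L -p gre on the NAT box to confirm the entry the answer describes.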