http://searchenterprisewan.techtarget.com/tip/GRE-tunnel-vs-IPsec-tunnel-What-is-the-difference

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

 
 Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is...

used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

 

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: To secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.

In summary, use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But, use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.

http://www.heiqu.com/show-75082-1.html

http://user.qzone.qq.com/879205487/blog/1306227884

Linux Ip/gre tunnel互通隧道配置

3小时前

  说明:通过ip/gre tunnel能够通过多个tunnel网关将公司内网和机房互通

  例如:

  一、公司:

  UPIP:221.224.0.1

  网关:192.168.1.1/24

  network 公司

  二、机房A:

  UPIP:221.224.1.1

  network 机房A

  网关:10.30.1.1/24

  三、机房B:

  UPIP:221.224.2.1

  网关:172.16.1.1/24

  1、公司网关配置:

  modprobe ipip

  modprobe ip_gre

  #tunnel for 机房A

  ip tunnel add 机房A mode gre remote 221.224.1.1 local 221.224.0.1 ttl 255

  ip link set 机房A up

  ip addr add 192.168.1.1 dev 机房A

  ip route add 10.30.1.0/24 dev 机房A

  #tunnel for 机房B

  ip tunnel add 机房B mode gre remote 221.224.2.1 local 221.224.0.1 ttl 255

  ip link set 机房B up

  ip addr add 192.168.1.1 dev 机房B

  ip route add 172.16.1.0/24 dev 机房B

  2、机房A网关配置:

  ip tunnel add 机房A mode gre remote 221.224.0.1 local 221.224.1.1 ttl 255

  ip link set 机房A up

  ip addr add 10.30.1.1 dev 机房A

  ip route add 192.168.1.0/24 dev 机房A

  3、机房B网关配置:

  ip tunnel add 机房B mode gre remote 221.224.0.1 local 221.224.2.1 ttl 255

  ip link set 机房B up

  ip addr add 172.16.1.1 dev 机房B

  ip route add 192.168.1.0/24 dev 机房B

  ##############################################################################

  Cisco router Linux GRE连接

  本文说明cisco router和Linux 系统做GRE连接。Cisco 为1721。Linux为Centos.

  拓扑如下

  router 和 Linux GRE连接" src="http://s6.sinaimg.cn/middle/68f770d9g93a5abde8e85&690" width=690 height=212>

  Liunx 系统

  1、检查是否加载ip_gre模块

  lsmod|grep ip_gre

  如没有,请加载ip_gre

  insmod /lib/modules/2.6.18-194.3.1.el5/kernel/net/ipv4/ip_gre.ko

  2.新增tunnel, 命名为tunnel0

  [root@localhost ~]# ip tunnel add tunnel0 mode gre remote 192.168.1.1 local 172.16.1.254 ttl 255

  3.激活新增tunnel0,

  [root@localhost ~]# ip link set tunnel0 up mtu 1500

  4.添加tunnel0 IP.

  [root@localhost ~]# ip addr add 10.100.2.2/30 peer 10.100.2.1/30 dev tunnel0

  5.添加从tunnel0 走的路由

  [root@localhost ~]# ip route add 10.10.34.0/24 dev tunnel0

  6.验证

  [root@localhost ~]# ip addr show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  inet 127.0.0.1/8 scope host lo

  inet 10.0.0.254/32 scope global lo

  inet6 ::1/128 scope host

  valid_lft forever preferred_lft forever

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

  inet6 fe80::2d0:b7ff:fe2e:8f21/64 scope link

  valid_lft forever preferred_lft forever

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  inet 172.16.1.254/24 brd 172.16.1.255 scope global eth0

  inet6 fe80::217:31ff:fe09:6eec/64 scope link

  valid_lft forever preferred_lft forever

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

  inet6 fe80::200:ff:fe00:0/64 scope link

  valid_lft forever preferred_lft forever

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  inet 10.100.2.2 peer 10.100.2.1/30 scope global tunnel0

  [root@localhost ~]# ip link show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  [root@localhost ~]# ip link show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  [root@localhost ~]# ip tunnel show

  sit0: ipv6/ip remote any local any ttl 64 nopmtudisc

  tunl0: ip/ip remote any local any ttl inherit nopmtudisc

  gre0: gre/ip remote any local any ttl inherit nopmtudisc

  tunnel0: gre/ip remote 192.168.1.1 local 172.16.1.254 ttl 255

  [root@localhost ~]# ip route show

  10.10.34.0/24 dev tunnel0 scope link

  192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1

  172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.254

  192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

  [root@localhost ~]# ping 10.10.34.1

  PING 10.10.34.1 (10.10.34.1) 56(84) bytes of data.

  64 bytes from 10.10.34.1: icmp_seq=1 ttl=255 time=6.31 ms

  64 bytes from 10.10.34.1: icmp_seq=2 ttl=255 time=2.47 ms

  64 bytes from 10.10.34.1: icmp_seq=3 ttl=255 time=12.4 ms

  64 bytes from 10.10.34.1: icmp_seq=4 ttl=255 time=11.6 ms

  64 bytes from 10.10.34.1: icmp_seq=5 ttl=255 time=12.5 ms

  --- 10.10.34.1 ping statistics ---

  5 packets transmitted, 5 received, 0% packet loss, time 4002ms

  rtt min/avg/max/mdev = 2.477/9.102/12.578/4.045 ms

  

  Cisco

  Router-11#sh run int tunnel 1

  Building configuration...

  Current configuration : 148 bytes

  !

  interface Tunnel1

  ip address 10.100.2.1 255.255.255.252

  ip tcp adjust-mss 1400

  tunnel source 192.168.1.1

  tunnel destination 172.16.1.254

  end

  ip route 192.168.0.0 255.255.255.0 Tunnel1

  Router-11# traceroute 192.168.0.2

  Type escape sequence to abort.

  Tracing the route to ip-2-0-168-192.xxxx.com (192.168.0.2)

  1 10.100.2.2 [AS 65100] 0 msec

  ns1.xxxx.com (172.16.1.254) [AS 65100] 0 msec *

  可能会遇到MTU问题。需要调整MTUMSS参数

gre tunnel的更多相关文章

  1. [转]深入理解 GRE tunnel

    我以前写过一篇介绍 tunnel 的文章,只是做了大体的介绍.里面多数 tunnel 是很容易理解的,因为它们多是一对一的,换句话说,是直接从一端到另一端.比如 IPv6 over IPv4 的 tu ...

  2. GRE tunnel 2

    1.GRE简介 通用路由封装协议GRE(Generic Routing Encapsulation)可以对某些网络层协议(如IPX.ATM.IPv6.AppleTalk等)的数据报文进行封装,使这些被 ...

  3. gre tunnel搭建

    应用场景: 客户端(client)与服务器A在同一个运营商网络,应用部署在服务器B,服务器A .B之间建立tunnel,A设置dnat,client通过访问A的8000端口来访问服务器B,B返回的响应 ...

  4. 深入理解 GRE tunnel

    深入理解 GRE tunnel 时间 2012-11-08 19:05:22  A Geek's Page 原文  http://wangcong.org/blog/archives/2149 主题  ...

  5. Centos7 GRE Tunnel

    一.关闭防火墙及selinux 二.CentOS7默认不加载gre内核模块,加载gre内核模块 # modprobe ip_gre   临时加载gre模块(重启后失效) # lsmod |grep g ...

  6. Neutron 理解 (3): Open vSwitch + GRE/VxLAN 组网 [Netruon Open vSwitch + GRE/VxLAN Virutal Network]

    学习 Neutron 系列文章: (1)Neutron 所实现的虚拟化网络 (2)Neutron OpenvSwitch + VLAN 虚拟网络 (3)Neutron OpenvSwitch + GR ...

  7. GRE与Vxlan网络详解

    1. GRE 1.1 概念 GRE全称是Generic Routing Encapsulation,是一种协议封装的格式,具体格式内容见:https://tools.ietf.org/html/rfc ...

  8. 探索 OpenStack 之(8):Neutron 深入探索之 OVS + GRE 之 完整网络流程 篇

    前两篇博文分别研究了Compute节点和Neutron节点内部的网络架构.本文通过一些典型流程案例来分析具体网络流程过程. 0. 环境 同 学习OpenStack之(7):Neutron 深入学习之 ...

  9. openstack网络(neutron)模式之GRE的基本原理

    neutron网络目的是为OpenStack云更灵活的划分网络,在多租户的环境下提供给每个租户独立的网络环境. neutron混合实施了第二层的VLAN和第三层的路由服务,它可为支持的网络提供防火墙, ...

随机推荐

  1. html .css 实现图片滑动和自动播放特效移动端 HTML 5中添加了以touch 开头的事件

    <!DOCTYPE HTML> <html> <head> <meta charset="utf-8">     <meta ...

  2. 彻底解决tap“点透”,提升移动端点击响应速度

    申明!!!最后发现判断有误,各位读读就好,正在研究中.....尼玛水太深了 前言 近期使用tap事件为老夫带来了这样那样的问题,其中一个问题是解决了点透还需要将原来一个个click变为tap,这样的话 ...

  3. bullet_01

    #include <btBulletDynamicsCommon.h> #include <osgViewer/Viewer> #include <map> #in ...

  4. java基础(1)

    class test { static { a=3; //System.out.println(a); } static int a = 1; String b = "ff"; p ...

  5. 如何将编译出来的images拷贝到windows下面刷机

    由于SPRD的刷机工具ResearchDownload运行在window环境下:这样,我们平时在开发环境下编译出来的镜像文件就不能直接用于刷机了. 这里涉及到一个双系统中文件共享的方法.由于企业信息安 ...

  6. visible绑定(The "visible" binding)

    对visible进行绑定可以控制元素的显示和隐藏. 示例: <div data-bind="visible: shouldShowMessage"> You will ...

  7. 神经网络工具箱nntool的使用方法

    关于如何使用nntool神经网络工具箱进行“数据训练”的方法: 1. 在命令窗口键入nntool命令打开神经网络工具箱: 2. 点击Import按钮两次,分别把输入向量和目标输出加入到对应的窗口([I ...

  8. docker私服

    1.下载私服镜像docker pull registry 2.启动容器docker run -d -p 5000:5000 -v /opt/data/registry:/var/lib/registr ...

  9. JPA 系列教程13-复合主键-@EmbeddedId+@Embeddable

    复合主键 指多个主键联合形成一个主键组合 需求产生 比如航线一般是由出发地及目的地确定,如果要确定唯一的航线就可以用出发地和目的地一起来表示 ddl语句 同复合主键-2个@Id和复合主键-2个@Id+ ...

  10. for计算100以内的偶数和

    #include "stdio.h" void main() { ,sum=; ;d++) { ==) { sum=sum+d; } }printf("100以内所有偶数 ...