http://searchenterprisewan.techtarget.com/tip/GRE-tunnel-vs-IPsec-tunnel-What-is-the-difference

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

 
 Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is...

used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

 

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: To secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.

In summary, use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But, use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.

http://www.heiqu.com/show-75082-1.html

http://user.qzone.qq.com/879205487/blog/1306227884

Linux Ip/gre tunnel互通隧道配置

3小时前

  说明:通过ip/gre tunnel能够通过多个tunnel网关将公司内网和机房互通

  例如:

  一、公司:

  UPIP:221.224.0.1

  网关:192.168.1.1/24

  network 公司

  二、机房A:

  UPIP:221.224.1.1

  network 机房A

  网关:10.30.1.1/24

  三、机房B:

  UPIP:221.224.2.1

  网关:172.16.1.1/24

  1、公司网关配置:

  modprobe ipip

  modprobe ip_gre

  #tunnel for 机房A

  ip tunnel add 机房A mode gre remote 221.224.1.1 local 221.224.0.1 ttl 255

  ip link set 机房A up

  ip addr add 192.168.1.1 dev 机房A

  ip route add 10.30.1.0/24 dev 机房A

  #tunnel for 机房B

  ip tunnel add 机房B mode gre remote 221.224.2.1 local 221.224.0.1 ttl 255

  ip link set 机房B up

  ip addr add 192.168.1.1 dev 机房B

  ip route add 172.16.1.0/24 dev 机房B

  2、机房A网关配置:

  ip tunnel add 机房A mode gre remote 221.224.0.1 local 221.224.1.1 ttl 255

  ip link set 机房A up

  ip addr add 10.30.1.1 dev 机房A

  ip route add 192.168.1.0/24 dev 机房A

  3、机房B网关配置:

  ip tunnel add 机房B mode gre remote 221.224.0.1 local 221.224.2.1 ttl 255

  ip link set 机房B up

  ip addr add 172.16.1.1 dev 机房B

  ip route add 192.168.1.0/24 dev 机房B

  ##############################################################################

  Cisco router Linux GRE连接

  本文说明cisco router和Linux 系统做GRE连接。Cisco 为1721。Linux为Centos.

  拓扑如下

  router 和 Linux GRE连接" src="http://s6.sinaimg.cn/middle/68f770d9g93a5abde8e85&690" width=690 height=212>

  Liunx 系统

  1、检查是否加载ip_gre模块

  lsmod|grep ip_gre

  如没有,请加载ip_gre

  insmod /lib/modules/2.6.18-194.3.1.el5/kernel/net/ipv4/ip_gre.ko

  2.新增tunnel, 命名为tunnel0

  [root@localhost ~]# ip tunnel add tunnel0 mode gre remote 192.168.1.1 local 172.16.1.254 ttl 255

  3.激活新增tunnel0,

  [root@localhost ~]# ip link set tunnel0 up mtu 1500

  4.添加tunnel0 IP.

  [root@localhost ~]# ip addr add 10.100.2.2/30 peer 10.100.2.1/30 dev tunnel0

  5.添加从tunnel0 走的路由

  [root@localhost ~]# ip route add 10.10.34.0/24 dev tunnel0

  6.验证

  [root@localhost ~]# ip addr show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  inet 127.0.0.1/8 scope host lo

  inet 10.0.0.254/32 scope global lo

  inet6 ::1/128 scope host

  valid_lft forever preferred_lft forever

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

  inet6 fe80::2d0:b7ff:fe2e:8f21/64 scope link

  valid_lft forever preferred_lft forever

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  inet 172.16.1.254/24 brd 172.16.1.255 scope global eth0

  inet6 fe80::217:31ff:fe09:6eec/64 scope link

  valid_lft forever preferred_lft forever

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

  inet6 fe80::200:ff:fe00:0/64 scope link

  valid_lft forever preferred_lft forever

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  inet 10.100.2.2 peer 10.100.2.1/30 scope global tunnel0

  [root@localhost ~]# ip link show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  [root@localhost ~]# ip link show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  [root@localhost ~]# ip tunnel show

  sit0: ipv6/ip remote any local any ttl 64 nopmtudisc

  tunl0: ip/ip remote any local any ttl inherit nopmtudisc

  gre0: gre/ip remote any local any ttl inherit nopmtudisc

  tunnel0: gre/ip remote 192.168.1.1 local 172.16.1.254 ttl 255

  [root@localhost ~]# ip route show

  10.10.34.0/24 dev tunnel0 scope link

  192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1

  172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.254

  192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

  [root@localhost ~]# ping 10.10.34.1

  PING 10.10.34.1 (10.10.34.1) 56(84) bytes of data.

  64 bytes from 10.10.34.1: icmp_seq=1 ttl=255 time=6.31 ms

  64 bytes from 10.10.34.1: icmp_seq=2 ttl=255 time=2.47 ms

  64 bytes from 10.10.34.1: icmp_seq=3 ttl=255 time=12.4 ms

  64 bytes from 10.10.34.1: icmp_seq=4 ttl=255 time=11.6 ms

  64 bytes from 10.10.34.1: icmp_seq=5 ttl=255 time=12.5 ms

  --- 10.10.34.1 ping statistics ---

  5 packets transmitted, 5 received, 0% packet loss, time 4002ms

  rtt min/avg/max/mdev = 2.477/9.102/12.578/4.045 ms

  

  Cisco

  Router-11#sh run int tunnel 1

  Building configuration...

  Current configuration : 148 bytes

  !

  interface Tunnel1

  ip address 10.100.2.1 255.255.255.252

  ip tcp adjust-mss 1400

  tunnel source 192.168.1.1

  tunnel destination 172.16.1.254

  end

  ip route 192.168.0.0 255.255.255.0 Tunnel1

  Router-11# traceroute 192.168.0.2

  Type escape sequence to abort.

  Tracing the route to ip-2-0-168-192.xxxx.com (192.168.0.2)

  1 10.100.2.2 [AS 65100] 0 msec

  ns1.xxxx.com (172.16.1.254) [AS 65100] 0 msec *

  可能会遇到MTU问题。需要调整MTUMSS参数

gre tunnel的更多相关文章

  1. [转]深入理解 GRE tunnel

    我以前写过一篇介绍 tunnel 的文章,只是做了大体的介绍.里面多数 tunnel 是很容易理解的,因为它们多是一对一的,换句话说,是直接从一端到另一端.比如 IPv6 over IPv4 的 tu ...

  2. GRE tunnel 2

    1.GRE简介 通用路由封装协议GRE(Generic Routing Encapsulation)可以对某些网络层协议(如IPX.ATM.IPv6.AppleTalk等)的数据报文进行封装,使这些被 ...

  3. gre tunnel搭建

    应用场景: 客户端(client)与服务器A在同一个运营商网络,应用部署在服务器B,服务器A .B之间建立tunnel,A设置dnat,client通过访问A的8000端口来访问服务器B,B返回的响应 ...

  4. 深入理解 GRE tunnel

    深入理解 GRE tunnel 时间 2012-11-08 19:05:22  A Geek's Page 原文  http://wangcong.org/blog/archives/2149 主题  ...

  5. Centos7 GRE Tunnel

    一.关闭防火墙及selinux 二.CentOS7默认不加载gre内核模块,加载gre内核模块 # modprobe ip_gre   临时加载gre模块(重启后失效) # lsmod |grep g ...

  6. Neutron 理解 (3): Open vSwitch + GRE/VxLAN 组网 [Netruon Open vSwitch + GRE/VxLAN Virutal Network]

    学习 Neutron 系列文章: (1)Neutron 所实现的虚拟化网络 (2)Neutron OpenvSwitch + VLAN 虚拟网络 (3)Neutron OpenvSwitch + GR ...

  7. GRE与Vxlan网络详解

    1. GRE 1.1 概念 GRE全称是Generic Routing Encapsulation,是一种协议封装的格式,具体格式内容见:https://tools.ietf.org/html/rfc ...

  8. 探索 OpenStack 之(8):Neutron 深入探索之 OVS + GRE 之 完整网络流程 篇

    前两篇博文分别研究了Compute节点和Neutron节点内部的网络架构.本文通过一些典型流程案例来分析具体网络流程过程. 0. 环境 同 学习OpenStack之(7):Neutron 深入学习之 ...

  9. openstack网络(neutron)模式之GRE的基本原理

    neutron网络目的是为OpenStack云更灵活的划分网络,在多租户的环境下提供给每个租户独立的网络环境. neutron混合实施了第二层的VLAN和第三层的路由服务,它可为支持的网络提供防火墙, ...

随机推荐

  1. 《Windows编程循序渐进》——基本控件

    按钮控件的介绍 界面设计如下:

  2. java--方法重写与重载

    方法重写 /*方法重写(一般多用在继承上) 定义:它是指子类和父类的关系,子类重写了父类的方法. 两个方法返回值.方法名.参数列表必须完全一致! 出现原因:在Java中,子类可继承父类中的方法,而不需 ...

  3. java-成员方法/变量、类方法/变量等区别

    方法 成员方法 成员方法也叫实例方法.必须先有实例即对象,然后才能通过实例调用该实例方法. 类方法 和类变量一样,有关键字static修饰,可以不用实例,直接用类就可以调用类方法. 变量 成员变量 也 ...

  4. struts2防止重复提交的标签

    struts2 token 使用说明 --------------------------------------------------------------------------------- ...

  5. 认识<meta>

    概要:在查看网页源码的时候,经常发现有<meta>标签存在,于是查了一下它的作用,发现有很多功能.下面就简单的阐述一些常见的功能. 一[什么是<meta>标签] meta,即m ...

  6. java default使用

    我们都知道在Java语言的接口中只能定义方法名,而不能包含方法的具体实现代码.接口中定义的方法必须在接口的非抽象子类中实现.下面就是关于接口的一个例子: public interface Simple ...

  7. Chapter 15_3 使用环境

    创建模块的基本方法的缺点在于,忘记使用local,很容易就污染全局空间. “函数环境”是一种有趣的技术,它能够解决上面的问题.就是让模块的主程序块独占一个环境. 这样不仅它的所有函数可以共享这个tab ...

  8. LeadTools答题卡识别方案

    /// <summary> /// 批改操作 /// </summary> public AnswerCard DoCorrect(Stream AnserCardFile) ...

  9. 屏幕录像专家2014 v0318 免费版

    软件名称: 屏幕录像专家2014软件语言: 简体中文授权方式: 免费试用运行环境: Win8 / Win7 / Vista / WinXP软件大小: 7.9MB图片预览: 软件简介:屏幕录像专家201 ...

  10. matlab mse函数

    mse是检验神经网络算法的误差分析; mse是平均平方误差性能函数,是网络性能函数.平方误差就是指误差的平方.