http://searchenterprisewan.techtarget.com/tip/GRE-tunnel-vs-IPsec-tunnel-What-is-the-difference

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

 
 Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is...

used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

 

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: To secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.

In summary, use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But, use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.

http://www.heiqu.com/show-75082-1.html

http://user.qzone.qq.com/879205487/blog/1306227884

Linux Ip/gre tunnel互通隧道配置

3小时前

  说明:通过ip/gre tunnel能够通过多个tunnel网关将公司内网和机房互通

  例如:

  一、公司:

  UPIP:221.224.0.1

  网关:192.168.1.1/24

  network 公司

  二、机房A:

  UPIP:221.224.1.1

  network 机房A

  网关:10.30.1.1/24

  三、机房B:

  UPIP:221.224.2.1

  网关:172.16.1.1/24

  1、公司网关配置:

  modprobe ipip

  modprobe ip_gre

  #tunnel for 机房A

  ip tunnel add 机房A mode gre remote 221.224.1.1 local 221.224.0.1 ttl 255

  ip link set 机房A up

  ip addr add 192.168.1.1 dev 机房A

  ip route add 10.30.1.0/24 dev 机房A

  #tunnel for 机房B

  ip tunnel add 机房B mode gre remote 221.224.2.1 local 221.224.0.1 ttl 255

  ip link set 机房B up

  ip addr add 192.168.1.1 dev 机房B

  ip route add 172.16.1.0/24 dev 机房B

  2、机房A网关配置:

  ip tunnel add 机房A mode gre remote 221.224.0.1 local 221.224.1.1 ttl 255

  ip link set 机房A up

  ip addr add 10.30.1.1 dev 机房A

  ip route add 192.168.1.0/24 dev 机房A

  3、机房B网关配置:

  ip tunnel add 机房B mode gre remote 221.224.0.1 local 221.224.2.1 ttl 255

  ip link set 机房B up

  ip addr add 172.16.1.1 dev 机房B

  ip route add 192.168.1.0/24 dev 机房B

  ##############################################################################

  Cisco router Linux GRE连接

  本文说明cisco router和Linux 系统做GRE连接。Cisco 为1721。Linux为Centos.

  拓扑如下

  router 和 Linux GRE连接" src="http://s6.sinaimg.cn/middle/68f770d9g93a5abde8e85&690" width=690 height=212>

  Liunx 系统

  1、检查是否加载ip_gre模块

  lsmod|grep ip_gre

  如没有,请加载ip_gre

  insmod /lib/modules/2.6.18-194.3.1.el5/kernel/net/ipv4/ip_gre.ko

  2.新增tunnel, 命名为tunnel0

  [root@localhost ~]# ip tunnel add tunnel0 mode gre remote 192.168.1.1 local 172.16.1.254 ttl 255

  3.激活新增tunnel0,

  [root@localhost ~]# ip link set tunnel0 up mtu 1500

  4.添加tunnel0 IP.

  [root@localhost ~]# ip addr add 10.100.2.2/30 peer 10.100.2.1/30 dev tunnel0

  5.添加从tunnel0 走的路由

  [root@localhost ~]# ip route add 10.10.34.0/24 dev tunnel0

  6.验证

  [root@localhost ~]# ip addr show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  inet 127.0.0.1/8 scope host lo

  inet 10.0.0.254/32 scope global lo

  inet6 ::1/128 scope host

  valid_lft forever preferred_lft forever

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  inet 192.168.0.1/24 brd 192.168.0.255 scope global eth1

  inet6 fe80::2d0:b7ff:fe2e:8f21/64 scope link

  valid_lft forever preferred_lft forever

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  inet 172.16.1.254/24 brd 172.16.1.255 scope global eth0

  inet6 fe80::217:31ff:fe09:6eec/64 scope link

  valid_lft forever preferred_lft forever

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0

  inet6 fe80::200:ff:fe00:0/64 scope link

  valid_lft forever preferred_lft forever

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  inet 10.100.2.2 peer 10.100.2.1/30 scope global tunnel0

  [root@localhost ~]# ip link show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  [root@localhost ~]# ip link show

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue

  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00

  2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:d0:b7:2e:8f:21 brd ff:ff:ff:ff:ff:ff

  3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000

  link/ether 00:17:31:09:6e:ec brd ff:ff:ff:ff:ff:ff

  4: sit0: <NOARP> mtu 1480 qdisc noop

  link/sit 0.0.0.0 brd 0.0.0.0

  5: virbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff

  6: tunl0: <NOARP> mtu 1480 qdisc noop

  link/ipip 0.0.0.0 brd 0.0.0.0

  7: gre0: <NOARP> mtu 1476 qdisc noop

  link/gre 0.0.0.0 brd 0.0.0.0

  8: tunnel0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 qdisc noqueue

  link/gre 172.16.1.254 peer 192.168.1.1

  [root@localhost ~]# ip tunnel show

  sit0: ipv6/ip remote any local any ttl 64 nopmtudisc

  tunl0: ip/ip remote any local any ttl inherit nopmtudisc

  gre0: gre/ip remote any local any ttl inherit nopmtudisc

  tunnel0: gre/ip remote 192.168.1.1 local 172.16.1.254 ttl 255

  [root@localhost ~]# ip route show

  10.10.34.0/24 dev tunnel0 scope link

  192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.1

  172.16.1.0/24 dev eth0 proto kernel scope link src 172.16.1.254

  192.168.122.0/24 dev virbr0 proto kernel scope link src 192.168.122.1

  [root@localhost ~]# ping 10.10.34.1

  PING 10.10.34.1 (10.10.34.1) 56(84) bytes of data.

  64 bytes from 10.10.34.1: icmp_seq=1 ttl=255 time=6.31 ms

  64 bytes from 10.10.34.1: icmp_seq=2 ttl=255 time=2.47 ms

  64 bytes from 10.10.34.1: icmp_seq=3 ttl=255 time=12.4 ms

  64 bytes from 10.10.34.1: icmp_seq=4 ttl=255 time=11.6 ms

  64 bytes from 10.10.34.1: icmp_seq=5 ttl=255 time=12.5 ms

  --- 10.10.34.1 ping statistics ---

  5 packets transmitted, 5 received, 0% packet loss, time 4002ms

  rtt min/avg/max/mdev = 2.477/9.102/12.578/4.045 ms

  

  Cisco

  Router-11#sh run int tunnel 1

  Building configuration...

  Current configuration : 148 bytes

  !

  interface Tunnel1

  ip address 10.100.2.1 255.255.255.252

  ip tcp adjust-mss 1400

  tunnel source 192.168.1.1

  tunnel destination 172.16.1.254

  end

  ip route 192.168.0.0 255.255.255.0 Tunnel1

  Router-11# traceroute 192.168.0.2

  Type escape sequence to abort.

  Tracing the route to ip-2-0-168-192.xxxx.com (192.168.0.2)

  1 10.100.2.2 [AS 65100] 0 msec

  ns1.xxxx.com (172.16.1.254) [AS 65100] 0 msec *

  可能会遇到MTU问题。需要调整MTUMSS参数

gre tunnel的更多相关文章

  1. [转]深入理解 GRE tunnel

    我以前写过一篇介绍 tunnel 的文章,只是做了大体的介绍.里面多数 tunnel 是很容易理解的,因为它们多是一对一的,换句话说,是直接从一端到另一端.比如 IPv6 over IPv4 的 tu ...

  2. GRE tunnel 2

    1.GRE简介 通用路由封装协议GRE(Generic Routing Encapsulation)可以对某些网络层协议(如IPX.ATM.IPv6.AppleTalk等)的数据报文进行封装,使这些被 ...

  3. gre tunnel搭建

    应用场景: 客户端(client)与服务器A在同一个运营商网络,应用部署在服务器B,服务器A .B之间建立tunnel,A设置dnat,client通过访问A的8000端口来访问服务器B,B返回的响应 ...

  4. 深入理解 GRE tunnel

    深入理解 GRE tunnel 时间 2012-11-08 19:05:22  A Geek's Page 原文  http://wangcong.org/blog/archives/2149 主题  ...

  5. Centos7 GRE Tunnel

    一.关闭防火墙及selinux 二.CentOS7默认不加载gre内核模块,加载gre内核模块 # modprobe ip_gre   临时加载gre模块(重启后失效) # lsmod |grep g ...

  6. Neutron 理解 (3): Open vSwitch + GRE/VxLAN 组网 [Netruon Open vSwitch + GRE/VxLAN Virutal Network]

    学习 Neutron 系列文章: (1)Neutron 所实现的虚拟化网络 (2)Neutron OpenvSwitch + VLAN 虚拟网络 (3)Neutron OpenvSwitch + GR ...

  7. GRE与Vxlan网络详解

    1. GRE 1.1 概念 GRE全称是Generic Routing Encapsulation,是一种协议封装的格式,具体格式内容见:https://tools.ietf.org/html/rfc ...

  8. 探索 OpenStack 之(8):Neutron 深入探索之 OVS + GRE 之 完整网络流程 篇

    前两篇博文分别研究了Compute节点和Neutron节点内部的网络架构.本文通过一些典型流程案例来分析具体网络流程过程. 0. 环境 同 学习OpenStack之(7):Neutron 深入学习之 ...

  9. openstack网络(neutron)模式之GRE的基本原理

    neutron网络目的是为OpenStack云更灵活的划分网络,在多租户的环境下提供给每个租户独立的网络环境. neutron混合实施了第二层的VLAN和第三层的路由服务,它可为支持的网络提供防火墙, ...

随机推荐

  1. ubuntu显卡驱动安装及设置

    转自: Ubuntu 14.04 Nvidia显卡驱动安装及设置   更换主板修复grub 引导后,无法从Nvidia进入系统(光标闪烁), 可能是显卡驱动出了问题. 1. 进入BIOS设置, 从集成 ...

  2. bootstrap复习:全局样式

    一.概览 1.Bootstrap 是移动设备优先的. 2.在移动设备浏览器上,通过为视口(viewport)设置 meta 属性为 user-scalable=no 可以禁用其缩放(zooming)功 ...

  3. Ubuntu 14.04 apt源更新

    # 14.04 下进 my /etc/apt/sources.list /etc/apt/sources.bak vi /etc/apt/sources.list 从以下源中选择一个 源列表 Trus ...

  4. BZOJ3963: [WF2011]MachineWorks

    题目链接:http://www.lydsy.com/JudgeOnline/problem.php?id=3963 CDQ分治加凸包.具体看这篇题解:http://www.acmerblog.com/ ...

  5. 网页SEO内容

    关于网页根目录下的robots.txt文件的部分疑问 robots.txt书写语法:第一条:User-agent,后接搜索引擎的蜘蛛名称第二条:Disallow,填写要拦截的部分经典语法:User-a ...

  6. Objetive-C +load方法研究

    load方法的执行时机           Objetive-C 的runtime会在一个类的所有方法加载到内存中时调用这个类的+load() 方法,因为每个类的方法只是加载一次,所以每个+load( ...

  7. C# 语言规范_版本5.0 (第3章 基本概念)

    1. 基本概念 1.1 应用程序启动 具有入口点 (entry point) 的程序集称为应用程序 (application).应用程序运行时,将创建新的应用程序域 (application doma ...

  8. 2016-02-03 JS正则表达式

    var reg = new RegExp("^(([1-9]{1,2})|100)$"); var strRate = $('#GOODS_SPEC_DEPOSIT_RATE'). ...

  9. C++对象模型笔记之程序设计模型

    C++程序设计模型支持三种程序设计模型 1.程序模型(procedural model) 可以理解为过程化模型,就像C一样 2.抽象数据类型模型(ADT) 数据结构教材里有说过,查了下资料也不是很明确 ...

  10. 27.编写一个Animal类,具有属性:种类;具有功能:吃、睡。定义其子类Fish 和Dog,定义主类E,在其main方法中分别创建其对象并测试对象的特性。

    ///Animal类 package d922A; public class Animal { private String kind; public String getKind() { Syste ...