<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"
  "/usr/share/sgml/docbook/xml-dtd-4.1.2/docbookx.dtd" [
<!ENTITY bibliography SYSTEM "iproute2tunnel-bib.xml">
<!ENTITY ngnetscript SYSTEM "iproute2tunnel-script.xml">
]>
<article lang="en">
<articleinfo>
<title>Configuring tunnels with iproute2</title>
<author>
<firstname>Simone</firstname>
<surname>Piunno</surname>
<affiliation>
<orgname>Deep Space 6</orgname>
<address><email>simone@deepspace6.net</email></address>
</affiliation>
</author>
</articleinfo>
<sect1>
<title>iproute2</title>
<para>
<command>iproute2</command> is a package for advanced network
management under Linux. In practice, it is composed of a
bunch of small utilities that dynamically configure the kernel
by means of <interface>rtnetlink sockets</interface>, a modern and
powerful interface for the configuration of the networking stack
implemented by <author><firstname>Alexey</firstname>
<surname>Kuznetsov</surname></author> starting from the
2.2 kernel series.
</para>
<para>
The most interesting feature of <command>iproute2</command> is
that it replaces with a single integrated and organic command all the
functionality we were used to finding in <command>ifconfig</command>,
<command>arp</command>, <command>route</command> and
<command>iptunnel</command> (and it even adds some more!).
</para>
<para>
Nowadays <command>iproute2</command> is installed by default on most
major distributions, even if their initialization scripts are still built
on commands from the old <command>net-tools</command> package (e.g.
<command>ifconfig</command> or <command>iptunnel</command>; the latter
is actually deprecated). If your distribution doesn't include this
important package, you can always download it from
<xref linkend="ftpsite"/> and compile it yourself.
</para>
<para>
At the time of this writing, the worst defect of
<command>iproute2</command> is a relative lack of documentation,
partially compensated by the fact that the syntax of the
<command>ip</command> command is very easy and close to the English
language. We believe that people used to <command>ifconfig</command> and
<command>route</command> shouldn't encounter any problem using
<command>ip</command> and that they will feel at home in a matter of
hours. In this document we will assume that the reader already has a
good knowledge of basic networking concepts and has used
<command>ifconfig</command> and <command>route</command> in the past.
</para>
</sect1>
<sect1>
<title>Introduction to tunnels</title>
<para>
Let's imagine two Internet nodes wanting to exchange traffic over a
protocol different from IPv4, or directed to a private LAN using
non-globally-valid IP addresses. This problem is typically solved using a
virtual point-to-point connection between the two nodes, and we call this
configuration a <emphasis>tunnel</emphasis>.
</para>
<para>
You can think of every packet traveling over the network as an
envelope with a few bits inside and the sender's and receiver's addresses
written on it. Tunnels simply hide this envelope inside an additional
one, with a different sender and receiver, effectively diverting the packet's
trip. When the packet arrives at the external receiver (the one written on the
external envelope), the external envelope is removed and thrown away, so that
the packet can continue its travel to the real destination.
</para>
<para>
The two nodes putting on and removing the additional envelope are called
<emphasis>endpoints</emphasis> and need to have a known IPv4 address.
This is why tunnels generally don't work when traversing network
address translation (NAT). Moreover, if the tunnel is built through a
firewall, the latter must be configured ad hoc to permit this kind of
traffic.
</para>
<para>
A typical tunnel usage is connecting two IPv6 nodes through an IPv4-only
network. The two nodes can build an IPv6-in-IPv4 tunnel, pretending to
have a real direct point-to-point IPv6 connection, and this way they can
link together two IPv6 islands (the 6bone works this way, as a web of tunnels).
Tunnels for IPv6-over-IPv4 transport come in two different flavors:
automatic <xref linkend="RFC2373"/> and manually
configured. In this document we will talk only about the latter type.
</para>
</sect1>
<sect1>
<title>Creating tunnels</title>
<para>
Creating tunnels with <command>iproute2</command> is very easy. First of
all you need a name for your tunnel. If you choose to name it
<interface>foo</interface> then you can create the tunnel with the
command:
</para>
<programlisting>ip tunnel add foo mode sit remote 192.168.1.42</programlisting>
<para>
This way, you created a sit (IPv6-in-IPv4) tunnel with a remote endpoint
at the IP address 192.168.1.42. Notice that we have not specified which
IP address to use for the local side of the tunnel, which interface, and so on.
The result can be viewed with the command <command>ip tunnel show</command>:
</para>
<programlisting><![CDATA[
# ip tunnel show
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
foo: ipv6/ip remote 192.168.1.42 local any ttl inherit
]]></programlisting>
<para>
Our tunnel is the one in the second row. Now we can also ask for a list
of all available interfaces, regardless of whether they are real network
adapters or software simulations:
</para>
<programlisting><![CDATA[
# ip link show
1: lo: <loopback,up> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <broadcast,multicast,up> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
4: sit0@none: <noarp> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
6: foo@none: <pointopoint,noarp> mtu 1480 qdisc noop
    link/sit 0.0.0.0 peer 192.168.1.42
]]></programlisting>
<para>
The fact that should get your attention is that while
<interface>lo</interface> and <interface>eth0</interface> are marked as
being <option>up</option>, our tunnel is not. To double check, the good
old <command>ifconfig</command> says only:
</para>
<programlisting><![CDATA[
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:48:54:1b:25:30
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:528 (528.0 b)
          Interrupt:9 Base address:0x5000

lo        Link Encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 scope:host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:35402 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35402 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3433996 (3.2 mb)  TX bytes:3433996 (3.2 mb)
]]></programlisting>

<para>
So we must remember that the <command>ip link</command> command shows all
available interfaces, regardless of whether they are activated or not. To
activate <interface>foo</interface>, we use the command:
</para>
<programlisting>ip link set foo up</programlisting>
<para>
and to deactivate it:
</para>
<programlisting>ip link set foo down</programlisting>
<para>
To completely discard our tunnel we use:
</para>
<programlisting>ip tunnel del foo</programlisting>
</sect1>
<sect1>
<title>Special tunnels</title>
<para>
In the previous section, we've seen how to build an IPv6-in-IPv4 tunnel;
now we'll examine a few different situations.
</para>
<sect2>
<title>GRE tunnels</title>
<para>
If you don't need IPv6 but, for example, you want to carry normal
IPv4 traffic through a non-cooperating transit network, then you'd
better use <parameter>mode gre</parameter> instead of
<parameter>mode sit</parameter>.
For example:
</para>
<programlisting><![CDATA[
# ip tunnel add foo4 mode gre remote 192.168.1.42
# ip tunnel show
gre0: gre/ip remote any local any ttl inherit nopmtudisc
foo4: gre/ip remote 192.168.1.42 local any ttl inherit
# ip link show
1: lo: <loopback,up> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <broadcast,multicast,up> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
7: gre0@none: <noarp> mtu 1476 qdisc noop
    link/gre 0.0.0.0 brd 0.0.0.0
9: foo4@none: <pointopoint,noarp> mtu 1476 qdisc noop
    link/gre 0.0.0.0 peer 192.168.1.42
]]></programlisting>
<para>
GRE <xref linkend="GRE"/> is a particular tunnelling protocol
supported by Cisco routers which is capable of carrying different
protocols over IPv4.
There's another kind of tunnel implemented by Linux:
<option>ipip</option>. The latter is also useful for IPv4-in-IPv4
encapsulation, but it's implemented only by Linux and does only
unicast IP over IP (so you can't transport, for example, IPX or
broadcasts). In general, GRE is better.
</para>
</sect2>
<sect2>
<title>Explicit local endpoint</title>
<para>
Even if the kernel is smart enough to choose for you, it could
be a good idea to explicitly force the local IP address and interface
we're going to use for tunneling. To do that, we can use the
<parameter>local</parameter> and <parameter>dev</parameter> parameters:
</para>
<programlisting><![CDATA[
# ip tunnel add foo mode sit local 192.168.0.1 remote 192.168.1.42 dev eth0
# ip tunnel show
sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
foo: ipv6/ip remote 192.168.1.42 local 192.168.0.1 dev eth0 ttl inherit
# ip link show
1: lo: <loopback,up> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <broadcast,multicast,up> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
4: sit0@none: <noarp> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
11: foo@eth0: <pointopoint,noarp> mtu 1480 qdisc noop
    link/sit 192.168.0.1 peer 192.168.1.42
]]></programlisting>
<para>
Please notice that now the interface is labeled as
<interface>foo@eth0</interface>, to remind us where the tunnel has been
explicitly connected.
</para>
</sect2>
<sect2>
<title>Time-to-live</title>
<para>
When using tunnels, it is easy to create accidental loops in the network.
To limit the problem, it's fundamental to generate packets with a low
TTL value. The initial TTL can be specified with the
<parameter>ttl</parameter> parameter of <command>ip tunnel
add</command>. The default value is inherited from the network
interface the tunnel is associated with. <xref linkend="IANA"/>
suggests using 64 for the TTL.
</para>
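<para>
As an added example (not part of the original article), the following shell function audits the output of <command>ip tunnel show</command>, in the format shown in the listings above, for the two settings this chapter recommends reviewing: a tunnel still at <parameter>ttl inherit</parameter> instead of an explicit low TTL, and a tunnel whose local endpoint is not pinned (<parameter>local any</parameter>). The sample output it reads is constructed here; on a real system pipe <command>ip tunnel show</command> into <function>audit_tunnels</function>.
</para>

```shell
#!/bin/sh
# Added example, not from the original article: audit "ip tunnel show"
# output for tunnels that keep "ttl inherit" (no explicit low TTL to cut
# an accidental loop short) or "local any" (local endpoint not pinned).

# Constructed sample in the same format as the article's listings.
SAMPLE='sit0: ipv6/ip remote any local any ttl 64 nopmtudisc
foo: ipv6/ip remote 192.168.1.42 local any ttl inherit
foo4: gre/ip remote 192.168.1.42 local any ttl inherit
bar: ipv6/ip remote 192.168.1.42 local 192.168.0.1 dev eth0 ttl 64'

# audit_tunnels: reads "ip tunnel show" lines on stdin and prints one
# line per finding as "name: description". The kernel's built-in
# catch-all devices (sit0, gre0, tunl0) are skipped: they are not
# tunnels the administrator created.
audit_tunnels() {
  while IFS= read -r line; do
    if [ -z "$line" ]; then continue; fi
    name=${line%%:*}
    case $name in
      sit0|gre0|tunl0) continue ;;
    esac
    local_ep=any
    ttl=inherit
    # Tokenize "name: proto/ip key value key value ..." and pick the
    # values that follow the "local" and "ttl" keywords.
    set -- $line
    while [ $# -gt 1 ]; do
      case $1 in
        local) local_ep=$2 ;;
        ttl)   ttl=$2 ;;
      esac
      shift
    done
    if [ "$local_ep" = any ]; then
      printf '%s: local endpoint not pinned (local any)\n' "$name"
    fi
    if [ "$ttl" = inherit ]; then
      printf '%s: no explicit ttl (ttl inherit)\n' "$name"
    fi
  done
  return 0
}

# audit_sample: runs the audit over the constructed sample.
audit_sample() {
  printf '%s\n' "$SAMPLE" | audit_tunnels
}

# audit_count: number of findings for the constructed sample
# (grep -c prints 0 and exits 1 when there are none, hence "|| true").
audit_count() {
  audit_sample | grep -c . || true
}

audit_sample
```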
</sect2>
</sect1>
<sect1>
<title>Assigning an IP address to the interface</title>
<para>
Like any other network interface, tunnels can have one or
more addresses assigned to them.
</para>
<sect2>
<title>Main address</title>
<para>
Assigning the main address is straightforward:
</para>
<programlisting><![CDATA[
ip addr add 3ffe:9001:210:3::42/64 dev foo
ip addr add 192.168.0.2/24 dev foo4
ip addr add 10.20.30.40/8 dev eth0
]]></programlisting>
<para>
The number immediately following the slash suggests to the
kernel the network prefix we prefer, which is useful to automatically compute
the broadcast address and netmask on IPv4 LANs (this is called CIDR
notation). However, tunnels are point-to-point interfaces and this
number is therefore ignored.
</para>
<para>
Note: to be able to assign an IP address to an interface, first
you need to activate the interface using:
</para>
<programlisting>ip link set interfacename up</programlisting>
<para>
To remove an address from an interface, you can obviously use
<command>del</command> instead of <command>add</command>:
</para>
<programlisting><![CDATA[
ip addr del 3ffe:9001:210:3::42/64 dev foo
ip addr del 192.168.0.2/24 dev foo4
]]></programlisting>
<para>
We can even ask for a list of all the IP addresses in use on our server:
</para>
<programlisting><![CDATA[
# ip addr show
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet6 fe80::248:54ff:fe1b:2530/10 scope link
4: sit0@NONE: <NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 brd 0.0.0.0
5: foo@NONE: <POINTOPOINT,NOARP> mtu 1480 qdisc noop
    link/sit 0.0.0.0 peer 192.168.1.42
    inet6 3ffe:9001:210:3::42/64 scope global
    inet6 fe80::c0a8:1/10 scope link
]]></programlisting>
</sect2>
<sect2>
<title>Aliasing</title>
<para>
When using multiple addresses on a single interface, people used to
<command>ifconfig</command> will be surprised to notice that multiple
<command>ip addr add</command> commands do not generate fictitious
interfaces like <interface>eth0:1</interface>,
<interface>eth0:2</interface> and so on. This is a legacy naming
scheme coming from the 2.0 kernel version and is no longer
mandated. For example:
</para>
<programlisting><![CDATA[
# ip addr add 192.168.0.11/24 dev eth0
# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.11/24 scope global secondary eth0
    inet6 fe80::248:54ff:fe1b:2530/10 scope link
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:48:54:1B:25:30
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:528 (528.0 b)
          Interrupt:9 Base address:0x5000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:34732 errors:0 dropped:0 overruns:0 frame:0
          TX packets:34732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3386912 (3.2 Mb)  TX bytes:3386912 (3.2 Mb)

foo       Link encap:IPv6-in-IPv4
          inet6 addr: 3ffe:9001:210:3::42/64 Scope:Global
          inet6 addr: fe80::c0a8:1/10 Scope:Link
          UP POINTOPOINT RUNNING NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
]]></programlisting>
<para>
Our additional IP address is reported by <command>ip addr show</command>
and works, but <command>ifconfig</command> doesn't even know of its existence!
To solve the problem we can use the <parameter>label</parameter> parameter:
</para>
<programlisting><![CDATA[
# ip addr add 192.168.0.11/24 label eth0:1 dev eth0
# ip addr show eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
    link/ether 00:48:54:1b:25:30 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 brd 192.168.0.255 scope global eth0
    inet 192.168.0.11/24 scope global secondary eth0:1
    inet6 fe80::248:54ff:fe1b:2530/10 scope link
# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:48:54:1B:25:30
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::248:54ff:fe1b:2530/10 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:528 (528.0 b)
          Interrupt:9 Base address:0x5000

eth0:1    Link encap:Ethernet  HWaddr 00:48:54:1B:25:30
          inet addr:192.168.0.11  Bcast:0.0.0.0  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:9 Base address:0x5000
]]></programlisting>
<para>
Notice that we can choose any arbitrary string as the label.
We're not forced to use the 2.0 naming scheme; we must comply
with it only if we care about backward compatibility with
<command>ifconfig</command>.
</para>
</sect2>
<sect2>
<title>Which IP for the tunnel</title>
<para>
Choosing a global/public IP address (respectively an IPv6
address for SIT/IPv6-in-IPv4 tunnels and an IPv4 address for
GRE/IPv4-in-IPv4 tunnels) for the local endpoint of the
tunnel is probably the best thing we can do when our computer
is a single host and not a router providing IPv6 connectivity
to a whole LAN.
</para>
<para>
Instead, if we're configuring a router, we'd better use
a link-local address for SIT/IPv6-in-IPv4 tunnels (in IPv6
link-local addresses are assigned automatically by means of
stateless address autoconfiguration, or manually configured)
and a private address for GRE/IPv4-in-IPv4 tunnels (IPv4 has
no link-local addresses). The valid address will then be
only on eth0 (or the interface on the LAN side).
Notice that in this configuration you need to activate
forwarding among interfaces, using these commands:
</para>
<programlisting><![CDATA[
sysctl -w net.ipv4.conf.all.forwarding=1   # for GRE (IPv4-in-IPv4)
sysctl -w net.ipv6.conf.all.forwarding=1   # for SIT (IPv6-in-IPv4)
]]></programlisting>
<para>
For IPv4 you can even decide to enable forwarding only between a
couple of interfaces; in this case you could use these commands:
</para>
<programlisting><![CDATA[
sysctl -w net.ipv4.conf.eth0.forwarding=1
sysctl -w net.ipv4.conf.pippo.forwarding=1
]]></programlisting>
<warning>
<para>
The meaning of this switch is different for IPv6 and it doesn't work as
expected; see the kernel documentation for more information.
</para>
</warning>
</sect2>
</sect1>

<sect1>
<title>Routing</title>
<para>
Now that our tunnel is configured, we have to specify which traffic
will be directed through it. For IPv6 the most common choice is the
following:
</para>
<programlisting>ip route add 2000::/3 dev foo</programlisting>
<para>
This way all IPv6 traffic going to addresses whose first 3 bits
equal 001 (that is, all global unicast IPv6 address space) will be
directed to the <interface>foo</interface> interface. This is only one
eighth of the available IPv6 address space, but you are guaranteed that
every possible remote host will be in this range.
</para>
<para>
We can see the IPv4 routing table this way:
</para>
<programlisting><![CDATA[
# ip route
192.168.0.0/24 dev eth0  scope link
127.0.0.0/8 dev lo  scope link
]]></programlisting>
<para>
and the IPv6 routing table this way:
</para>
<programlisting><![CDATA[
# ip -6 route
2000::/3 dev foo  proto kernel  metric 256  mtu 1480 advmss 1420
fe80::/10 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440
fe80::/10 dev foo  proto kernel  metric 256  mtu 1480 advmss 1420
ff00::/8 dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440
ff00::/8 dev foo  proto kernel  metric 256  mtu 1480 advmss 1420
default dev eth0  proto kernel  metric 256  mtu 1500 advmss 1440
unreachable default dev lo  metric -1  error -101
]]></programlisting>
<para>
If you need to specify a gateway (this is not for tunnels) then
you can add the <parameter>via</parameter> parameter, for example:
</para>
<programlisting>ip route add 192.168.1.0/24 via 192.168.0.254 dev eth0</programlisting>
<para>
To remove a route you can obviously use <command>ip route del</command>,
but be careful: if you write <command>ip route del default</command> you're
removing the default IPv4 route, not the IPv6 one! To remove the IPv6
default destination you need to use <command>ip -6 route del default</command>.
</para>
</sect1>
<sect1>
<title>Practical applications</title>
<sect2>
<title>A complete example</title>
<para>
This is a typical IPv6 tunnel for the 6bone:
</para>
<programlisting><![CDATA[
ip tunnel add $TUNNEL mode sit local any remote $V4_REMOTEADDR ttl 64
ip link set $TUNNEL up
ip addr add $V6_LOCALADDR dev $TUNNEL
ip route add 2000::/3 dev $TUNNEL
]]></programlisting>
<para>
where <parameter>$TUNNEL</parameter> is an arbitrary name assigned to
the tunnel, <parameter>$V4_REMOTEADDR</parameter> is the IPv4 address
of the remote end of the tunnel and
<parameter>$V6_LOCALADDR</parameter> is the IPv6 local address
assigned to our host. We've used the <option>any</option> value for
the <parameter>local</parameter> endpoint address because this way we
can handle a dynamic IPv4 address (e.g. assigned by a dialup
connection to the ISP). Obviously we need to inform our tunnel
broker when our address changes, but this is out of the scope of this
writing, also because there's no general standard procedure.
</para>
<para>
To shut down the tunnel:
</para>
<programlisting>ip tunnel del $TUNNEL</programlisting>
<para>
This also automatically removes the routing entry and the address.
</para>
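<para>
As an added example (not the article's own script), here is the four-command sequence above wrapped in shell functions that validate <parameter>$V4_REMOTEADDR</parameter>, <parameter>$V6_LOCALADDR</parameter> and the TTL before any command runs, so a typo in a script such as <filename>ip-up.local</filename> fails early instead of creating a half-configured tunnel. <varname>IP_CMD</varname> is an assumed hook: set it to <command>echo</command> to preview the commands without root privileges.
</para>

```shell
#!/bin/sh
# Added example, not the article's script: the sit tunnel bring-up from
# "A complete example" with input validation, plus the matching teardown.
# IP_CMD is an assumed hook; IP_CMD=echo previews the commands instead
# of running them (running them needs root).
IP_CMD=${IP_CMD:-/sbin/ip}

# valid_ipv4 ADDR: true for a dotted quad with four octets in 0-255.
valid_ipv4() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  if [ $# -ne 4 ]; then return 1; fi
  for octet in "$@"; do
    case $octet in
      ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$octet" -gt 255 ]; then return 1; fi
  done
  return 0
}

# valid_ipv6_prefix ADDR/LEN: basic syntax check, hex groups and colons
# with "::" at most once, and a prefix length of 0-128.
valid_ipv6_prefix() {
  case $1 in
    */*) ;;
    *) return 1 ;;
  esac
  addr=${1%/*}
  plen=${1#*/}
  case $plen in
    ''|*[!0-9]*) return 1 ;;
  esac
  if [ "$plen" -gt 128 ]; then return 1; fi
  case $addr in
    ''|*[!0-9A-Fa-f:]*|*::*::*) return 1 ;;
    *:*) return 0 ;;
    *) return 1 ;;
  esac
}

# tunnel_up NAME REMOTE_V4 LOCAL_V6/LEN [TTL]: create the tunnel, bring
# it up, assign the IPv6 address and route global unicast (2000::/3)
# through it. Stops at the first command that fails.
tunnel_up() {
  name=$1; remote=$2; local6=$3; ttl=${4:-64}
  case $name in
    ''|*[!A-Za-z0-9_.-]*) echo "tunnel_up: bad tunnel name"; return 1 ;;
  esac
  if ! valid_ipv4 "$remote"; then
    echo "tunnel_up: bad IPv4 remote endpoint: $remote"; return 1
  fi
  if ! valid_ipv6_prefix "$local6"; then
    echo "tunnel_up: bad IPv6 local address: $local6"; return 1
  fi
  case $ttl in
    ''|*[!0-9]*) echo "tunnel_up: bad ttl: $ttl"; return 1 ;;
  esac
  if [ "$ttl" -lt 1 ] || [ "$ttl" -gt 255 ]; then
    echo "tunnel_up: ttl must be 1-255"; return 1
  fi
  "$IP_CMD" tunnel add "$name" mode sit local any remote "$remote" ttl "$ttl" || return 1
  "$IP_CMD" link set "$name" up || return 1
  "$IP_CMD" addr add "$local6" dev "$name" || return 1
  "$IP_CMD" route add 2000::/3 dev "$name"
}

# tunnel_down NAME: deleting the tunnel also drops its address and route.
tunnel_down() {
  "$IP_CMD" tunnel del "$1"
}
```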
</sect2>
<sect2>
<title>Comfort</title>
<para>
Now, after we have made sure everything works, we can put the previous commands
in a script called <filename>ip-up.local</filename> saved in
<filename>/etc/ppp/</filename>. This way, those commands will be
automatically executed <emphasis>every time we connect via PPP</emphasis>.
If we also want to automatically delete the tunnel upon PPP
disconnection, we can create another script in the same directory
and call it <filename>ip-down.local</filename>.
</para>
<para>
As an example, if our tunnel broker is <xref linkend="NGNET"/>, we
could use this script as <filename>ip-up.local</filename>:
</para>
&ngnetscript;
<para>
<filename>ip-down.local</filename> could be:
</para>
<programlisting><![CDATA[
#!/bin/bash
/sbin/ip tunnel del ngnet
]]></programlisting>
</sect2>
</sect1>
<sect1>
<title>Thanks</title>
<para>
Thanks to Giacomo Piva for the pppd and NGNET integration idea.
</para>
</sect1>
<bibliography>
<title>References</title>
<para>
Here are some useful links:
</para>
&bibliography;
</bibliography>
</article>
<!--
vim: et ts=2 sw=2
-->