I have a few working IPTunnels (gre mode), and they work great with no errors or problems. In all the cases, I'm building the tunnel between two Linux boxes, each with an "inside" interface (running private 10. IP addressing), and an outside interface (that's reachable on the internet). I don't consider any of the traffic to be sensitive, so there is currently no encryption. However, I am having trouble understanding a couple points.

I'm setting it up using the commands (spaced out for clarity):

    insmod ip_gre

then

    iptunnel add tunnel1 mode gre
        remote 2.2.2.2    (the real "outside" IP of the other end of the tunnel connection)
        local 4.4.4.4     (I don't currently specify this)

then

    ifconfig tunnel1 172.16.1.1    (this IP is not related to any other hosts or subnets or connections to the network, it's just an arbitrary IP picked out of a hat)

then appropriate routes to route the tunnel traffic (all the "inside" networks are running 10.x.1.x/24 subnets, where the 2nd octet is actually a site number), so

    route add -net 10.x.1.0/24 tunnel1

Now, I have the following questions...

In my setup, I am NOT specifying the local ADDR parameter, and in my testing, no matter what I set it to, the tunnel still works. I believe that the suggestion is to set it to the real IP of the box; however, it doesn't seem to matter if I set it to that IP, a fake IP, or just not specify it, I don't see ANY difference in the tunnel. Can someone clarify this point for me?

My 2nd question is when I set the IP of the tunnel interface (ifconfig tunnel1), I am currently using a private IP that's NOT on the same subnet as the traffic I am routing over the tunnel. I've tried setting that IP to the "outside" interface that the tunnel traffic would actually pass through, and that also seems to work.
The side effect from setting it to an unrelated private IP is that if I attempt to get to a host on the other side of the tunnel (from the "router" box), it uses that interface IP rather than the inside address of the box, which again seems logical, but requires me to add more routes to compensate for this.

My question here is, is there any problem with setting the IP to the SAME as the inside address of the box? In my testing I don't seem to see a problem (except maybe a few extra ms on ping times, but that may be coincidental), but it would seem there has to be a "gotcha" on this. Can someone help clarify this for me? Is it best to set it to an unrelated IP, the inside IP, or even the outside IP?

I also question if it is possible for the "tunnel" interface to be "unnumbered". In my testing, the tunnel just doesn't work until I assign it an IP address via ifconfig (is ifconfig what actually establishes the "virtual interface"?), and it doesn't seem to matter what IP I assign to it, it still works. Would setting the IP to the same as the inside interface be the equivalent of "unnumbered"? Or is it deeper than this?

It doesn't seem to matter what IP I set it to, as long as I have the routing built for the "inside" addresses. The only place I can see that the IP matters is for traffic that would actually originate off that Linux box, and then, that's easily fixed by adding the appropriate route on the opposite side to match that IP.