IPIP Tunnels

IPIP tunnels are generic IP-in-IP routing tunnels which encapsulate traffic between a local and remote destination. These can be used on their own, in which case they function similar to unencrypted GIF tunnels on other platforms, or they can act as part of a routed IPsec tunnel to carry traffic encrypted by IPsec.

IPIP tunnels are defined by tunnel ipip <instance> in config mode which enters config-ipip mode.

IPIP Tunnel Configuration


Instance ID, which sets the resulting interface number. For example, an instance ID of 5 creates an interface named ipip5.


If this IPIP tunnel will be used by an IPsec tunnel the instance ID of the IPsec entry must match the instance ID of the IPIP tunnel!

source (ipv4|ipv6) address <local-address>

The local address to use as the local endpoint for the tunnel. This must either be only IPv4 or IPv6, but can either be an IP address or a hostname.

destination (ipv4|ipv6) (address|hostname) <remote-address>

The optional remote address or hostname to use as the external remote endpoint for the tunnel. The address family of the destination must match the address family set in the source


The address family restriction only applies to the outer tunnel endpoints. The addresses on the IPIP interface for the tunnel may be of a different address family.

Defining a destination creates a point-to-point tunnel to a single remote peer.

Omitting the destination endpoint creates a point-to-multipoint tunnel. This mode allows for multiple remote peers to communicate on the same tunnel, such as for remote access IPsec. For uses other than remote access IPsec this requires tunnel next-hop entries (Tunnel Next Hops) for each peer on the tunnel.

encapsulation <option>

Fine-tunes the encapsulation behavior of the IPIP tunnel.

route-table <route-table-name>

Specifies an alternate routing table for the outer tunnel traffic.


Copy the DSCP value from inner packet header to the outer packet header.

dscp <uint8>

Sets an explicit DSCP value for encapsulated packets. The value can be from 0-255.


Sets the IP Do-Not-Fragment bit on encapsulated packets.

After creating the IPIP instance, the new IPIP interface will be available for use by TNSR which can carry traffic inside the IPIP tunnel. The name of the IPIP interface is ipip<instance id>. The IPIP interface can be configured similar to other interfaces (Configure Interfaces).

IPIP Example

This example creates a new IPIP entry with an instance id of 1 and the source and destination addresses shown:

tnsr(config)# tunnel ipip 1
tnsr(config-ipip)# source ipv4 address
tnsr(config-ipip)# destination ipv4 address
tnsr(config-ipip)# exit

Now configure the resulting ipip1 interface to carry traffic inside the tunnel.

tnsr(config)# int ipip1
tnsr(config-interface)# ip address
tnsr(config-interface)# enable
tnsr(config-interface)# exit

IPIP Status

To view a list of current IPIP instances, use show tunnel ipip:

tnsr(config)# show tunnel ipip
Instance  Local Address  Remote Address Route Table DSCP DF
-------- -------------- --------------- ----------- ---- --
       0  ipv4-VRF:0    0 N
       1  ipv4-VRF:0    0 N

This command prints a list of all IPIP instances and a summary of their configuration.

IPIP and IPsec

IPIP tunnels can be created explicitly as explained here but can also be created implicitly by configuring the local/remote address in IPsec.

When creating an IPIP tunnel explicitly, it must be created before the IPsec tunnel is created.

Either way, when removing an IPIP tunnel associated with an IPsec tunnel, the IPsec tunnel must be removed first:

tnsr(config)# no ipsec tunnel 0
tnsr(config)# no int ipip0
tnsr(config)# no tunnel ipip 0