IPIP Tunnels
IPIP tunnels are generic IP-in-IP routing tunnels which encapsulate traffic between a local and remote destination. These can be used on their own, in which case they function similarly to unencrypted GIF tunnels on other platforms, or they can act as part of a routed IPsec tunnel to carry traffic encrypted by IPsec.
IPIP tunnels are defined by tunnel ipip <instance> in config mode, which enters config-ipip mode.
IPIP Tunnel Configuration
- <instance>:
Instance ID, which sets the resulting interface number. For example, an instance ID of 5 creates an interface named ipip5.
Warning
If this IPIP tunnel will be used by an IPsec tunnel, the instance ID of the IPsec entry must match the instance ID of the IPIP tunnel!
- source (ipv4|ipv6) address <local-address>:
The local address to use as the local endpoint for the tunnel. This must be either IPv4 or IPv6, and can be given as either an IP address or a hostname.
- destination (ipv4|ipv6) (address|hostname) <remote-address>:
The optional remote address or hostname to use as the external remote endpoint for the tunnel. The address family of the destination must match the address family set in the source.
Note
The address family restriction only applies to the outer tunnel endpoints. The addresses on the IPIP interface for the tunnel may be of a different address family.
Defining a destination creates a point-to-point tunnel to a single remote peer.
Omitting the destination endpoint creates a point-to-multipoint tunnel. This mode allows for multiple remote peers to communicate on the same tunnel, such as for remote access IPsec. For uses other than remote access IPsec this requires tunnel next-hop entries (Tunnel Next Hops) for each peer on the tunnel.
- encapsulation <option>:
Fine-tunes the encapsulation behavior of the IPIP tunnel.
  - route-table <route-table-name>:
  Specifies an alternate routing table for the outer tunnel traffic.
  - copy-dscp:
  Copy the DSCP value from inner packet header to the outer packet header.
  - dscp <uint8>:
  Sets an explicit DSCP value for encapsulated packets. The value can be from 0-255.
  - set-df:
  Sets the IP Do-Not-Fragment bit on encapsulated packets.
After creating the IPIP instance, the new IPIP interface will be available for use by TNSR, and it can carry traffic inside the IPIP tunnel. The name of the IPIP interface is ipip<instance id>. The IPIP interface can be configured similarly to other interfaces (Configure Interfaces).
IPIP Example
This example creates a new IPIP entry with an instance id of 1 and the source and destination addresses shown:
tnsr(config)# tunnel ipip 1
tnsr(config-ipip)# source ipv4 address 203.0.113.2
tnsr(config-ipip)# destination ipv4 address 203.0.113.25
tnsr(config-ipip)# exit
Now configure the resulting ipip1 interface to carry traffic inside the tunnel.
tnsr(config)# int ipip1
tnsr(config-interface)# ip address 10.2.125.1/30
tnsr(config-interface)# enable
tnsr(config-interface)# exit
IPIP Status
To view a list of current IPIP instances, use show tunnel ipip:
tnsr(config)# show tunnel ipip
Instance Local Address  Remote Address  Route Table DSCP DF
-------- -------------- --------------- ----------- ---- --
0        203.0.113.2    203.0.113.25    default     0    N
1        203.0.113.2    203.0.113.14    default     0    N
This command prints a list of all IPIP instances and a summary of their configuration.
IPIP and IPsec
IPIP tunnels can be created explicitly as explained here but can also be created implicitly by configuring the local/remote address in IPsec.
When creating an IPIP tunnel explicitly, it must be created before the IPsec tunnel is created.
Either way, when removing an IPIP tunnel associated with an IPsec tunnel, the IPsec tunnel must be removed first:
tnsr(config)# no ipsec tunnel 0
tnsr(config)# no int ipip0
tnsr(config)# no tunnel ipip 0
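The status output and the IPsec rules above, combined into a small audit as an added example (not part of the TNSR documentation or product): it parses show tunnel ipip output, reports IPIP instances that have no IPsec tunnel with the same instance ID, and lists removal commands in the required order. The sample output and the set of IPsec instance IDs are constructed, a DF value of Y for a set bit is an assumption, and every row is assumed to carry all six columns as in the sample above.

```python
# Added example: audit `show tunnel ipip` output against known IPsec instance IDs.
# SAMPLE_OUTPUT and the IPsec ID set are constructed; columns follow the page's sample.

SAMPLE_OUTPUT = """\
Instance Local Address  Remote Address  Route Table DSCP DF
-------- -------------- --------------- ----------- ---- --
0        203.0.113.2    203.0.113.25    default     0    N
1        203.0.113.2    203.0.113.14    default     0    N
"""


def parse_ipip(text):
    """Return one dict per IPIP instance row in `show tunnel ipip` output."""
    tunnels = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have six columns and start with a numeric instance ID;
        # this skips the header, the dashed rule and any CLI prompt line.
        if len(fields) != 6 or not fields[0].isdigit():
            continue
        inst, local, remote, table, dscp, df = fields
        tunnels.append({"instance": int(inst), "local": local, "remote": remote,
                        "route_table": table, "dscp": int(dscp),
                        "df": df == "Y"})  # assumption: Y marks a set DF bit
    return tunnels


def unprotected(tunnels, ipsec_ids):
    """Instances with no IPsec tunnel of the same ID, i.e. cleartext IP-in-IP."""
    return [t["instance"] for t in tunnels if t["instance"] not in ipsec_ids]


def removal_commands(instance, ipsec_ids):
    """Teardown in the order the page requires: IPsec first, then IPIP."""
    cmds = []
    if instance in ipsec_ids:
        cmds.append(f"no ipsec tunnel {instance}")
    cmds += [f"no int ipip{instance}", f"no tunnel ipip {instance}"]
    return cmds


if __name__ == "__main__":
    ipsec_ids = {0}  # constructed: only instance 0 has an IPsec tunnel
    tunnels = parse_ipip(SAMPLE_OUTPUT)
    for inst in unprotected(tunnels, ipsec_ids):
        print(f"ipip{inst}: no matching IPsec tunnel, traffic is unencrypted")
    print("\n".join(removal_commands(0, ipsec_ids)))
```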