IPIP tunnels are generic IP-in-IP routing tunnels which encapsulate traffic between a local and remote destination. These can be used on their own, in which case they function similar to unencrypted GIF tunnels on other platforms, or they can act as part of a routed IPsec tunnel to carry traffic encrypted by IPsec.
IPIP tunnels are defined by
tunnel ipip <instance> in
config mode which
IPIP Tunnel Configuration¶
Instance ID, which sets the resulting interface number. For example, an instance ID of
5creates an interface named
If this IPIP tunnel will be used by an IPsec tunnel the instance ID of the IPsec entry must match the instance ID of the IPIP tunnel!
- source (ipv4|ipv6) address <local-address>
The local address to use as the local endpoint for the tunnel. This must either be only IPv4 or IPv6, but can either be an IP address or a hostname.
- destination (ipv4|ipv6) (address|hostname) <remote-address>
The optional remote address or hostname to use as the external remote endpoint for the tunnel. The address family of the destination must match the address family set in the source
The address family restriction only applies to the outer tunnel endpoints. The addresses on the IPIP interface for the tunnel may be of a different address family.
Defining a destination creates a point-to-point tunnel to a single remote peer.
Omitting the destination endpoint creates a point-to-multipoint tunnel. This mode allows for multiple remote peers to communicate on the same tunnel, but it requires tunnel next-hop entries (Tunnel Next Hops) for each peer on the tunnel.
- encapsulation <option>
Fine-tunes the encapsulation behavior of the IPIP tunnel.
- route-table <route-table-name>
Specifies an alternate routing table for the outer tunnel traffic.
Copy the DSCP value from inner packet header to the outer packet header.
- dscp <uint8>
Sets an explicit DSCP value for encapsulated packets. The value can be from
Sets the IP Do-Not-Fragment bit on encapsulated packets.
After creating the IPIP instance, the new IPIP interface will be available for
use by TNSR which can carry traffic inside the IPIP tunnel. The name of the IPIP
ipip<instance id>. The IPIP interface can be configured similar
to other interfaces (Configure Interfaces).
This example creates a new IPIP entry with an instance id of
1 and the
source and destination addresses shown:
tnsr(config)# tunnel ipip 1 tnsr(config-ipip)# source ipv4 address 203.0.113.2 tnsr(config-ipip)# destination ipv4 address 203.0.113.25 tnsr(config-ipip)# exit
Now configure the resulting
ipip1 interface to carry traffic inside the
tnsr(config)# int ipip1 tnsr(config-interface)# ip address 10.2.125.1/30 tnsr(config-interface)# enable tnsr(config-interface)# exit
To view a list of current IPIP instances, use
show tunnel ipip:
tnsr(config)# show tunnel ipip Instance Local Address Remote Address Route Table DSCP DF -------- -------------- --------------- ----------- ---- -- 0 203.0.113.2 203.0.113.25 ipv4-VRF:0 0 N 1 203.0.113.2 203.0.113.14 ipv4-VRF:0 0 N
This command prints a list of all IPIP instances and a summary of their configuration.
IPIP and IPsec¶
IPIP tunnels can be created explicitly as explained here but can also be created implicitly by configuring the local/remote address in IPsec.
When creating an IPIP tunnel explicitly, it must be created before the IPsec tunnel is created.
Either way, when removing an IPIP tunnel associated with an IPsec tunnel, the IPsec tunnel must be removed first:
tnsr(config)# no ipsec tunnel 0 tnsr(config)# no int ipip0 tnsr(config)# no tunnel ipip 0