Westermo RedFox Series User Manual

Westermo OS Management Guide

Version 4.17.0-0

the most common use is to encapsulate IP packets, creating an IP over IP tunnel.
WeOS only supports the encapsulation of IP packets in GRE.

GRE works by adding a special (GRE) header in front of the encapsulated packet
containing a checksum

1

, payload type (0x800 for IP) and some flags. The GRE

header is preceded by an outer IP header used to route the packet between the
tunnelling endpoints.

The GRE protocol is stateless. It does not provide any security features at all; it
lacks encryption and authentication, and it does not detect lost packets, replay
attacks or other spoof attacks.

You can add security, if needed, by using GRE within an IPsec VPN tunnel (

chap-

ter 35

) or by using some kind of secure protocol (such as HTTPS or SSH) for the

data routed through the tunnel.

GRE tunnels are configured in two steps. First you need to define the tunnel
with its endpoints and other related settings (described further

sections 34.1.2

-

34.1.4

). By configuring the tunnel, a new (GRE) network interface is created

automatically. The second step is to configure the created GRE interface. See

chapter 19

for information about configuring interfaces, including the GRE inter-

faces.

34.1.2

Defining GRE tunnel endpoints

IP−Src

Outer IP Hdr

IP−Dst

TTL ...

GRE Hdr

...

IP−Dst IP−Src TTL

...

Data

...

GRE Payload (Inner IP packet)

Tunnel Endpoint
IP Address e.f.g.h

Tunnel Endpoint
IP Address a.b.c.d

Local

Subnet−A

Alice

Local

Subnet−B

Bob

Internet

Figure 34.1: GRE tunnel example.

1

The GRE checksum is optional. WeOS does not include a checksum in transmitted GRE packets

➞ 2015 Westermo Teleindustri AB

779