HOWTO setup an IPIP tunnel on Debian
====================================

For this example we have one host with a private 10.0.0.0/8 network and another with a private 192.168.23.0/24 network, both connected to the internet.

                Gateway A                          Gateway B
            -----------------                  ----------------
            | eth0          |                  |         eth1 |
            | 15.11.146.31  |--   internet   --| 15.238.7.104 |
            |               |                  |              |
 Network A  |eth2           |                  |          eth0|   Network B
 10.0.0.0 --|.1             |                  |            .1|-- 192.168.23
   /8       |  tundev       |       IPIP       |    tundev    |      /24
            |  10.123.23.1  |..................| 192.168.23.2 |
            |  /32          |      tunnel      |     /32      |
            -----------------                  ----------------

Route Table for Gateway A

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.23.0    *               255.255.255.0   U     0      0        0 tundev
15.11.146.0     *               255.255.255.0   U     0      0        0 eth0
10.0.0.0        *               255.0.0.0       U     0      0        0 eth2
default         15.11.146.1     0.0.0.0         UG    0      0        0 eth0

Route Table for Gateway B

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.23.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
15.238.4.0      0.0.0.0         255.255.252.0   U     0      0        0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U     0      0        0 tundev
0.0.0.0         15.238.4.1      0.0.0.0         UG    0      0        0 eth1

"ip tunnel" for Gateway A

tundev: ip/ip remote 15.238.7.104 local any ttl inherit

"ip tunnel" for Gateway B

tundev: ip/ip remote 15.11.146.31 local any ttl inherit

Notes
=====

* The "interfaces.*" files go in /etc/network on their respective machines.
  This allows the tunnel to be cleanly brought up and down using
  "ifup tundev" and "ifdown tundev".

* The "tunnel" script goes on both machines in /etc/network/if-up.d, with a
  symlink to it in if-down.d. It is run by ifup/ifdown in order to properly
  adjust the firewall: it allows the tunnel packets through when the tunnel
  comes up and disallows them when the tunnel is taken down. It allows all
  traffic to and from the tunnel; if you need something different you'll
  need to adjust it.

* For machines on one private network to be able to talk to the other
  private network they either need to be using the gateway or have an
  explicit route.

  In my case some of the machines on the private networks are also homed on
  the internet and use it as their default route. In that case I add a net
  route with:

      Network A: route add -net 192.168.23.0/24 gw 10.0.0.1
      Network B: route add -net 10.0.0.0/8 gw 192.168.23.1

* Both gateways are configured to NAT traffic to the internet (but not to
  the other private network).

* DNS
  - Both private networks have dhcp servers.
  - For our Network A we actually have private reverse DNS, so the machines
    on Network B are configured to use a nameserver on Network A, and the
    above dhcp server hands out that server.

* Why did I pick the addresses I did for either side of the tunnel? It
  doesn't matter what they are, but if they're not in the private address
  space on each side then you end up with additional net routes you don't
  need. I picked those particular addresses because I knew they wouldn't
  ever conflict.

TODO
====

* Change the tunnel script to only allow private<=>tundev instead of
  everything. Control this with an internal-iface variable in interfaces.

* Move the tunnel setup into the tunnel script too. Control this with a
  remote-address variable in interfaces (ajt's idea).

Thanks to ajt for the help.

Matt Taggart 2003-11-01