Solved

Need way for Linux to tunnel route to a Cisco router

Posted on 1998-12-03
Last Modified: 2010-03-18
Given that my ISP has agreed to let me tunnel my /24 to his network over my cable modem, I need a way to set up a route tunnel between my Linux box (RH 5.2 kernel 2.0.36) and his Cisco (4500 IOS 11.1(5))

I know Linux has tunnels, but I don't know if they can tunnel with a tunnel peer that is the Cisco itself.  If they can, how?  If not, what software solutions do I have?  
He wants to use a Cisco as it is just something that sits in the rack and won't require tending.  I don't really want to go buy a Cisco 1605-R for each remote site.

I also know that, yes, kernel 2.1.70+ have the GRE code, but I can't find the "rest" of it to set things up.  

How can I get this Cisco-capable IP tunnel up and running between my Linux and his Cisco?
Question by:jantypas
Expert Comment

by:mcdonc
ID: 1587744
You may want to take a look at Aventail VPN servers at http://www.systemec.nl/connectivity/VPN/Aventail/vpn_datasheet.htm

They sell a Linux server component that they claim will handle L2TP (layer 2 tunneling protocol), which Cisco does as well.

However, I'm not sure if I understand your need for a tunnel.  I'm interested in your setup and your purpose, can you explain more?
Author Comment

by:jantypas
ID: 1587745
Sure, I have a portable /24 route.  My ISP used to route that portable /24 over a traditional PPP link.  However, now the cable company also offers IP.  However, they don't offer multiple addresses.  So, the first ISP and I said "Why not use the cable modem to tunnel the original route?"  Effectively, they're still my ISP, but we're using the cable modem as a carrier -- sort of a coax T-1.  BYOC (Bring your own carrier).

Cisco IOS 11.1(5) doesn't support L2TP... (sigh)
Author Comment

by:jantypas
ID: 1587746
Adjusted points to 500
Expert Comment

by:mcdonc
ID: 1587747
You say in your original question that you don't want to have to buy Cisco routers for every remote site.  How many remote sites are we talking about here?  You want to bust your portable /24 into multiple subnets and use it across several links, one of which is this broadband connection via cable modem?  Or is it just this one site that you want to give the whole /24 to?

If it's just the one site, I'd have to break down and buy a Cisco 2500-series to interface with his using whatever tunneling features are available and common between the two.

If not:

I don't suppose it would be a workable idea to buy Cobalt Qube or a Corel Netwinder for the ISP and have him rack it up, making it a one-armed router with encapsulation capability via IP-over-IP?  Or even an industrially-cased NT server with PPTP (not that you'd want to manage it remotely...) and NT servers at the remote sites?  Wow, did I just actually suggest that?

And he can't (or doesn't want to) upgrade his router code to support L2TP?  What about just shipping him a 2500-series router with the proper IOS to support L2TP and making IT a one-armed router with encapsulation capability?  Then using the Aventail product (which I can't verify actually works, sorry) at all remote sites.

I'll keep poking around, but you're on the bleeding edge with GRE support in the 2.1.x kernels... I even reached into the routing grab-bag and tried to think of a way to support an OSPF virtual link over multiple hops not in an OSPF area, but no can do.

This is a very interesting question.  Thanks.

Author Comment

by:jantypas
ID: 1587748
Well, I'm starting with just the one site, but we're looking for a solution that will move beyond just myself -- this is why the rack of routers won't work.  While he likes a hardware solution, the idea of 50-100 250x in a rack isn't exactly wonderful either.  He'd like to go to IOS 12 but since this is only a pet project, we're not willing to stop the main router and upgrade code "just to test" just yet.

I'd buy a Cisco, but $1000 for a dual Ethernet version (remember cable and DSL modems typically emit 10BT) per potential customer isn't exactly cost effective.  We're trying to work on the "Bring your own carrier" concept.
Expert Comment

by:mcdonc
ID: 1587749
He wouldn't need 50 - 100 2500-series routers.  He may need one 2500-series router per maybe... 20-30 sites.

Use the existing WAN router(s) (let's call it 10.1.1.1/24) at the ISP and configure them with a static IP route to your /24s (let's say they're 192.168.1.0/24 and 192.168.2.0/24) via a one-armed 2500-series router also at his site (let's say its Ethernet interface is 10.1.1.2/24).  For the purposes of this example, you'd also set up Cisco 2500-series routers at the IP addresses provided by the cable modem ISP (let's say they're 172.16.11.1/16 and 172.16.12.1/16).

On the ISP's WAN router:

! Hand both customer prefixes to the one-armed router on the same segment
ip route 192.168.1.0 255.255.255.0 10.1.1.2
ip route 192.168.2.0 255.255.255.0 10.1.1.2

On the one-armed 2500-series router at the ISP site:

! Everything that is not tunnelled goes back out the same Ethernet
ip route 0.0.0.0 0.0.0.0 10.1.1.1
! Each /24 is already a connected route on its tunnel interface below;
! these statics only spell out the intent
ip route 192.168.1.0 255.255.255.0 tunnel 0
ip route 192.168.2.0 255.255.255.0 tunnel 1

interface ethernet 0
 ip address 10.1.1.2 255.255.255.0

! Outer IP packets are sourced from ethernet 0 (10.1.1.2) and sent to the
! cable-side address of each remote router.  Each tunnel destination must be
! reachable via the default route, never via a tunnel, or GRE would recurse.
interface tunnel 0
 ip address 192.168.1.1 255.255.255.0
 tunnel source ethernet 0
 tunnel destination 172.16.11.1
 tunnel mode gre ip

interface tunnel 1
 ip address 192.168.2.1 255.255.255.0
 tunnel source ethernet 0
 tunnel destination 172.16.12.1
 tunnel mode gre ip

At the first remote 2500 with the cable modem provider's IP:

! This router's only interface is ethernet 0 on the cable modem segment, so
! the default route must point at the cable provider's gateway rather than a
! serial port.  172.16.0.1 is an example address; the thread does not give
! the real gateway.
ip route 0.0.0.0 0.0.0.0 172.16.0.1

interface ethernet 0
 ip address 172.16.11.1 255.255.0.0

! Mirror image of tunnel 0 at the ISP: the source here is the cable address,
! the destination is the one-armed router's ethernet 0 address
interface tunnel 0
 ip address 192.168.1.2 255.255.255.0
 tunnel source ethernet 0
 tunnel destination 10.1.1.2
 tunnel mode gre ip

At the second cable modem location:

! Same example gateway as above
ip route 0.0.0.0 0.0.0.0 172.16.0.1

interface ethernet 0
 ip address 172.16.12.1 255.255.0.0

interface tunnel 0
 ip address 192.168.2.2 255.255.255.0
 tunnel source ethernet 0
 tunnel destination 10.1.1.2
 tunnel mode gre ip

You could create one tunnel on the 2500 at the ISP for each remote site.  Remember that the router can tunnel multiple conversations.

He may need one 4000/7000-series per 100 remote sites.

Please also remember that this idea is not limited to GRE encapsulation.  I haven't worked with L2TP, but if it's set up on a tunnel interface, it would work in exactly the same way... and if so, that Aventail product might work for you.
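
The Linux end of the tunnel sketched above, for a remote site that replaces the 2500 with the questioner's Linux box (the "rest" of the GRE code the question could not find is the userspace tool: on a 2.2 or later kernel it is iproute2's ip tunnel). This is an added example, not code from the original thread. It reuses the accepted answer's example addresses for remote site 1 (cable-side address 172.16.11.1, the ISP's one-armed router at 10.1.1.2, inner address 192.168.1.2/24 opposite the Cisco's 192.168.1.1); the device name gre1, the cable provider's gateway 172.16.0.1, the cable interface name eth0 and the iptables rules are assumptions. It prints the commands it would run unless RUN=1 is set, so it can be read and checked before being applied as root.

```shell
#!/bin/sh
# Linux side of the GRE tunnel from the accepted answer (remote site 1).
# Dry-run by default: commands are printed.  Apply as root with
#   RUN=1 sh gre-up.sh up      bring the tunnel up
#   RUN=1 sh gre-up.sh check   ping the peer and watch the outer packets
#   RUN=1 sh gre-up.sh down    tear it down again
set -eu

TUN=gre1                 # Linux tunnel device name (assumption)
CABLE_IF=eth0            # interface facing the cable modem (assumption)
LOCAL=172.16.11.1        # our cable-side address (thread's example value)
REMOTE=10.1.1.2          # ISP one-armed router, its "tunnel source" (thread)
CABLE_GW=172.16.0.1      # cable provider's gateway (assumption, not in thread)
TUN_ADDR=192.168.1.2/24  # matches "ip address 192.168.1.2 255.255.255.0"
PEER_ADDR=192.168.1.1    # the Cisco's tunnel 0 address (thread)
LINK_MTU=1500

# Execute the command, or just print it when not running as RUN=1.
run() {
    if [ "${RUN:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi
}

# "tunnel mode gre ip" with no key, checksum or sequence options wraps each
# packet in a 20-byte outer IPv4 header plus a 4-byte GRE header.
gre_mtu() { echo $(( $1 - 24 )); }

gre_up() {
    # Host route to the far endpoint via the cable gateway FIRST, so the
    # default route we later point into the tunnel cannot swallow the
    # tunnel's own outer packets (recursive routing, same caveat as on IOS).
    run ip route replace "$REMOTE"/32 via "$CABLE_GW"
    run ip tunnel add "$TUN" mode gre local "$LOCAL" remote "$REMOTE" ttl 255
    run ip link set "$TUN" mtu "$(gre_mtu "$LINK_MTU")" up
    run ip addr add "$TUN_ADDR" dev "$TUN"
    # Send outbound traffic back through the ISP that announces the /24, so
    # the portable prefix is never sourced directly onto the cable network.
    run ip route replace default via "$PEER_ADDR" dev "$TUN"
    # GRE has no authentication: only hand protocol 47 from the known peer
    # to the tunnel code and drop every other GRE packet.  This is source
    # filtering, not proof of origin; a spoofed 10.1.1.2 still gets through.
    run iptables -A INPUT -p gre -s "$REMOTE" -d "$LOCAL" -j ACCEPT
    run iptables -A INPUT -p gre -j DROP
}

gre_check() {
    # The inner ping should answer; the capture on the cable interface should
    # show only protocol 47 packets between LOCAL and REMOTE carrying it.
    run ping -c 3 "$PEER_ADDR"
    run tcpdump -c 6 -ni "$CABLE_IF" ip proto 47 and host "$REMOTE"
}

gre_down() {
    run ip route replace default via "$CABLE_GW"
    run ip tunnel del "$TUN"
    run ip route del "$REMOTE"/32 via "$CABLE_GW"
    run iptables -D INPUT -p gre -s "$REMOTE" -d "$LOCAL" -j ACCEPT
    run iptables -D INPUT -p gre -j DROP
}

case "${1:-}" in
    up)    gre_up ;;
    check) gre_check ;;
    down)  gre_down ;;
    *)     : ;;   # no argument: define the functions only
esac
```

The order inside gre_up matters: if the default route goes into the tunnel before the host route to 10.1.1.2 exists, the outer GRE packets are themselves routed into the tunnel and the link never comes up, which is the same recursion the Cisco side has to avoid. The iptables rules limit which source address may feed the tunnel, but GRE on both ends here carries no authentication or encryption, so anyone who can spoof the peer's address toward the cable interface can inject packets into the /24; a matching "tunnel key" on the Cisco and "key" on the ip tunnel command only tags the tunnel and travels in the clear, it is not a secret.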
Author Comment

by:jantypas
ID: 1587750
Am I correct in reading that a 2501 (let us say) can do tunnels?
I was avoiding the use of the 2501 because it had only one Ethernet interface.  Can I, or the ISP, use the 2501 solely as a tunnel machine -- accepting routes (different IP address) on Ethernet 0 and routing them back to another IP range on Ethernet 0?  Sure, it OUGHT to work, Ethernet doesn't care... but I never considered using it solely as a tunnel machine.  Obviously, routing and firewall would be done on another box.
Expert Comment

by:mcdonc
ID: 1587751
Yes.  A router with a single interface in this configuration is called a "one-armed router" or a "router-on-a-stick".  Any Cisco router has this capability.

Though I've never set up a one-armed Cisco router to tunnel to multiple remote sites (I would try it before making a major investment), I'm almost positive it will work.  There's no logical reason for it not to.

And as I said before on the remote side, you don't even really need the Ciscos if L2TP works the way I think it does.  You can use Linux and that Aventail product, perhaps.

Expert Comment

by:adrianwatkins
ID: 1587752
Certainly one Ethernet port would do the job on, say, a 1601 / 2501 with subinterfaces or secondary addresses on the one interface.

so your routing is:

real net -> E0 ->T0 (GRE/L2TP)-> E0.1 -> Cable Modem


Accepted Solution

by:mcdonc (earned 500 total points)
ID: 1587753
Did this answer any of your questions?
Author Comment

by:jantypas
ID: 1587754
Yes, while not the direction I expected, you are the only one who came even close...  Of course, while this was being worked out, I found a Cisco 1605 for $750 so this may all be moot :-)