
Guys, I'm testing our company's firewall product, and there is a problem bothering me. "The firewall" works in bridge mode and has an eth1 interface. I want to simulate a client remotely accessing "the firewall" using an ipip (or other) tunnel. My question is: can I create a tunnel on "the firewall" with an existing interface called "eth1"? Because there are some iptables filter settings that use eth1. I used the commands below, but an error occurred.

    ip tunnel add eth1 mode ipip remote "$IPIPSERVER"
    ip link set dev eth1 up
    ip addr add "$LOCALADDR" peer "$PEERADDR" dev eth1

    [root ~]# ip tunnel add eth1 mode ipip remote 2.2.2.2
    add tunnel tunl0 failed: File exists

The error is maybe because eth1 already exists, I think. I have created an ipip tunnel successfully when using the commands above with an unused interface name like "vpn_tap".

    8: vpn_tap@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480 qdisc noqueue state UNKNOWN qlen 1
        link/ipip 0.0.0.0 peer 2.2.2.2
        inet 172.16.0.1 peer 172.16.0.2/32 scope global vpn_tap
           valid_lft forever preferred_lft forever

But I have to create the tunnel at eth1. I also tried a device name like "eth1:2". It was created successfully, but the iptables filter rules don't match "eth1:2" because the iptables config is like "-A XXX_DEFAULT_INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT".

The interfaces on "the firewall" are like below, if that helps.

    [root@beat-box ~]# ip addr
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
    2: tunl0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
        link/ipip 0.0.0.0 brd 0.0.0.0
    4: peth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master eth1 state UP qlen 1000
        link/ether 08:00:37:02:01:00 brd ff:ff:ff:ff:ff:ff
    6: peth1@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue master eth1 state UP qlen 1000
        link/ether 08:00:37:02:01:01 brd ff:ff:ff:ff:ff:ff
    7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
        link/ether 08:00:37:02:01:00 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.100/32 scope global eth1:1
           valid_lft forever preferred_lft forever
        inet 10.1.0.2/24 scope global eth1
           valid_lft forever preferred_lft forever

What I want is to create a tunnel at eth1, making it look like this (the lines marked with ">" are what I want added):

    7: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
        link/ether 08:00:37:02:01:00 brd ff:ff:ff:ff:ff:ff
        inet 192.168.1.100/32 scope global eth1:1
           valid_lft forever preferred_lft forever
        inet 10.1.0.2/24 scope global eth1
           valid_lft forever preferred_lft forever
    >   link/ipip 0.0.0.0 peer 2.2.2.2
    >   inet 172.16.0.1 peer 172.16.0.2/32 scope global
    >      valid_lft forever preferred_lft forever

Thanks a lot.

1 Answer


The tunnel is always a new interface in the network stack. There are many reasons why it has to work like this.

You need to adapt your firewall settings so that they also work with another interface in this case.

Tero Kilkanen
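One way to follow the answer, as an added example that is not from the question, the answer or the firewall product: bring the ipip tunnel up under its own name (assumed here to be `vpn0`) and then extend the existing `-i eth1` filter rules to the tunnel interface by copying each such rule with the tunnel device substituted. The addresses are the ones from the question; the rule text is a constructed iptables-save fragment.

```shell
#!/bin/sh
# Added example (hypothetical helper, not the product's own tooling).
# Assumptions: tunnel device "vpn0", remote 2.2.2.2, local 172.16.0.1, peer 172.16.0.2,
# and rules in iptables-save format. Needs root and the ipip module to apply for real.
set -eu

# Print the commands that create the tunnel as a separate interface
# (the tunnel can never be attached to an existing device such as eth1).
tunnel_cmds() {
  tun="$1"; remote="$2"; local_addr="$3"; peer="$4"
  printf 'ip tunnel add %s mode ipip remote %s\n' "$tun" "$remote"
  printf 'ip link set dev %s up\n' "$tun"
  printf 'ip addr add %s peer %s dev %s\n' "$local_addr" "$peer" "$tun"
}

# Read iptables-save text on stdin. Every rule line (-A ...) that matches on
# "-i <phys>" is printed unchanged and then once more with "-i <tun>", so the
# same input policy applies to traffic arriving through the tunnel.
# Only input-interface matches (-i) are copied; -o rules are left alone.
# Review the copied rules afterwards: a remote-access tunnel is a new trust
# boundary and may deserve a stricter policy than the physical LAN side.
adapt_rules() {
  phys="$1"; tun="$2"
  awk -v phys="$phys" -v tun="$tun" '
    {
      print
      if ($1 != "-A") next
      hit = 0
      for (i = 1; i < NF; i++)
        if ($i == "-i" && $(i + 1) == phys) { $(i + 1) = tun; hit = 1 }
      if (hit) print
    }'
}

# Typical use on the firewall host (commented out so the script has no side effects):
#   tunnel_cmds vpn0 2.2.2.2 172.16.0.1 172.16.0.2 | sh
#   iptables-save | adapt_rules eth1 vpn0 | iptables-restore
```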