[Top] [Prev] [Next] [Bottom]

Using IP Tunnels

This documents describes the IP Tunnel feature, which is part of OpenROUTE Networks Virtual Private Network (VPN) software.

Introducing IP Tunnels

Virtual Private Networks (VPNs) securely connect sites over a public network, such as the Internet. VPNs provide data encryption to guarantee the privacy of information while it passes over the public network. They also provide authentication to make sure traffic is not forged or tampered with.

With VPNs, remote offices, telecommuters, and travelling employees can connect to corporate networks over the public Internet at a greatly reduced cost over private, point-to-point leased lines, long-distance dialup connections, or Frame Relay connections.

The OpenROUTE Networks VPN implementation uses IP Tunnels to transport data and SKIP (Simple Key-Management for Internet Protocols) to secure the data. This document describes IP Tunnels.

Using SKIP explains how SKIP works, how to set up SKIP, and defines the SKIP commands.
Using IP Tunnels With SKIP gives examples of how to assemble several types of VPNs using IP Tunnels and SKIP.
Using VPNs With NAT gives examples of how to set up VPNs using IP Tunnels with SKIP when Network Address Translation (NAT) is also running.

Terminology

This document uses the following terminology.

payload

The original IP packet being sent using the IP Tunnel.

tunnel endpoint

The router, PC, or server that processes IP packets before sending them into the tunnel or after receiving them from the tunnel.

payload	The original IP packet being sent using the IP Tunnel.
tunnel endpoint	The router, PC, or server that processes IP packets before sending them into the tunnel or after receiving them from the tunnel.

Figure 1 shows an IP Tunnel configuration that has three tunnel endpoints. The tunnel endpoints encapsulate IP data in an IP header before sending the data through the tunnel. When a tunnel endpoint receives traffic from the tunnel, it removes the IP header before forwarding the packet.

Figure 1 Simple IP Tunnel Configuration

IP Tunnel Features and Benefits

IP Tunnels have several major features and benefits:

IP tunnels work with SKIP encryption to let you securely send business data over the public Internet without that data being visible. Using the public Internet for business data can result in a great cost savings. For example, a remote user who needs to connect to a central site can securely connect to that site by placing a local call to their nearest Internet Service Provider (ISP).
The tunnel can join two networks that use unregistered IP addresses over a public IP network. This feature saves you the time and expense of allocating registered IP addresses.
If you are running SKIP with your IP tunnel, you can increase the speed of sending your data over the Internet by compressing your data using the STAC-LZS algorithm. See set compression.
The tunnel topology is equivalent to a single point-to-point link between the tunnel endpoints, independent of the actual number of hops within the tunnel. Routing protocols can run across the tunnel without knowing the topology of the public network that carries the tunnel.
The tunnel transparently performs special processing, such as IP security.
If the router cannot reach the remote tunnel endpoint, the tunnel software notifies the local network.
The tunnel dynamically determines the MTU (maximum transfer unit) size using MTU discovery. MTU discovery lets the tunnel determine if a packet needs to be fragmented before it sends the packet, ensuring that the tunnel does not encapsulate fragments unnecessarily.

RFCs Supported

The OpenROUTE Networks implementation of IP Tunnels complies with the following RFCs:

RFC 1191, Path MTU Discovery.
RFC 2003, IP Encapsulation in IP.

How IP Tunnels Work

The IP Tunnel is an interface in the router that accepts the following types of data:

IP
SKIP (Simple Key-Management for Internet Protocols)

IP Tunnels encapsulate IP frames within another IP frame. In the outer frame, the tunnel adds an IP header that addresses the frame to the remote tunnel endpoint. The tunnel then uses normal IP routing to send the entire frame to the remote tunnel endpoint.

When the remote tunnel endpoint receives the IP frame, it strips the outer IP header and forwards the frame to the local network.

The tunnel does not add a header to SKIP packets because SKIP covers the outer IP header with an authentication signature.

IP Addressing

There are four types of IP addresses associated with IP Tunnels, interface, source, destination, and payload.

Tunnel source and destination addresses are usually symmetric. My source address is usually your destination address and vice versa. However, this is not required. The router can use any of its publicly reachable interface addresses as the destination address of tunnels that end at that router. The source address that the router uses to send packets into the tunnel may or may not be the same as that destination address.

The following sections describe each type of IP tunnel address.

Interface Addresses

For each remote tunnel endpoint, you add a tunnel interface on the router and assign an IP address to the interface using the IP configuration. Typically, tunnel interfaces use unnumbered IP addresses. Tunnel interfaces can use numbered IP addresses, but you must assign addresses from the same subnet at each end of the tunnel, the same way you would on a point-to-point link.

IP Addressing on Interfaces That Connect to a SunScreen SKIP for Windows Client

If the tunnel interface connects to a remote SunScreen SKIP for Windows client, and the router does not know the client's IP address, you can set up the router to dynamically assign the client's IP address to the tunnel interface. This feature is a variation of dynamic IP addressing used with PPP. With SKIP, the tunnel interface is assigned the address of the remote SKIP client, causing the router to send packets to that client over the tunnel rather than sending those packets over the Internet.

Note: This feature is only supported if the local SKIP router is also the gateway to the Internet. This restriction is required because SunScreen SKIP for Windows uses the same IP address on the tunnel endpoint and the end system. A combined VPN and Internet gateway router can address this ambiguity, but two routers that are separate VPN and Internet gateways cannot resolve it. You would have to use different routers to send data to the remote client depending on whether SKIP already processed the data in the packet. Standard IP routing tables cannot address this ambiguity.

You select dynamic assignment of the remote SKIP client's IP address to a tunnel interface when you add an address for that interface. To do so, enter an address of 0.0.0.n where n is the interface number. For example, if interface 4 is an IP tunnel with SKIP enabled, enter

IP config>ADD ADDRESS
Which net is this address for [0]? 4
New address [0.0.0.0]? 0.0.0.4
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): YES

Answering Yes instructs the router to automatically learn the address of the SKIP client. You do not have to enter routing table entries.

The router assigns a network mask to the address. The mask distinguishes this type of dynamically assigned address, where the interface assumes the address of the peer, from a PPP-style assignment, where the peer assigns an address. You can display the mask using the list address command at the IP Config> prompt.

IP config>LIST ADDRESS

IP addresses for each interface:
intf 0 192.168.4.31 255.255.255.0 IP address is: Numbered
intf 1 192.168.220.1 255.255.255.252 IP address is: Numbered
intf 2 192.168.220.5 255.255.255.252 IP address is: Numbered
intf 3 0.0.0.3 255.255.255.0 IP address is: Dynamic
intf 4 0.0.0.4 255.255.255.0 IP address is: Dynamic
intf 5 0.0.0.5 255.255.255.255 IP address is: Dynamic
intf 6 0.0.0.6 255.255.255.255 IP address is: Dynamic

Interfaces 3 and 4 are PPP interfaces with dynamically assigned addresses. Interfaces 5 and 6 are configured for single SKIP PC clients. Both types of addresses are dynamic.

When you enter list interface at the + prompt, the software displays the actual IP address that was dynamically assigned to the SKIP interface.

If you change an address on IP Tunnel interfaces to an unnumbered or dynamically assigned format of 0.0.0.n, the router asks if the remote peer is a single user SKIP PC. If you answer Yes, the router sets the mask to 255.255.255.255.

IP config>CHANGE ADDRESS 192.168.220.123
New address [192.168.220.123]? 0.0.0.6
Is this interface a tunnel to a single SKIP PC or workstation? [Yes]: yes

Source Address

All packets that go through a tunnel must have a source address that is valid on the public Internet. The router never uses an unnumbered or private IP address (like 10.x.x.x) as the tunnel source address. You can manually set a source address for each tunnel, but you do not normally need to do so. The router uses automatic source address selection to guarantee that tunnels always have a valid public address.

Note: For automatic source address selection to work, you must assign at least one valid IP address to the router. Automatic source address selection works as follows:

1. The router checks the IP address of the physical device that sends packets to the remote tunnel endpoint. If the address is

valid, the router uses the address as the tunnel source address.
unnumbered, the router proceeds to step 2.

2. The router checks the router ID. If the router ID is

defined, the router uses the address as the tunnel source address. (To define the router ID, enter set router-id at the IP config> prompt.)
not defined, the router proceeds to step 3.

3. The router searches its interfaces from lowest to highest to find a numbered interface. The router uses the first valid IP address it finds as the tunnel source address.

Because the router can use different physical devices to send data to different tunnel endpoints, the source address can vary from one tunnel to another.

You can override automatic source address selection by explicitly setting a source IP address for a tunnel. See set source-address. OpenROUTE Networks recommends that you not manually set a source address for an IP Tunnel when you are also using NAT on the physical interface. See Source Address Considerations.

Destination Address

For each remote tunnel destination, you add a tunnel interface and assign a destination address to the interface. There are different ways to assign the destination. You can use a name for the remote destination, which the tunnel maps to an IP address, or you can use the IP address of the remote destination.

When the router receives a packet from a remote tunnel endpoint, the router searches its destination addresses to find the tunnel whose destination matches the arriving packet's source address.

If it finds a match, it passes the packet to that IP Tunnel.
If it does not find a match, it passes the packet to upper layers of the IP protocol stack, such as SKIP. SKIP may be able to use information in the SKIP header to determine the identity of the packet source. See Identifying the Packet Source.

For example, in Figure 2, when the IP Tunnel on Router A sends a packet to Router B, the source address of the packet is 128.185.20.10. When Router B receives the packet, it searches its destination addresses for 128.185.20.10. It finds a match, and sends the packet to the correct IP Tunnel interface.

Figure 2 IP Tunnel Addresses

Payload Address

The tunnel encapsulates IP packets within another IP packet. The inner IP packets have a destination address called the payload address. The payload address is the address of the final destination on a network (probably the LAN) that is behind the remote tunnel endpoint.

Unreachable Networks

If a tunnel sends a packet and the packet is returned with an ICMP unreachable error, the router marks the remote tunnel endpoint as unreachable and marks the tunnel interface as Down.

Once the router marks a remote endpoint as unreachable, the tunnel refuses connection requests to that remote endpoint. However, when the tunnel receives those connection requests, the tunnel sends a packet to the UDP Discard port on the remote endpoint. These packets let the tunnel find out when the remote endpoint becomes reachable. When the remote endpoint becomes reachable, the router marks the tunnel interface as Up.

Marking interfaces as Up or Down lets the tunnel work with WAN Reroute. It also allows IP to return ICMP unreachable messages back to workstations that are attempting to send data through a tunnel that is Down.

MTU Discovery

To ensure that encapsulated packets are not fragmented unnecessarily, the router uses MTU discovery to determine the MTU size of packets in the tunnel. IP fragments packets accordingly before sending packets into the tunnel.

IP Tunnels require a single MTU size across all remote destinations. This single size must be the smallest MTU required across all remote destinations. Using a minimum value assures that no traffic is fragmented between the local router and any remote destination. Thus, the MTU that IP tunnels use is the minimum value determined for each remote destination. The router discovers each remote endpoint's MTU in one of two ways:

Dynamically using MTU discovery. ICMP messages the router receives back from the tunnel define the actual MTU that is achievable along the tunnel's path.
Statically using a configured MTU value.

The tunnel uses the smallest MTU of all tunnel endpoints, whether it is an MTU that you set or an MTU derived from MTU discovery.

By default, MTU discovery is enabled, and OpenROUTE Networks recommends that you do not disable MTU discovery. If your tunnel runs over a PPP interface and you disable MTU discovery, make sure the Maximum Receive Unit (MRU) size in PPP is at least 100 bytes larger than the MTU of the tunnel. The default MRU size in PPP is 1500.

To avoid problems due to incorrect MTU/MRU sizes, OpenROUTE Networks recommends that you use the default settings.

Configuring IP Tunnels

To set up an IP Tunnel, you need to create a tunnel, configure IP on the tunnel, and set a remote destination for the tunnel. By default, IP Tunnel interfaces dial on demand. You can adjust the amount of time a tunnel remains idle before it disconnects, or you can set up the tunnel to always remain connected.

IP Tunnel parameters default to values that produce a functional tunnel with no other user intervention.

The next sections describe the tasks needed to set up a tunnel and then show how to display IP Tunnel prompts and enter IP Tunnel commands.

Creating a Tunnel

To create an IP tunnel, add a tunnel interface.

Config>add interface ip-tunnel

Adding IP Tunnel as interface 3.

Configuring IP

Each tunnel interface, like any other interface, must have an IP address. The tunnel can use an unnumbered IP address or addresses from a subnet shared between the two tunnel endpoint routers. See Interface Addresses.

The router must have at least one valid and visible IP address that the router uses as the destination address for all tunnels ending at the router. You can set this valid IP address on either a physical interface or as the router ID.

You can address these routing restrictions in one of the following ways:

Use static routes for routes through the tunnels. By using static routes, you can enable RIP to export the route to a local LAN that has a valid IP address. You must use the following command to prevent RIP from exporting those static routes across the WAN (presumably PPP) interface:
```
disable sending static-routes <WAN IP address>
```

If RIP is running in the router, you should set the following RIP settings:

disable sending default-routes <tunnel 1 IP address>

disable sending default-routes <tunnel 2 IP address>

.....

disable sending all-routes <WAN IP address>

These settings prevent the router from advertising its default route (to the Internet) to the other VPN routers that are attached via the tunnels. The last disable command prevents the router from sending routes to 10.x.x.x networks to the Internet.

Note: Disabling sending all routes means a router with a globally valid IP subnet on its LAN interface does not export a route to that LAN. To solve this, use static routes through the tunnels.

Setting Remote Destinations

You can set a remote tunnel endpoint for each IP Tunnel interface using the set destination command.

Note: If you do not set a destination for an IP Tunnel interface, mobile remote PC users, who typically use a dynamic IP address that the ISP assigns and who are not logged in at the same time, can share the interface. The router assigns available tunnels on a first-come, first-served basis. To set a destination for an IP Tunnel interface,

1. Select the IP Tunnel to configure. Enter network followed by the tunnel's interface number.

Config> network 3
Circuit Config <NET-3>

2. Set the destination of the remote tunnel endpoint. Enter either a name defined in the IP Host Table, or enter the IP address of the router at the far end of the tunnel.

Circuit Config <NET-1> set destination
Assign destination address name []? 128.185.2.2

Setting up the Tunnel as Dial on Demand or Dedicated

By default, IP Tunnel interfaces dial on demand and disconnect if there is no traffic for 120 seconds. To adjust the time after which the tunnel connection idles out or to set up the tunnel to always remain connected, use the set idle command. Zero (0) causes the connection to remain established indefinitely.

Circuit Config <NET-5> set idle
Idle timer (seconds, 0 means always active) [120]?

Entering IP Tunnel Commands

The router has one IP Tunnel configuration regardless of the number of interfaces the router has or how many remote endpoints the tunnel connects.

For most IP Tunnel parameters, you can either set the parameter for all remote endpoints or you can set it for a specific endpoint. You specify the endpoint by including the endpoint name in configuration commands. Here's how it works:

To set a parameter for a specific endpoint, add a name for that endpoint using the add remote command.

IP Tunnel Config <NET-3> add remote
New remote destination name? roadwarrior

Then, to set a parameter that applies just to roadwarrior, include the name roadwarrior in the command.

IP Tunnel Config <NET-3> set mtu roadwarrior
Maximum Packet Size? [1500]? 1518

To set a parameter that applies to all endpoints for which you have not specifically set a parameter, include the name default in the command.

IP Tunnel Config <NET-3> set mtu default
Maximum Packet Size? [1500]?

This command causes all IP Tunnels to use an MTU of 1500, except tunnels for which you specifically set a different value. For example, the tunnel that connects to roadwarrior uses an MTU of 1518.

IP Tunnel Prompts

IP Tunnel commands are available at the IP Tunnel Config <NET-#> prompt and the IP Tunnel <NET-#> prompt. This section explains the differences between these two prompts and shows how to display the prompts.

Configuration Prompt

At the IP Tunnel Config <NET-#> prompt, you can save changes you make to the tunnel configuration in the router's configuration memory. These changes do not take effect until you restart the router.

Display the IP Tunnel Config <NET-#> prompt as follows:

Config>NETWORK 5
Circuit Configuration
Circuit Config <NET-5> iptn
IP Tunnel Configuration
IP Tunnel Config <NET-5>

Monitoring Prompt

At the IP Tunnel <NET-#> prompt, changes that you make to the tunnel configuration take effect immediately. Unless you explicitly save changes using the save command, they are not saved when you restart the router.

Also, at the IP Tunnel <NET-#> prompt, you can set parameters only for endpoints that are currently reachable. If a remote endpoint is not accessible, it has no runtime configuration and the endpoint does not appear at this prompt.

Display the IP Tunnel <NET-#> prompt as follows:

+network 5 Circuit <NET-5> iptn
IP Tunnel
IP Tunnel <NET-5>

IP Tunnel Commands

This section describes the IP Tunnel commands. See Entering IP Tunnel Commands.

Press Space twice after you type a command to display the available parameters for each command. Enter help for information about using the command line interface.

[C] means the command is available at the IP Tunnel Config <NET-#> prompt.

[M] means the command is available at the IP Tunnel <NET-#> prompt.

See IP Tunnel Prompts.

The IP Tunnel also maintains a number of settings and statistics that you can display using the interface command at the + prompt. These statistics are the cumulative counters across all remote tunnel endpoints. Clear statistics using the clear command at the + prompt.

The following table describes the IP Tunnel commands.

Table 1 IP Tunnel Commands

Command Description

Add Remote [C] Adds remote endpoints that you can then configure individually.

Delete [C] Deletes a remote endpoint that you added.

Disable [C] [M] Disables dynamic MTU discovery.

Enable [C] [M] Enables MTU discovery.

Exit [C] [M] Returns to the previous prompt.

List [C] [M] Shows configuration information and statistics for remote tunnel endpoints.

Revert [M] Restores the saved configuration for the destination that you specify.

Save [M] Saves changes you make at the IP Tunnel <NET-#> prompt to permanent memory.

Set [C] [M] Sets various tunnel parameters.

Table 1 IP Tunnel Commands
Command	Description
Add Remote [C]	Adds remote endpoints that you can then configure individually.
Delete [C]	Deletes a remote endpoint that you added.
Disable [C] [M]	Disables dynamic MTU discovery.
Enable [C] [M]	Enables MTU discovery.
Exit [C] [M]	Returns to the previous prompt.
List [C] [M]	Shows configuration information and statistics for remote tunnel endpoints.
Revert [M]	Restores the saved configuration for the destination that you specify.
Save [M]	Saves changes you make at the `IP Tunnel <NET-#>` prompt to permanent memory.
Set [C] [M]	Sets various tunnel parameters.

Add Remote [C]

You need to add remote endpoints that you want to configure individually. When you add a destination, OpenROUTE asks you for a destination name. You can enter one of the following:

An IP address as the name, which causes the tunnel to use this IP address as the tunnel's destination.
A name that is in the IP Host Table, which causes the tunnel to use the IP address for that name as the tunnel's destination.
A name that is not in the IP Host Table. If you do so, you must specify the remote tunnel IP address with the IP tunnel set destination-address command.

Syntax: add remote

Example: add remote

New remote destination name?

Delete [C]

Deletes a remote endpoint that you added.

Syntax: delete remote name

Example: delete remote jimmy

Disable [C] [M]

Disables MTU discovery, the feature that dynamically sizes the Maximum Transfer Unit (MTU) of the tunnel. If you disable MTU discovery, you can define the MTU for this destination using the set mtu command.

By default, MTU discovery is enabled, and OpenROUTE Networks recommends that you do not disable MTU discovery. If you do disable MTU discovery, keep in mind the following:

The tunnel uses the smallest MTU of all tunnel endpoints, whether it is an MTU that you set or an MTU derived from MTU discovery.
If your tunnel runs over a PPP interface and you disable MTU discovery, make sure the Maximum Receive Unit (MRU) size in PPP is at least 100 bytes larger than the MTU of the tunnel. The default MRU size in PPP is 1500.

Again, to avoid problems due to incorrect MTU/MRU sizes, OpenROUTE Networks recommends that you use the default settings.

Syntax: disable mtu-discovery name

Example: disable mtu-discovery default

Enable [C] [M]

Enables MTU discovery, which dynamically sizes the MTU to use on the path to the specified destination. MTU discovery is enabled by default.

The router performs MTU discovery by setting the packet size of traffic it sends to this destination to an initial value and then waiting to see if data packets are lost because they had to be fragmented.

For the initial packet size, the tunnel uses 1500 bytes if bridging is disabled and 1518 bytes if bridging is enabled. The router reduces this initial size if the router receives packet fragmentation errors back from routers within the tunnel.

Note: The IP Tunnel processes data for all remote tunnel endpoints. The tunnel uses the smallest MTU of all tunnel endpoints, whether it is an MTU that you set or an MTU derived from MTU discovery. Syntax: enable mtu-discovery name

Example: enable mtu-discovery jimmy

Exit [C] [M]

Returns to the previous prompt.

Syntax: exit

Example: exit

Circuit Config <NET-1>

List [C] [M]

This section explains list commands available at the IP Tunnel configuration and monitoring prompts.

List [C]

Shows the configuration for default and for each remote endpoint that you added.

Syntax: list

Example: list

Name        Source       Destination   Packet  MTU       Disc    ICMP
            Address      Address       MTU     Disc    Interval  Timeout
 
DEFAULT     (automatic)  (none)       (auto)   ON      3600       5000
boston      (automatic)  (unknown)     1515    OFF     3600       5000
roadwarrior (automatic)  (unknown)    (auto)   ON      3600       5000

Maximum number of simultaneous tunnel users: 16

List [M]

Displays statistics and configuration parameters for endpoints that are currently reachable.

Syntax: list

counters
parameters

counters

Shows the current statistics, such as bytes and packets transmitted and received, for each reachable destination.

Example: list counters

Name Destination Input Input Output Output Packets
Address Packets Bytes Packets Bytes Too Big
rbx205-23 128.2.41.23 199 225620 499 208396 0

parameters

Displays the current configuration parameters for all reachable destinations.

Example: list parameters

Name Source Destination Packet MTU Disc ICMP
Address Address MTU Disc Interval Timeout

rbx205-23 128.2.55.21 10.2.41.23 ON 3600 2579 5000

Tunnel(s) maximum packet size: 1500

Revert [M]

If you make configuration changes at the IP Tunnel <NET-#> prompt, this command restores the saved configuration for the destination that you specify.

Syntax: revert

Example: revert

destination default

Save [M]

If you make changes at the IP Tunnel <NET-#> prompt, this command saves the changes for the destination you specify to permanent memory.

Syntax: save

Example: save

Set [C] [M]

Sets various tunnel parameters. To set a parameter for a specific remote tunnel endpoint, you first add the remote endpoint using the add remote command. You then include the remote destination name in the set command.

Syntax: set

destination-address
icmp-timeout
max-users
mtu
mtu-interval
source-address

destination-address

Sets the IP address of a remote tunnel endpoint that you added with the add remote command. Include the name of the remote endpoint following the command. In this example the remote endpoint is jimmy.

Example: set destination-address jimmy

IP Tunnel Destination Address? 50.10.10.2

icmp-timeout

Sets how long, in milliseconds, after the tunnel sends a test packet to this destination, that the tunnel waits for an ICMP unreachable packet.

If the tunnel does not receive an ICMP unreachable packet before this time elapses, the tunnel assumes the packet successfully arrived at the remote tunnel endpoint. The tunnel marks the remote endpoint as reachable and accepts the next connection request it receives for the destination.
If the tunnel receives an ICMP unreachable packet before this time elapses, the software marks the tunnel interface as down and denies connection requests for the destination.

The range is 100 to 120000 milliseconds. The default is 5000 milliseconds.

Example: set icmp-timeout default

ICMP Unreachable Timeout? [5000]?

max-users

Sets the maximum number of remote endpoints that the IP Tunnel software can process concurrently. The default is 16. The maximum value is limited by the number of interfaces you can configure in the router.

Example: set max-users

Maximum number of simultaneous tunnel users? [16]? 4

mtu

Sets the largest packet size that the tunnel can send to this destination without requiring fragmentation. The range is 576 to 4096, and the default MTU is 0 (zero). Zero causes the tunnel to use 1500 bytes if bridging is disabled and 1518 bytes if bridging is enabled.

You must disable MTU discovery for a destination before you use this command. However, MTU discovery is enabled as the default, and OpenROUTE Networks recommends that you do not disable MTU discovery. If you do disable MTU discovery, keep in mind the following:

The tunnel uses the smallest MTU of all tunnel endpoints, whether it is an MTU that you set or an MTU derived from MTU discovery.
If your tunnel runs over a PPP interface and you disable MTU discovery, make sure the Maximum Receive Unit (MRU) size in PPP is at least 100 bytes larger than the MTU of the tunnel. The default MRU size in PPP is 1500.

Again, to avoid problems due to incorrect MTU/MRU sizes, OpenROUTE Networks recommends that you use the default settings.

Example: set mtu default

Maximum Packet Size? [ ]?

mtu-interval

If MTU discovery is enabled, the tunnel periodically repeats MTU discovery because the path that tunneled packets take may change due to changes in the internet topology. This interval sets how often the router performs an MTU discovery for this destination. The range is 60 to 65535 seconds and the default is 3600 seconds.

Example: set mtu-interval default

MTU Discovery Interval? [3600]?

source-address

Sets the source IP address the tunnel uses for packets it sends to the specified destination. The default is 0.0.0.0, which causes the tunnel to use automatic source address selection described in Source Address. If you enter a different source address, you must enter an address configured on one of the router interfaces or enter the router ID. Further, you must use an IP address that is reachable and legal in the public Internet.

Note: If you are running NAT on a router that has an IP Tunnel with SKIP authentication, setting the source address has more restrictions. See Source Address Considerations. Example: set source-address default

IP Tunnel Source Address? [0.0.0.0]?

[Top] [Prev] [Next] [Bottom]

docs@openroute.com