10.8. Tunnel

You can find the Tunnel Settings at Interfaces → Assign → Tunnel.

Interface Configuration

Tunnels do not need an underlying interface. They are identified by their source IP Address, which must be defined in the system.

We support the following Tunnel modes:

  • GRE

  • SIT

GRE creates a Layer 3 Tunnel. GRETAP creates a Layer 2 Tunnel, which can be used to create a Layer 2 network between nodes (see Create New Bridge). Both can be secured with IPSec over GRE encryption (see GRE over IPSec for more).

10.8.1. Creating a new Tunnel

To create a new Tunnel go to Interfaces → Assign → Tunnel and click Add.

Select a tunnel mode under Mode (for example: GRE).

The Assign to new Interface option will automatically create a new Interface (INTx) based on your new Tunnel if activated. Alternatively you can manually add your Tunnel to a specific Interface as described in Assign Interfaces.

New Tunnel New Tunnel Interface

Specific Firewall Rules for the Tunnel Interface can be configured as described in Firewall Rules (Forward and Input).

10.8.2. Interface Tunnel Settings

The Interface Tunnel configuration can be found in the left sidebar under INTx (or the name that you manually assigned to the Tunnel Interface).

Interface Tunnel Settings

A tunnel always has an outer IP Type and an inner IP Type. The outer IP Type is IPv4 or IPv6; depending on the tunnel type, there is no choice. This sets the sender and destination of the Tunnel to an IPv4 or IPv6 Address.

Local Public IP Address is the sender IP Address. It is an Interface or Virtual IP Address of VT AIR.

Remote Public IP Address is the destination IP Address of the remote endpoint.

Tunnel Address Version is IPv4 or IPv6, depending on the Tunnel Type, and represents the inner IP Type.

Local Tunnel IP Address is the local tunnel IP Address and the corresponding subnet mask. Make sure that the remote endpoint has a different IP Address in the same subnet.

GRE Keepalive enables the GRE Keepalive Feature for IPv4 that can be further configured below.

GRE Responder Only only answers the packets sent by the remote Tunnel endpoint device and does not have any influence on the tunnel status. The tunnel is always considered to be up in VT AIR. Disable this option to also actively send GRE Keepalive Packets and set the interface to down if no response is received.

GRE Interval is the interval at which GRE keepalive packets are sent to the remote address.

GRE Retries is the number of retries before the Tunnel is set to down when no GRE keepalive is answered.

Grekeepalive Backup If multiple GRE Tunnel Interfaces are configured, one of them can act as a backup in case the other one goes down. Both Tunnel Interfaces need an activated GRE Keepalive Feature for this to work. The second Tunnel Interface is then added as a backup in the settings of the primary Tunnel Interface.

GRE Keepalive Configuration

10.8.3. GRE with Failover

If you are using the High Availability feature of your VT AIR device you should configure your GRE tunnel in a way that works seamlessly when switching between routers. For this to work you should choose the virtual IP that you configured when setting up your High Availability feature as the Local Public IP. This ensures that the IP doesn’t change when switching routers (as described in Setup Examples).

If you have multiple WAN connections, you can additionally configure a second GRE tunnel via another Interface: create a second virtual IP address for the second WAN Interface and set the second tunnel as a backup. To do so, use the Grekeepalive Backup feature of your first GRE tunnel as described above.

GRE Failover Configuration
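The keepalive settings from 10.8.2 and the backup arrangement above can be modelled to see when a dead peer is actually noticed. This is an added example, not VT AIR code: the class, field and tunnel names are hypothetical, the reply sequences are constructed, and it assumes a tunnel goes down once GRE Retries consecutive keepalives go unanswered and that a single reply clears the counter.

```python
from dataclasses import dataclass

@dataclass
class GreTunnel:
    """Model of one tunnel's keepalive settings (field names are hypothetical)."""
    name: str
    keepalive: bool = True        # GRE Keepalive
    responder_only: bool = False  # GRE Responder Only
    retries: int = 3              # GRE Retries
    missed: int = 0
    up: bool = True

    def tick(self, reply_received: bool) -> bool:
        """Advance one GRE Interval and return the resulting link state."""
        if not self.keepalive or self.responder_only:
            # No active probing: the tunnel is always considered up.
            self.up = True
        else:
            # Assumption: one answered keepalive clears the miss counter.
            self.missed = 0 if reply_received else self.missed + 1
            self.up = self.missed < self.retries
        return self.up

def active_tunnel(primary: GreTunnel, backup: GreTunnel):
    """Tunnel carrying traffic; the backup needs keepalive on both tunnels."""
    if primary.up:
        return primary.name
    if primary.keepalive and backup.keepalive and backup.up:
        return backup.name
    return None

def simulate(primary, backup, primary_replies, backup_replies):
    """Replay per-interval reply observations; return the active tunnel each time."""
    history = []
    for p_ok, b_ok in zip(primary_replies, backup_replies):
        primary.tick(p_ok)
        backup.tick(b_ok)
        history.append(active_tunnel(primary, backup))
    return history

# Constructed sample: the primary peer stops answering after the second interval.
PRIMARY_REPLIES = [True, True, False, False, False, False]
BACKUP_REPLIES = [True] * 6

def run(responder_only: bool):
    """Run the sample with the primary tunnel in or out of Responder Only mode."""
    wan1 = GreTunnel("gre_wan1", responder_only=responder_only, retries=3)
    wan2 = GreTunnel("gre_wan2", retries=3)
    return simulate(wan1, wan2, PRIMARY_REPLIES, BACKUP_REPLIES)
```

With active probing the model switches to the backup on the third missed keepalive; with GRE Responder Only on the primary it never switches, because the dead peer is never detected.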