Skip to main content

One post tagged with "Open Networking"

View All Tags

Step-by-Step Guide For Linux L3VPN Using GRE/MPLS

· 8 min read
Ali Aqrabawi
Network Engineer

Introduction

A Layer 3 Virtual Private Network (L3VPN) allows multiple sites to communicate over a shared IP network as if they were directly connected. In this blog we will go through the configuration of L3VPN on Linux by using:

  • Network Namespace (NETNS) to create isolated VPNs on the linux router.
  • Multiprotocol Label Switching (MPLS) to label traffic with the respective VPN identifiers.
  • Generic Routing Encapsulation (GRE) to create virtual point-to-point tunnels between sites.

By combining MPLS and GRE, you can establish a robust L3VPN. MPLS labels the traffic to ensure it is routed to the correct VPN, while GRE tunnels encapsulate the VPN traffic, allowing it to traverse the underlying IP network securely. This approach leverages the scalability of MPLS and the flexibility of GRE to create an effective L3VPN solution.

Use Case Overview

In this use case, we aim to connect two geographically dispersed sites, each with multiple VPNs, over a shared IP network using Linux L3VPN with GRE and MPLS.

Scenario

  • Sites: Two sites, edge router DENT-1 and DENT-2, each with two VPNs.
  • VPNs: VPN1 and VPN2 on both DENT-1 and DENT-2.
  • Network: An IP network connects DENT-1 and DENT-2.
  • Hosts: Each site has two hosts each host in different VPN, PC1 and PC3 in VPN1, PC2 and PC4 in VPN2.
  • MPLS Labels: The labeling schema in this example will be 100[X][Y], where X represents the site number (1 for DENT-1, 2 for DENT-2), and Y represents the VPN ID (1 vpn1, 2 vpn2). e.g. label 10021 corresponds to DENT-2/vpn1.

Topology

topology1

Requirements

Make sure you have the following Linux modules installed:

root@dent-1:~# lsmod
Module Size Used by
ip_gre 32768 0
gre 16384 1 ip_gre
mpls_iptunnel 16384 1
mpls_router 40960 1 mpls_iptunnel
mpls_gso 16384 0
vrf 36864 0

Configuration Steps

DENT-1 configuration:

  • Create two netns, VPN1 and VPN2.
  • To allow routing from VPN1 and VPN2 to global netns we need to create two VETHs, veth1 with virtual_peer veth1_vpn1 for VPN1->global traffic flow, and veth2 with virtual_peer veth2_vpn2 for VPN2->global traffic flow.
  • Add route for prefix 192.168.2.0/24 in VPN1 to global netns using nexthop veth1_vpn1 with via address of veth1.
  • Add route for prefix 192.168.2.0/24 in VPN2 to global netns using nexthop veth2_vpn2 with via address of veth2.
  • Create two VRFs, VRF1 with table 10011, and VRF2 with table 10012. Each VRF table will have the respective routes for each VPN.
  • Add ip rule for iif veth1 to table 10011, to lookup the VRF1 table for any traffic coming from VPN1 to global VRF.
  • Add ip rule for iif veth2 to table 10012, to lookup the VRF2 table for any traffic coming from VPN2 to global VRF.
  • Create GRE interface GRE1 with source 1.1.1.1 and destination 1.1.1.2.
  • Add the route toward 192.168.2.0/24 in both VRFs tables to encapsulate the traffic with the mpls labels and to send the traffic inside the GRE tunnel,
    • VPN1 will encapsulate the traffic from DENt-1 to DENT-2 with label 10021.
    • VPN2 will encapsulate the traffic from DENt-1 to DENT-2 with label 10022.
  • For return traffic we will add mpls route in the global netns to pop the label and send the traffic to the right netns according to the incoming label(via veths address).
  • Lastly enable mpls for gre1 interface:
    sysctl -w net.mpls.platform_labels=100000
    sysctl -w net.mpls.conf.enp0s4.input=1

DENT-2 Configuration will be the same, but with reversed labeling.

Example Configuration

# Create network namespaces
netnses-iproute2
netns vpn1
netns vpn2
!
# Create VRFs
links-iproute2
vrf vrf2
vrf-info table 10012
vrf vrf1
vrf-info table 10011
# Create VETH pairs
link veth1
admin-status up
ip 1.11.11.2/24
type iproute2-ip-link:veth
virtual_peer_name veth1_vpn1
link veth1_vpn1
admin-status up
netns vpn1
ip 1.11.11.1/24
link veth2
admin-status up
ip 2.22.22.2/24
type iproute2-ip-link:veth
virtual_peer_name veth2_vpn2
link veth2_vpn2
admin-status up
netns vpn2
ip 2.22.22.1/24
# Configure physical interfaces and assign them to namespaces
link enp0s4
admin-status up
ip 1.1.1.1/24
link enp0s5
admin-status up
netns vpn1
ip 192.168.1.100/24
link enp0s6
admin-status up
netns vpn2
ip 192.168.1.100/24
# Create GRE tunnel
gre gre1
admin-status up
tunnel-info local 1.1.1.1
tunnel-info remote 1.1.1.2
!
# Add routes to leak VPN routes to the global namespace
routes-iproute2
route 192.168.2.0/24 netns vpn1
nexthop veth1_vpn1
via address 1.11.11.2
route 192.168.2.0/24 netns vpn2
nexthop veth2_vpn2
via address 2.22.22.2
# Add GRE routes in VRF tables for outgoing traffic
route 192.168.2.0/24 table 10011
nexthop gre1
encap mpls-encap label 10021
route 192.168.2.0/24 table 10012
nexthop gre1
encap mpls-encap label 10022
# Add MPLS routes for incoming traffic to correct VPNs
mpls-route 10011
dev veth1
via 1.11.11.2
mpls-route 10012
dev veth2
via 2.22.22.2
!
# Create IP rules to use VRF tables for traffic
rules-iproute2
rule 1000
iif veth1
action table 10011
rule 1001
iif veth2
action table 10012

Verify

  • Pinging from PC1 to PC2 is now working though the mpls/gre tunnel: capture

  • Looking at the icmp request send from PC1 we can see it's labeled with 10021 (DENT-2 vpn1 label), and encapsulated inside the gre1 tunnel: request

  • Same for incoming icmp response from PC2 we can see DENT-1's vpn1 label. response

Conclusion

This guide shows how to configure an L3VPN using GRE and MPLS on a Linux router, providing a scalable and flexible solution for routing VPN traffic. However, GRE tunnels lack inherent security. For a more secure approach, consider using IPsec with VTI, which offers encryption and authentication to protect your data.

For more details on Linux network configuration, see our Linux Networking Guide.