VPNs like IPsec and WireGuard provide encryption. But sometimes you don’t need encryption — just encapsulation. Connect two private networks over public internet without the complexity of key management.
GRE, IPIP, and SIT are simple tunneling protocols. They wrap packets inside other packets. No encryption, minimal overhead, easy to set up. Use them when encapsulation is enough and encryption is handled elsewhere (or not needed).
Simple tunnels solve simple problems.
Tunnel Types
| Type | Full Name | Encapsulates | Overhead |
|---|---|---|---|
| GRE | Generic Routing Encapsulation | Any protocol | 24 bytes |
| IPIP | IP-in-IP | IPv4 only | 20 bytes |
| SIT | Simple Internet Transition | IPv6 in IPv4 | 20 bytes |
When to Use Each
- GRE: Most flexible, multicast support, routing protocols
- IPIP: Minimal overhead, IPv4 only
- SIT: IPv6 tunneling over IPv4

GRE Tunnel Configuration
Basic GRE Tunnel
```
configure

# Create GRE tunnel
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 address 10.255.0.1/30

commit
```

Both Ends Must Match
```
# Site A (203.0.113.1)
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 address 10.255.0.1/30

# Site B (198.51.100.1)
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 198.51.100.1
set interfaces tunnel tun0 remote 203.0.113.1
set interfaces tunnel tun0 address 10.255.0.2/30
```

GRE with Key
A GRE key identifies the tunnel (useful when multiple tunnels go to the same endpoint):
```
configure

# Add GRE key
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 parameters ip key 12345
set interfaces tunnel tun0 address 10.255.0.1/30

commit

# Both ends must use same key
```

GRE Keepalives
Detect tunnel failure:
```
configure

# Enable keepalives
set interfaces tunnel tun0 parameters ip keepalive interval 10
set interfaces tunnel tun0 parameters ip keepalive failure-count 3

# Tunnel goes down after 30 seconds of no response

commit
```

IPIP Tunnel Configuration
Minimal overhead for IPv4-only:
```
configure

# Create IPIP tunnel
set interfaces tunnel tun0 encapsulation ipip
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 address 10.255.0.1/30

commit
```

IPIP vs GRE
- IPIP: 20 bytes overhead, IPv4 only, no multicast
- GRE: 24 bytes overhead, any protocol, multicast support

Use IPIP when:
- Only IPv4 needed
- Minimal overhead matters
- No routing protocols over tunnel

Use GRE when:
- Need multicast (OSPF, etc.)
- Need IPv6 over tunnel
- Need GRE key for identification

SIT Tunnel Configuration
IPv6 over IPv4 tunneling:
```
configure

# Create SIT tunnel (6in4)
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 address 2001:db8::1/64

commit
```

6in4 Tunnel Example
```
# Site B: IPv4 198.51.100.1, wants IPv6 2001:db8:b::/48
# Tunnel addresses: 2001:db8:ffff::1/126 and ::2

# Site A
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 address 2001:db8:ffff::1/126

set protocols static route6 2001:db8:b::/48 interface tun0

# Site B
set interfaces tunnel tun0 encapsulation sit
set interfaces tunnel tun0 source-address 198.51.100.1
set interfaces tunnel tun0 remote 203.0.113.1
set interfaces tunnel tun0 address 2001:db8:ffff::2/126

set protocols static route6 2001:db8:a::/48 interface tun0
```

MTU Considerations
Calculate Tunnel MTU
- Outer IP header: 20 bytes
- GRE header: 4 bytes (8 with key/seq)
- Inner packet: MTU - overhead

Standard Ethernet (1500):
- GRE: 1500 - 24 = 1476 MTU
- IPIP: 1500 - 20 = 1480 MTU
- SIT: 1500 - 20 = 1480 MTU

Set Tunnel MTU
```
configure

# Set MTU on tunnel interface
set interfaces tunnel tun0 mtu 1476

# Important: Prevents fragmentation issues

commit
```

MSS Clamping
```
# Clamp TCP MSS for traffic over tunnel
set firewall options interface tun0 adjust-mss 1436

# MSS = MTU - 40 (IP + TCP headers)
```

Routing Over Tunnels
Static Routes
```
configure

# Route remote network via tunnel
set protocols static route 10.2.0.0/16 interface tun0

commit
```

Dynamic Routing
```
configure

# OSPF over GRE (GRE supports multicast)
set protocols ospf interface tun0 area 0

# For IPIP (no multicast), use unicast neighbors
set protocols ospf interface tun0 area 0
set protocols ospf neighbor 10.255.0.2 # Explicit neighbor

commit
```

GRE over IPsec
GRE for routing + IPsec for encryption:
```
configure

# IPsec tunnel first
set vpn ipsec interface eth0
set vpn ipsec esp-group ESP-GRE proposal 1 encryption aes256
set vpn ipsec esp-group ESP-GRE proposal 1 hash sha256
set vpn ipsec ike-group IKE-GRE proposal 1 encryption aes256
set vpn ipsec ike-group IKE-GRE proposal 1 hash sha256

set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret "secret"
set vpn ipsec site-to-site peer 198.51.100.1 ike-group IKE-GRE
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 esp-group ESP-GRE
set vpn ipsec site-to-site peer 198.51.100.1 tunnel 1 protocol gre

# GRE inside IPsec
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 source-address 203.0.113.1
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 address 10.255.0.1/30

commit
```

Troubleshooting Tunnels
Tunnel Not Coming Up
```
# Check interface status
show interfaces tunnel

# Verify source address is local
ip addr show | grep 203.0.113.1

# Check remote reachability (outer IP)
ping 198.51.100.1

# Check firewall allows GRE/IPIP
# GRE: Protocol 47
# IPIP: Protocol 4
```

Traffic Not Flowing
```
# Check routing
show ip route

# Verify routes via tunnel
show ip route 10.2.0.0/16

# Test tunnel connectivity
ping 10.255.0.2 # Tunnel endpoint

# Check MTU
ping -s 1400 -M do 10.255.0.2 # Large packet with DF
```

Capture Tunnel Traffic
```
# Capture on physical interface (encapsulated)
sudo tcpdump -i eth0 proto gre
sudo tcpdump -i eth0 proto 4 # IPIP

# Capture on tunnel interface (inner packets)
sudo tcpdump -i tun0
```

Security Considerations
GRE/IPIP Have No Encryption
Traffic visible to anyone on path:
- Inner IP addresses
- Protocol information
- Payload content
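The visibility described above, shown on a constructed packet. This is an added example, not code from the original article: it builds a sample GRE packet between the page's two endpoints (the inner addresses 10.1.0.5 and 10.2.0.9 and the payload are made up) and parses it the way any on-path capture would. It also reports the encapsulation overhead, which grows from 24 to 28 bytes once a GRE key is present.

```python
import ipaddress
import struct

GRE_PROTO = 47  # IP protocol number for GRE ("Protocol 47" on this page)

def ipv4_header(src, dst, proto, payload_len):
    # Minimal 20-byte IPv4 header; checksum left at 0 because this is sample data.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_gre_packet(outer_src, outer_dst, inner_src, inner_dst, data, key=None):
    # Constructed sample: IPv4 / GRE / IPv4 / bytes standing in for a TCP segment.
    inner = ipv4_header(inner_src, inner_dst, 6, len(data)) + data
    gre = struct.pack("!HH", 0x2000 if key is not None else 0, 0x0800)
    if key is not None:
        gre += struct.pack("!I", key)
    return ipv4_header(outer_src, outer_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def parse_gre_packet(pkt):
    # Everything returned here is read straight from cleartext bytes on the wire.
    outer_len = (pkt[0] & 0x0F) * 4
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack_from("!HH", pkt, outer_len)
    if ptype != 0x0800:
        raise ValueError("inner protocol is not IPv4")
    off = outer_len + 4            # base GRE header is 4 bytes
    if flags & 0x8000:             # C bit: checksum + reserved word
        off += 4
    key = None
    if flags & 0x2000:             # K bit: 32-bit key
        (key,) = struct.unpack_from("!I", pkt, off)
        off += 4
    if flags & 0x1000:             # S bit: sequence number
        off += 4
    inner = pkt[off:]
    inner_len = (inner[0] & 0x0F) * 4
    return {
        "outer_src": str(ipaddress.IPv4Address(pkt[12:16])),
        "gre_key": key,
        "inner_src": str(ipaddress.IPv4Address(inner[12:16])),
        "inner_dst": str(ipaddress.IPv4Address(inner[16:20])),
        "inner_proto": inner[9],
        "payload": inner[inner_len:],
        "overhead": off,           # outer IP header + GRE header
    }

if __name__ == "__main__":
    sample = build_gre_packet("203.0.113.1", "198.51.100.1", "10.1.0.5", "10.2.0.9",
                              b"user=alice", key=12345)
    info = parse_gre_packet(sample)
    print(info, "tunnel MTU on 1500-byte Ethernet:", 1500 - info["overhead"])
```
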
For sensitive data:
- Use GRE over IPsec
- Use WireGuard/IPsec instead
- Encrypt at application layer

Firewall GRE at Ingress
```
# Only allow GRE from known peer
set firewall ipv4 name WAN-IN rule 100 action accept
set firewall ipv4 name WAN-IN rule 100 protocol gre
set firewall ipv4 name WAN-IN rule 100 source address 198.51.100.1

set firewall ipv4 name WAN-IN rule 999 action drop
```

Multiple Tunnels
To Same Remote
```
# Use GRE key to distinguish
set interfaces tunnel tun0 encapsulation gre
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun0 parameters ip key 1
set interfaces tunnel tun0 address 10.255.0.1/30

set interfaces tunnel tun1 encapsulation gre
set interfaces tunnel tun1 remote 198.51.100.1
set interfaces tunnel tun1 parameters ip key 2
set interfaces tunnel tun1 address 10.255.1.1/30
```

To Different Remotes
```
# Different tunnel interfaces
set interfaces tunnel tun0 remote 198.51.100.1
set interfaces tunnel tun1 remote 198.51.100.2
set interfaces tunnel tun2 remote 198.51.100.3
```

The Lesson
Simple tunnels solve simple problems.
Use GRE/IPIP/SIT when:
- Encapsulation is enough (no encryption needed)
- Running routing protocols over tunnel (GRE)
- IPv6 over IPv4 infrastructure (SIT)
- Minimal overhead matters (IPIP)
- Already have encryption elsewhere
Don’t use when:
- Data is sensitive (use IPsec/WireGuard)
- Through untrusted networks without encryption
- Need advanced features (VPN, multi-homing)
These protocols are old but not obsolete. They’re tools in the toolkit. Know when to use them and when to reach for something more capable.
Simple problems deserve simple solutions.