
Tuesday, 15 March 2016

GRE tunnel between two F5 LTMs

This blog entry is about creating a GRE tunnel between two F5 LTM units. The lab environment in which the setup was created used virtual editions of F5 LTM.

The topology used in the lab is shown in Diagram_1. The R1 device in the diagram is a router.



Diagram_1 - GRE topology


As an end result, PC1 and PC2 should be able to communicate through the GRE tunnel.

The configuration process consisted of several steps:
1. Adding VLANs to the F5 units (vmnet3, vmnet4 to BIGIP1 ; vmnet2, vmnet5 to BIGIP2)

2. Creating self IPs on the added VLANs (vmnet3-172.16.75.10, vmnet4-172.16.1.10 on BIGIP1 ; vmnet2-192.168.229.10, vmnet5-192.168.1.10 on BIGIP2)

3. Creating a forwarding VIP named "vip_for_gre" on BIGIP1 and BIGIP2 with an IP set (BIGIP1 - 172.16.15.15, enabled on vmnet3 ; BIGIP2 - 192.168.15.15, enabled on vmnet2)

4. Creating a GRE tunnel named "tunnel_gre" on BIGIP1 and BIGIP2 (the IP addresses set on "vip_for_gre" were used as the local/remote addresses for the tunnel)

5. Creating self IPs on "tunnel_gre" (10.1.1.1 on BIGIP1 ; 10.1.1.2 on BIGIP2)

6. Creating a forwarding VIP named "vip_forwarding" on BIGIP1 and BIGIP2 (BIGIP1 - enabled on tunnel_gre, vmnet4 ; BIGIP2 - enabled on tunnel_gre, vmnet5)

7. Configuring routing on BIGIP1 and BIGIP2 so that PC1/PC2 communication goes through tunnel_gre


The added configuration on BIGIP1 (output from tmsh; screenshots from the GUI are at the end of this blog entry):


[VLANs]
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net vlan one-line
net vlan vmnet3 { if-index 112 interfaces { 1.1 { } } tag 4094 }
net vlan vmnet4 { if-index 128 interfaces { 1.2 { } } tag 4093 }

[Self IPs]
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net self one-line
net self 172.16.1.10 { address 172.16.1.10/24 traffic-group traffic-group-local-only vlan vmnet4 }
net self 172.16.75.10 { address 172.16.75.10/24 traffic-group traffic-group-local-only vlan vmnet3 }
net self 10.1.1.1 { address 10.1.1.1/24 traffic-group traffic-group-local-only vlan tunnel_gre }

[VIP - vip_forwarding]
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual vip_forwarding one-line
ltm virtual vip_forwarding { destination 0.0.0.0:any ip-forward mask any profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { tunnel_gre vmnet4 } vlans-enabled }

[VIP - vip_for_gre]
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual vip_for_gre one-line
ltm virtual vip_for_gre { destination 172.16.15.15:any ip-forward mask 255.255.255.255 profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { vmnet3 } vlans-enabled }

[Tunnel GRE - tunnel_gre]
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net tunnels tunnel tunnel_gre one-line
net tunnels tunnel tunnel_gre { local-address 172.16.15.15 profile gre remote-address 192.168.15.15 }

[Routes]
root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net route one-line
net route 192.168.1.200 { interface /Common/tunnel_gre network 192.168.1.200/32 }
net route 192.168.15.15 { gw 172.16.75.100 network 192.168.15.15/32 }
net route 192.168.229.0 { gw 172.16.75.100 network 192.168.229.0/24 }



The added configuration on BIGIP2 (output from tmsh; screenshots from the GUI are at the end of this blog entry):

[VLANs]
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net vlan one-line
net vlan vmnet2 { if-index 96 interfaces { 1.1 { } } tag 4094 }
net vlan vmnet5 { if-index 112 interfaces { 1.2 { } } tag 4093 }

[Self IPs]
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net self one-line
net self 192.168.1.10 { address 192.168.1.10/24 traffic-group traffic-group-local-only vlan vmnet5 }
net self 192.168.229.10 { address 192.168.229.10/24 traffic-group traffic-group-local-only vlan vmnet2 }
net self 10.1.1.2 { address 10.1.1.2/24 traffic-group traffic-group-local-only vlan tunnel_gre }

[VIP - vip_forwarding]
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual vip_forwarding one-line
ltm virtual vip_forwarding { destination 0.0.0.0:any ip-forward mask any profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { tunnel_gre vmnet5 } vlans-enabled }

[VIP - vip_for_gre]
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual vip_for_gre one-line
ltm virtual vip_for_gre { destination 192.168.15.15:any ip-forward mask 255.255.255.255 profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { vmnet2 } vlans-enabled }

[Tunnel GRE - tunnel_gre]
root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net tunnels tunnel tunnel_gre one-line
net tunnels tunnel tunnel_gre { local-address 192.168.15.15 profile gre remote-address 172.16.15.15 }

[Routes]

root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net route one-line
net route 172.16.1.200 { interface /Common/tunnel_gre network 172.16.1.200/32 }
net route 172.16.15.15 { gw 192.168.229.100 network 172.16.15.15/32 }
net route 172.16.75.0 { gw 192.168.229.100 network 172.16.75.0/24 }
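
The two listings only work together if steps 3, 4 and 7 agree across both units. The following check is an added example, not part of the original post: it parses the tmsh one-line output shown above and reports mismatches. The function names and the assumption that each unit reaches the remote endpoint through a static route (as in this lab) are mine.

```python
import ipaddress
import re

# tmsh one-line output copied from the BIGIP1 and BIGIP2 listings above
BIGIP1 = """
ltm virtual vip_for_gre { destination 172.16.15.15:any ip-forward mask 255.255.255.255 profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { vmnet3 } vlans-enabled }
net tunnels tunnel tunnel_gre { local-address 172.16.15.15 profile gre remote-address 192.168.15.15 }
net route 192.168.1.200 { interface /Common/tunnel_gre network 192.168.1.200/32 }
net route 192.168.15.15 { gw 172.16.75.100 network 192.168.15.15/32 }
net route 192.168.229.0 { gw 172.16.75.100 network 192.168.229.0/24 }
"""
BIGIP2 = """
ltm virtual vip_for_gre { destination 192.168.15.15:any ip-forward mask 255.255.255.255 profiles { fastL4 { } } source 0.0.0.0/0 translate-address disabled translate-port disabled vlans { vmnet2 } vlans-enabled }
net tunnels tunnel tunnel_gre { local-address 192.168.15.15 profile gre remote-address 172.16.15.15 }
net route 172.16.1.200 { interface /Common/tunnel_gre network 172.16.1.200/32 }
net route 172.16.15.15 { gw 192.168.229.100 network 172.16.15.15/32 }
net route 172.16.75.0 { gw 192.168.229.100 network 172.16.75.0/24 }
"""

def parse(cfg):
    """Pull the tunnel endpoints, the vip_for_gre address and the static routes."""
    tun = re.search(r"net tunnels tunnel \S+ \{ local-address (\S+) profile gre remote-address (\S+) \}", cfg)
    vip = re.search(r"ltm virtual vip_for_gre \{ destination ([\d.]+):any", cfg)
    routes = re.findall(r"net route \S+ \{ (gw|interface) \S+ network (\S+) \}", cfg)
    return tun[1], tun[2], vip[1], routes

def check(cfg_a, cfg_b):
    """Return a list of inconsistencies between the two units (empty = consistent)."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems = []
    if (a[0], a[1]) != (b[1], b[0]):
        problems.append("tunnel local/remote addresses are not mirrored")
    for name, (local, remote, vip, routes) in (("unit A", a), ("unit B", b)):
        if local != vip:
            problems.append(f"{name}: tunnel local-address is not the vip_for_gre address")
        peer = ipaddress.ip_address(remote)
        covering = [(ipaddress.ip_network(net), kind) for kind, net in routes
                    if peer in ipaddress.ip_network(net)]
        if not covering:
            problems.append(f"{name}: no static route to remote endpoint {remote}")
        elif max(covering, key=lambda r: r[0].prefixlen)[1] == "interface":
            problems.append(f"{name}: remote endpoint {remote} is routed into the tunnel itself")
    return problems
```

`check(BIGIP1, BIGIP2)` returns an empty list for the configuration in this post. The last check catches the case where the most specific route to the remote endpoint points at tunnel_gre, which would send the encapsulated packets back into the tunnel.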


Packet captures from BIGIP1 and BIGIP2 showing that the communication between PC1 and PC2 was encapsulated in GRE:

[root@bigip1:Active:Standalone] config # tcpdump -i vmnet3 proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmnet3, link-type EN10MB (Ethernet), capture size 96 bytes
12:17:21.405257 IP 172.16.15.15 > 192.168.15.15: GREv0, length 64: IP 172.16.1.200 > 192.168.1.200: ICMP echo request, id 1, seq 2765, length 40
12:17:21.438621 IP 192.168.15.15 > 172.16.15.15: GREv0, length 64: IP 192.168.1.200 > 172.16.1.200: ICMP echo reply, id 1, seq 2765, length 40
12:17:22.410254 IP 172.16.15.15 > 192.168.15.15: GREv0, length 64: IP 172.16.1.200 > 192.168.1.200: ICMP echo request, id 1, seq 2766, length 40
12:17:22.439201 IP 192.168.15.15 > 172.16.15.15: GREv0, length 64: IP 192.168.1.200 > 172.16.1.200: ICMP echo reply, id 1, seq 2766, length 40


[root@bigip2:Active:Standalone] config # tcpdump -i vmnet2 proto gre
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vmnet2, link-type EN10MB (Ethernet), capture size 96 bytes
12:17:21.163698 IP 172.16.15.15 > 192.168.15.15: GREv0, length 64: IP 172.16.1.200 > 192.168.1.200: ICMP echo request, id 1, seq 2765, length 40
12:17:21.173661 IP 192.168.15.15 > 172.16.15.15: GREv0, length 64: IP 192.168.1.200 > 172.16.1.200: ICMP echo reply, id 1, seq 2765, length 40
12:17:22.168787 IP 172.16.15.15 > 192.168.15.15: GREv0, length 64: IP 172.16.1.200 > 192.168.1.200: ICMP echo request, id 1, seq 2766, length 40
12:17:22.178765 IP 192.168.15.15 > 172.16.15.15: GREv0, length 64: IP 192.168.1.200 > 172.16.1.200: ICMP echo reply, id 1, seq 2766, length 40
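
tcpdump can print the inner ICMP packet in these captures because GRE only wraps the original packet behind a short header and does not encrypt it. The decapsulation below is an added example, not part of the original post: it parses a GRE version 0 header, including the optional checksum, key and sequence fields, and returns the outer and inner addresses. The sample packet is constructed to mirror the first capture line (IP checksums are left at zero), and all function names are mine.

```python
import socket
import struct

def ipv4(buf):
    """Return (protocol, src, dst, payload) for an IPv4 packet."""
    ihl = (buf[0] & 0x0F) * 4
    total = struct.unpack("!H", buf[2:4])[0]
    return buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20]), buf[ihl:total]

def gre_decap(packet):
    """Strip the outer IPv4 and GRE headers and describe what was inside."""
    proto, o_src, o_dst, gre = ipv4(packet)
    if proto != 47:
        raise ValueError("outer packet is not GRE (IP protocol 47)")
    flags, ptype = struct.unpack("!HH", gre[:4])
    if flags & 0x4007:
        raise ValueError("only GRE version 0 without routing is handled")
    off, key = 4, None
    if flags & 0x8000:            # C bit: checksum + reserved1
        off += 4
    if flags & 0x2000:            # K bit: 32-bit key
        key = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & 0x1000:            # S bit: sequence number
        off += 4
    if ptype != 0x0800:
        raise ValueError("inner payload is not IPv4")
    i_proto, i_src, i_dst, _ = ipv4(gre[off:])
    return {"outer": (o_src, o_dst), "inner": (i_src, i_dst),
            "inner_proto": i_proto, "gre_len": len(gre), "key": key}

def build_ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 packet for the constructed sample (checksum left 0)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed sample: ICMP echo request (40 bytes) from PC1 to PC2 inside GRE
ICMP = struct.pack("!BBHHH", 8, 0, 0, 1, 2765) + bytes(32)
INNER = build_ipv4(1, "172.16.1.200", "192.168.1.200", ICMP)
SAMPLE = build_ipv4(47, "172.16.15.15", "192.168.15.15",
                    struct.pack("!HH", 0x0000, 0x0800) + INNER)
```

For `SAMPLE`, `gre_decap` reports a GRE length of 64 bytes (4-byte header plus the 60-byte inner packet), the same length tcpdump prints above.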


Example capture view from Wireshark:

Capture from Wireshark


Screenshots from the GUI showing the configuration of BIGIP1:

BIGIP1 - VLANs
BIGIP1 - self IPs
BIGIP1 - vip_forwarding
BIGIP1 - vip_for_gre
BIGIP1 - tunnel_gre
BIGIP1 - routes




Screenshots from the GUI showing the configuration of BIGIP2:

BIGIP2 - VLANs
BIGIP2 - self IPs
BIGIP2 - vip_forwarding
BIGIP2 - vip_for_gre
BIGIP2 - tunnel_gre
BIGIP2 - routes


2 comments:

  1. Thanks man, this is perfect. Are you placed in Krakow?
