Now we can discuss more subtle differences between tunneling in 2.0 and 2.2.
ipip. 2.2 tries to select the best tunnel device, and the packet looks as if it was received on that device. For example, if the host received an ipip packet from host D destined to our local address S, the kernel searches for matching tunnels in order:
If a tunnel exists but is not in the UP state, the tunnel is ignored.
Note, that if UP it receives all the IPIP packets not acknowledged by more specific tunnels.
Be careful: this means that without carefully installed firewall rules, anyone on the Internet may inject into your network any packets with source addresses indistinguishable from local ones. It is not a bad idea to design tunnels in a way that enforces maximal route symmetry and to enable the reverse path filter (rp_filter sysctl option) on
-nvv will dump the packets which the kernel outputs via tunnel Cisco and the packets received on it from the kernel's viewpoint.
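
The reverse path filter advice above can be checked mechanically. The following is an added example, not part of the original documentation: it lists IPIP tunnel devices that are UP while their effective rp_filter is 0. It assumes the sysfs/procfs layout of current Linux kernels, where the effective value is the larger of conf/all and conf/<device>; the function name and its two directory arguments are this example's own.

```shell
#!/bin/sh
# Added example: report UP IPIP tunnel devices with no reverse path filtering.
# Arguments (assumptions of this example, so it can be run on a copied tree):
#   $1 = sysfs net directory   (default /sys/class/net)
#   $2 = IPv4 conf directory   (default /proc/sys/net/ipv4/conf)
audit_ipip_rp_filter() {
    sysnet=${1:-/sys/class/net}
    conf=${2:-/proc/sys/net/ipv4/conf}

    # Global setting; treated as 0 if the file is missing.
    all=$(cat "$conf/all/rp_filter" 2>/dev/null || echo 0)

    for d in "$sysnet"/*; do
        [ -r "$d/type" ] || continue
        # Link type 768 is ARPHRD_TUNNEL, used by IPIP tunnel devices.
        [ "$(cat "$d/type")" = "768" ] || continue
        dev=${d##*/}

        # A tunnel that is not UP is ignored on receive, so skip it.
        # IFF_UP is bit 0 of the hexadecimal flags value.
        flags=$(cat "$d/flags" 2>/dev/null || echo 0x0)
        [ $(( $flags & 1 )) -eq 1 ] || continue

        # Effective value is the maximum of conf/all and conf/<dev>.
        eff=$(cat "$conf/$dev/rp_filter" 2>/dev/null || echo 0)
        [ "$all" -gt "$eff" ] && eff=$all

        # 0 means no source validation on packets decapsulated here.
        [ "$eff" -eq 0 ] && echo "$dev"
    done
    return 0
}

# Print one device name per line; no output means nothing was flagged.
audit_ipip_rp_filter "$@"
```

A flagged device can be fixed by writing 1 to its rp_filter entry under the conf directory, after confirming that routing through the tunnel is symmetric.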