> You can, of course, not specify a destination address:
>
>        ifconfig ip.tun0 10.31.25.5/32 tsrc 192.168.1.17 tdst 10.10.5.212
>
> And pretend it's an ethernet-like interface.
Actually, that doesn't work:

[EMAIL PROTECTED]:~# ifconfig ip.tun0 unplumb
[EMAIL PROTECTED]:~# ifconfig ip.tun0 plumb
[EMAIL PROTECTED]:~# ifconfig ip.tun0 172.31.25.5/32 tsrc 192.168.1.17 tdst 128.2.5.212
[EMAIL PROTECTED]:~# ifconfig ip.tun0 up
ifconfig: setifflags: SIOCSLIFFLAGS: ip.tun0: Invalid argument

vs.
[EMAIL PROTECTED]:~# ifconfig ip.tun0 unplumb
[EMAIL PROTECTED]:~# ifconfig ip.tun0 plumb
[EMAIL PROTECTED]:~# ifconfig ip.tun0 172.31.25.5/32 128.2.5.209 tsrc 192.168.1.17 tdst 128.2.5.212
[EMAIL PROTECTED]:~# ifconfig ip.tun0 up
[EMAIL PROTECTED]:~#

> Does this help?
Not really. Well, it helped conceptually, but I still don't have a
working tunnel.

Since the redaction was confusing, and I don't actually believe anyone
thinks it's too sensitive to disclose (I was just following
convention), I'll dispense with it.
From the top:

192.168.1.0/24: my home NAT
66.207.128.0/20: my provider's network
128.2.0.0/16: one of my employer's networks, accessible via the
internet, but some protocols are filtered if not using the VPN
128.237.0.0/16: one of my employer's networks, accessible via the
internet, but some protocols are filtered if not using the VPN
172.19.0.0/16: one of my employer's networks, NOT accessible via the internet.
172.31.0.0/16: network that VPN clients are registered in. Not
accessible via the internet or the VPN.

The OpenSolaris host has address 192.168.1.17 and is attached to my home LAN.
The home LAN router's address is 192.168.1.1, and it is connected to the
internet with a dynamic address (today, that is 66.207.131.63).
The VPN gateway's sole address, which is internet accessible, is 128.2.5.212.
The VPN gateway's default router is 128.2.5.209.
Multiple networks are accessible behind that router (128.2.0.0,
128.237.0.0, and 172.19.0.0).

/etc/inet/ike/config:
cert_root "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn isam ca"
cert_root "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn user ca"
cert_root "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=VPN Admin Comp Mgmt"

use_http

p2_lifetime_secs 86400
local_id_type dns
p1_xform { oakley_group 2 encr_alg 3des-cbc auth_alg sha1 auth_method rsa_sig }

{
   label "server2 isam"
   local_addr 0.0.0.0
   remote_addr 128.2.5.212
   local_id "DNS=erehwon.isam.vpn.cmu.local"
   remote_id "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn isam server2"
}

/etc/inet/ipsecinit.conf:
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.2.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.237.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 172.19.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}


ip.tun0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 5
        inet tunnel src 192.168.1.17 tunnel dst 128.2.5.212
        tunnel hop limit 60
        inet 172.31.25.5 --> 128.2.5.209 netmask ffffffff

When the tunnel is ifconfig'd down, pings to 128.2.5.209 succeed,
going through the NAT and over the internet as usual. If the tunnel is
up, the pings fail. Any traffic routed into the tunnel disappears:
[EMAIL PROTECTED]:~# /sbin/ifconfig ip.tun0 down
[EMAIL PROTECTED]:~# ping 128.2.5.209
128.2.5.209 is alive
[EMAIL PROTECTED]:~# /sbin/ifconfig ip.tun0 up
[EMAIL PROTECTED]:~# ping 128.2.5.209
no answer from 128.2.5.209
[EMAIL PROTECTED]:~# ping 128.237.157.9
128.237.157.9 is alive
[EMAIL PROTECTED]:~# route add 128.237.0.0/16 128.2.5.209
add net 128.237.0.0/16: gateway 128.2.5.209
[EMAIL PROTECTED]:~# ping 128.237.157.9
no answer from 128.237.157.9

in.iked is still silent (other than deciding to listen on the tunnel
interface whenever it is up'd).
_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org
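As an added example (not code from the original post or from OpenSolaris), here is a small parser for the ipsecinit.conf tunnel-policy lines quoted above, which answers two questions a reader debugging this setup would want: which rule's raddr selector covers a given destination, and whether the tunnel's outer endpoint (the VPN gateway, 128.2.5.212) itself falls inside one of the inner selectors. The sample text is the post's three rules, rejoined onto single lines; the overlap check is this example's own diagnostic, not something the post claims is the cause.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the three rules from the post's /etc/inet/ipsecinit.conf.
IPSECINIT_CONF = """
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.2.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.237.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 172.19.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
"""

# One rule per line: {tunnel <if> negotiate tunnel laddr <a> raddr <b>} ipsec {<props>}
RULE_RE = re.compile(
    r"\{tunnel\s+(\S+)\s+negotiate\s+tunnel\s+laddr\s+(\S+)\s+raddr\s+(\S+)\}"
    r"\s*ipsec\s*\{([^}]*)\}"
)


def parse_rules(text):
    """Return one dict per rule: tunnel name, inner src/dst selectors as
    ip_network objects, and the ipsec {...} properties as a key/value dict."""
    rules = []
    for m in RULE_RE.finditer(text):
        tun, laddr, raddr, props = m.groups()
        toks = props.split()  # "encr_algs 3des ..." -> alternating key, value
        rules.append({
            "tunnel": tun,
            "laddr": ip_network(laddr, strict=False),   # bare host -> /32
            "raddr": ip_network(raddr, strict=False),
            "props": dict(zip(toks[0::2], toks[1::2])),
        })
    return rules


def policy_for(rules, dst):
    """First rule whose raddr selector covers dst, or None if no tunnel
    policy in the file covers that destination at all."""
    d = ip_address(dst)
    for r in rules:
        if d in r["raddr"]:
            return r
    return None


def endpoint_inside_selector(rules, tunnel_dst):
    """True if the tunnel's outer destination (the gateway the ESP/IKE
    packets are sent to) is itself inside an inner raddr selector."""
    t = ip_address(tunnel_dst)
    return any(t in r["raddr"] for r in rules)
```

For the post's addresses, 128.2.5.209 and 128.237.157.9 each map to the expected /16 rule, while 128.2.5.212 (the tunnel dst) is reported as lying inside the 128.2.0.0/16 selector.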
