> You can, of course, not specify a destination address:
>
>     ifconfig ip.tun0 10.31.25.5/32 tsrc 192.168.1.17 tdst 10.10.5.212
>
> And pretend it's an ethernet-like interface.

Actually, that doesn't work:

    # ifconfig ip.tun0 unplumb
    # ifconfig ip.tun0 plumb
    # ifconfig ip.tun0 172.31.25.5/32 tsrc 192.168.1.17 tdst 128.2.5.212
    # ifconfig ip.tun0 up
    ifconfig: setifflags: SIOCSLIFFLAGS: ip.tun0: Invalid argument

vs

    # ifconfig ip.tun0 unplumb
    # ifconfig ip.tun0 plumb
    # ifconfig ip.tun0 172.31.25.5/32 128.2.5.209 tsrc 192.168.1.17 tdst 128.2.5.212
    # ifconfig ip.tun0 up
    #

> Does this help?

Not really. Well, it helped conceptually, but I still don't have a working
tunnel. Since the redaction was confusing, and I don't actually believe anyone
thinks it's too sensitive to disclose (I was just following convention), I'll
dispense with it.

From the top:

    192.168.1.0/24:   my home NAT
    66.207.128.0/20:  my provider's network
    128.2.0.0/16:     one of my employer's networks, accessible via the
                      internet, but some protocols are filtered if not using
                      the VPN
    128.237.0.0/16:   one of my employer's networks, accessible via the
                      internet, but some protocols are filtered if not using
                      the VPN
    172.19.0.0/16:    one of my employer's networks, NOT accessible via the
                      internet
    172.31.0.0/16:    network that VPN clients are registered in; not
                      accessible via the internet or the VPN

The OpenSolaris host has address 192.168.1.17 and is attached to my home LAN.
The home LAN router's address is 192.168.1.1, and it is connected to the
internet with a dynamic address (today, that is 66.207.131.63).
The VPN gateway's sole address, which is internet accessible, is 128.2.5.212.
The VPN gateway's default router is 128.2.5.209.
Multiple networks are accessible behind that router (128.2.0.0, 128.237.0.0,
and 172.19.0.0).

/etc/inet/ike/config:

    cert_root "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn isam ca"
    cert_root "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn user ca"
    cert_root "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=VPN Admin Comp Mgmt"
    use_http
    p2_lifetime_secs 86400
    local_id_type dns
    p1_xform { oakley_group 2 encr_alg 3des-cbc auth_alg sha1 auth_method rsa_sig }
    {
        label "server2 isam"
        local_addr 0.0.0.0
        remote_addr 128.2.5.212
        local_id "DNS=erehwon.isam.vpn.cmu.local"
        remote_id "C=US, ST=Pennsylvania, L=Pittsburgh, O=Carnegie Mellon University, OU=Network Group, CN=vpn isam server2"
    }

/etc/inet/ipsecinit.conf:

    {tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.2.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
    {tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.237.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
    {tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 172.19.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}

    ip.tun0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 5
            inet tunnel src 192.168.1.17   tunnel dst 128.2.5.212
            tunnel hop limit 60
            inet 172.31.25.5 --> 128.2.5.209 netmask ffffffff

When the tunnel is ifconfig'd down, pings to 128.2.5.209 succeed, going
through the NAT and over the internet as usual. If the tunnel is up, the pings
fail. Any traffic routed into the tunnel disappears:

    # /sbin/ifconfig ip.tun0 down
    # ping 128.2.5.209
    128.2.5.209 is alive
    # /sbin/ifconfig ip.tun0 up
    # ping 128.2.5.209
    no answer from 128.2.5.209
    # ping 128.237.157.9
    128.237.157.9 is alive
    # route add 128.237.0.0/16 128.2.5.209
    add net 128.237.0.0/16: gateway 128.2.5.209
    # ping 128.237.157.9
    no answer from 128.237.157.9

in.iked is still silent (other than deciding to listen on the tunnel interface
whenever it is up'd).

_______________________________________________
networking-discuss mailing list
networking-discuss@opensolaris.org
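The "traffic disappears" symptom above can be walked through with a small model: an outbound packet is first routed, and only if the route lands on ip.tun0 is it checked against the per-tunnel policies in ipsecinit.conf; a packet that matches a "negotiate" rule for which in.iked has produced no security association is held for IKE and lost when no SA ever arrives. The following is an added example written for this page, not code from the post or from OpenSolaris: it parses the ipsecinit.conf rules quoted in the post (embedded as constructed input), builds the routing tables implied by the four pings, and reports the fate of each packet. The LAN interface name e1000g0 and the set of existing SAs (empty, because in.iked is silent) are assumptions; the policy-matching logic is a simplification of the kernel's behaviour, not a reimplementation of it.

```python
import ipaddress
import re

# Policy text quoted in the post, embedded here as constructed input.
IPSECINIT_CONF = """\
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.2.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 128.237.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun0 negotiate tunnel laddr 172.31.25.5 raddr 172.19.0.0/16} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
"""

TUNNEL_IF = "ip.tun0"
TUNNEL_INNER_SRC = "172.31.25.5"   # inner address of ip.tun0, from the post

# '{pattern} action {properties}' with the properties block optional.
RULE_RE = re.compile(r"^\{([^}]*)\}\s*(\w+)(?:\s*\{([^}]*)\})?\s*$")


def parse_tunnel_policy(text):
    """Parse per-tunnel ipsecinit.conf rules into dicts (simplified grammar)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsable rule: %r" % line)
        pattern, action, props = m.groups()
        rule = {"action": action, "props": props.split() if props else []}
        toks = iter(pattern.split())
        for tok in toks:
            if tok == "tunnel" and "ifname" not in rule:
                rule["ifname"] = next(toks)        # 'tunnel <interface>'
            elif tok == "negotiate":
                rule["mode"] = next(toks)          # 'negotiate tunnel|transport'
            elif tok in ("laddr", "raddr"):
                rule[tok] = ipaddress.ip_network(next(toks), strict=False)
        rules.append(rule)
    return rules


# Routing tables constructed from the post: (prefix, gateway or None, interface
# or None). An entry with no interface is a gateway route that is resolved
# through another entry. The LAN interface name e1000g0 is an assumption.
ROUTES_TUNNEL_DOWN = [
    ("0.0.0.0/0",      "192.168.1.1", "e1000g0"),   # default via the home router
    ("192.168.1.0/24", None,          "e1000g0"),
]
ROUTES_TUNNEL_UP = ROUTES_TUNNEL_DOWN + [
    ("128.2.5.209/32", None, TUNNEL_IF),           # point-to-point peer of ip.tun0
]
ROUTES_AFTER_ROUTE_ADD = ROUTES_TUNNEL_UP + [
    ("128.237.0.0/16", "128.2.5.209", None),       # route add 128.237.0.0/16 128.2.5.209
]


def egress_interface(routes, dst, depth=0):
    """Longest-prefix match, following gateway routes to their interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, ifname)
    if best is None:
        return None
    _, gw, ifname = best
    if ifname is not None:
        return ifname
    if gw is None or depth > 4:
        return None
    return egress_interface(routes, gw, depth + 1)


def classify(dst, rules, routes, sas):
    """Fate of an outbound packet to dst.

    sas is the set of raddr selectors (as strings) for which an SA pair exists.
    A packet matching a 'negotiate' rule with no SA is handed to IKE; if no SA
    is ever established it is lost, which the model reports as a drop.
    """
    ifname = egress_interface(routes, dst)
    if ifname != TUNNEL_IF:
        return "clear via %s" % ifname
    inner_src = ipaddress.ip_address(TUNNEL_INNER_SRC)
    inner_dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.get("ifname") != ifname:
            continue
        if inner_src in rule["laddr"] and inner_dst in rule["raddr"]:
            if rule["action"] != "ipsec":
                return "%s via %s" % (rule["action"], ifname)
            if str(rule["raddr"]) in sas:
                return "esp via %s (SA for %s)" % (ifname, rule["raddr"])
            return "dropped: no SA for %s on %s" % (rule["raddr"], ifname)
    return "no tunnel policy matched on %s" % ifname


RULES = parse_tunnel_policy(IPSECINIT_CONF)


def reproduce_post():
    """The four pings from the post, plus what one established SA would change."""
    return {
        "tunnel down, ping 128.2.5.209":       classify("128.2.5.209", RULES, ROUTES_TUNNEL_DOWN, set()),
        "tunnel up, ping 128.2.5.209":         classify("128.2.5.209", RULES, ROUTES_TUNNEL_UP, set()),
        "tunnel up, ping 128.237.157.9":       classify("128.237.157.9", RULES, ROUTES_TUNNEL_UP, set()),
        "after route add, ping 128.237.157.9": classify("128.237.157.9", RULES, ROUTES_AFTER_ROUTE_ADD, set()),
        "after route add, with SA":            classify("128.237.157.9", RULES, ROUTES_AFTER_ROUTE_ADD, {"128.237.0.0/16"}),
    }


if __name__ == "__main__":
    for case, result in reproduce_post().items():
        print("%-40s %s" % (case, result))
```

The point the model makes is that every destination the author routes into ip.tun0 falls inside one of the three negotiate selectors, so with no SA in the kernel every such packet is swallowed, exactly as observed, and only a successful IKE exchange changes the outcome. On the host itself the two states the model keeps in memory can be read directly: `ipsecconf -ln` shows the policy the kernel actually loaded, and `ipseckey dump` shows whether any SA exists for the tunnel's outer endpoints.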