NOTE:  It's spelled IPsec with a small 's'.  :)

> I have an snv51 machine at home serving as my internet gateway, and I
> would like to use it to provide a VPN to my corporate network via
> IPSec.  The remote end should be correctly configured.
> 
> I bring up ip.tun0 like so:
> 
> ifconfig ip.tun0 192.168.44.1 10.10.10.1 \
>        tsrc 11.11.11.11 tdst 22.22.22.22 \
>        encr_algs 3des encr_auth_algs md5
> 
> where 192.168.44.0/24 is the local network I will be using, and
> 10.10.10.0/24 is the corporate network.  11.11.11.11 is my local
> Internet ip, and 22.22.22.22 is the corporate network's Internet ip.

NOTE:  ip.tunX is like any point-to-point interface; the addresses are always
/32 for IPv4 and /128 for IPv6.  You need to add routes explicitly or
implicitly.

> # ifconfig mxfe0
> mxfe0: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS>
> mtu 1500 index 3
>        inet 11.11.11.11 netmask ffffff00 broadcast 11.11.11.255
>        ether 0:80:c6:f0:45:3d
> # ifconfig ip.tun0
> ip.tun0: flags=11008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4>
> mtu 1419 index 5
>        inet tunnel src 11.11.11.11 tunnel dst 22.22.22.22
>        tunnel security settings  esp (3des-cbc/hmac-md5)
>        tunnel hop limit 60
>        inet 192.168.44.1 --> 10.10.10.1 netmask ffffff00
> 
> I see these in my logs:
> 
> ip: [ID 646971 kern.notice] ip_create_dl: hw addr length = 0
> in.routed[146]: [ID 238047 daemon.warning] interface ip.tun0 to
> 10.10.10.1 turned off

Interesting.  You had ROUTER enabled, according to your ifconfig.

> The documentation I read on docs.sun.com states that ip_forwarding
> must be turned off, though this will surely break NAT for my local
> machines.  All of the examples I seem to find are using a separate
> machine to do this -- can I do the two on a single system?

If mxfe0 (physical) and ip.tun0 are the only interfaces for your machine,
then you don't need to worry about IP forwarding at all.

Is this ASCII picture what you had in mind?


        +-----+------------+------------------+   192.168.44.0/24
              |            |
          <some-node>      |
                           |
                         mxfe1   192.168.44.x/24
                     +-----+---+
                     | VPN-GW  |
                     +----+----+
                        mxfe0    11.11.11.11/24
                          |
                         |ip.tun0|
                         |       |
        +---<Internet>----+-----------------------+

If I'm right, and you're running a real GW where a piece of your internal
network is now in your house, you need:

        ROUTER set on mxfe1 and ip.tun0

        ROUTER cleared on mxfe0

for the best security.

If you're just tunnelling in a single machine to your internal network,
here's an edited sample of what I'm using with IPsec to connect into Sun's
internal network.  NOTE:  I'm using IPsec Tunnel Reform for my tunnel, but
that's independent of your problem, I believe.

(0)# uname -a
SunOS everywhere 5.11 onnv-gate:2006-11-06 i86pc i386 i86pc
(0)# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 
index 1
        inet 127.0.0.1 netmask ff000000 
e1000g0: flags=201004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4,CoS> mtu 1500 
index 2
        inet 11.11.11.207 netmask ffffff00 broadcast 11.11.11.255
        ether 0:15:b7:e5:8c:5a 
ip.tun0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1419 
index 5
        inet tunnel src 11.11.11.207 tunnel dst 22.22.22.22
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun0'
        tunnel hop limit 60 
        inet 10.21.12.2 --> 10.51.50.19 netmask ff000000 

Note I don't have a single ROUTER flag set?

Dan
_______________________________________________
networking-discuss mailing list
[email protected]
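As an added check (not from this thread or from Sun's tools) that makes the ROUTER advice above mechanical: a POSIX sh/awk script that parses `ifconfig -a` output, reports which interfaces carry the ROUTER flag, and verifies that the Internet-facing NIC has it cleared. The interface names and the ifconfig text are constructed from the thread; the flag itself is cleared with ifconfig's `-router` option.

```shell
#!/bin/sh
# Added example: audit the ROUTER (per-interface IP forwarding) flag from
# Solaris `ifconfig -a` output.  On the VPN gateway in the thread, the inside
# NIC (mxfe1) and ip.tun0 should carry ROUTER while the Internet-facing NIC
# (mxfe0) should not.  The sample output below is constructed from the thread.

SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
mxfe1: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 192.168.44.1 netmask ffffff00 broadcast 192.168.44.255
mxfe0: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu 1500 index 3
        inet 11.11.11.11 netmask ffffff00 broadcast 11.11.11.255
ip.tun0: flags=11008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4> mtu 1419 index 5
        inet tunnel src 11.11.11.11 tunnel dst 22.22.22.22
        inet 192.168.44.1 --> 10.10.10.1 netmask ffffff00'

# router_state IFCONFIG_TEXT
# Prints "<ifname> on|off" for every interface header line ("name: flags=...").
router_state() {
    printf '%s\n' "$1" | awk '
        $1 ~ /:$/ && $2 ~ /^flags=/ {
            name = $1; sub(/:$/, "", name)
            flags = $2
            sub(/^flags=[0-9a-f]*</, "", flags); sub(/>$/, "", flags)
            state = "off"
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "ROUTER") state = "on"
            print name, state
        }'
}

# outside_ok IFCONFIG_TEXT OUTSIDE_IF
# Succeeds only when the named Internet-facing interface has ROUTER cleared
# (an interface that is not present at all also counts as not ok).
outside_ok() {
    state=$(router_state "$1" | awk -v o="$2" '$1 == o { print $2 }')
    [ "$state" = "off" ]
}

# Stand-alone run against the constructed sample.
router_state "$SAMPLE_IFCONFIG"
if outside_ok "$SAMPLE_IFCONFIG" mxfe0; then
    echo "mxfe0: ROUTER cleared, good"
else
    echo "mxfe0: ROUTER is set on the Internet-facing NIC; clear it with: ifconfig mxfe0 -router"
fi
```

On a live box, replace the sample with `router_state "$(ifconfig -a)"`.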