On 11/13/06, Dan McDonald <[EMAIL PROTECTED]> wrote:
NOTE: It's spelled IPsec with a small 's'. :)
;)
> I have an snv51 machine at home serving as my internet gateway, and I
> would like to use it to provide a VPN to my corporate network via
> IPSec. The remote end should be correctly configured.
>
> I bring up ip.tun0 like so:
>
> ifconfig ip.tun0 192.168.44.1 10.10.10.1 \
> tsrc 11.11.11.11 tdst 22.22.22.22 \
> encr_algs 3des encr_auth_algs md5
>
> where 192.168.44.0/24 is the local network I will be using, and
> 10.10.10.0/24 is the corporate network. 11.11.11.11 is my local
> Internet ip, and 22.22.22.22 is the corporate network's Internet ip.
NOTE: ip.tunX is like any point-to-point interface, the addresses are always
/32 for IPv4 and /128 for IPv6. You need to add routes explicitly or
implicitly.
Another good note.
> # ifconfig mxfe0
> mxfe0: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu 1500 index 3
> inet 11.11.11.11 netmask ffffff00 broadcast 11.11.11.255
> ether 0:80:c6:f0:45:3d
> # ifconfig ip.tun0
> ip.tun0: flags=11008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4> mtu 1419 index 5
> inet tunnel src 11.11.11.11 tunnel dst 22.22.22.22
> tunnel security settings esp (3des-cbc/hmac-md5)
> tunnel hop limit 60
> inet 192.168.44.1 --> 10.10.10.1 netmask ffffff00
>
> I see these in my logs:
>
> ip: [ID 646971 kern.notice] ip_create_dl: hw addr length = 0
> in.routed[146]: [ID 238047 daemon.warning] interface ip.tun0 to
> 10.10.10.1 turned off
Interesting. You had ROUTER enabled, according to your ifconfig.
Initially I did "ifconfig ip.tun0 router up" as per the docs at:
http://docs.sun.com/app/docs/doc/816-4554/6maoq0223?a=view
However, ROUTER seems to be enabled by default:
# ifconfig ip.tun0 unplumb
# ifconfig ip.tun0 plumb
# ifconfig ip.tun0
ip.tun0: flags=11008d0<POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4> mtu 65515 index 6
inet tunnel src 0.0.0.0
tunnel hop limit 60
inet 0.0.0.0 --> 0.0.0.0 netmask 0
Possibly because I have ip_forwarding enabled?
# routeadm
              Configuration   Current              Current
                     Option   Configuration        System State
---------------------------------------------------------------
            IPv4 forwarding   enabled              enabled
               IPv4 routing   default (enabled)    enabled
> The documentation I read on docs.sun.com states that ip_forwarding
> must be turned off, though this will surely break NAT for my local
> machines. All of the examples I seem to find are using a separate
> machine to do this -- can I do the two on a single system?
If mxfe0 (physical) and ip.tun0 are the only interfaces for your machine,
then you don't need to worry about IP forwarding at all.
They are not. I have hme0 configured to serve my internal network,
connected to a switch:
# ifconfig hme0
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
ether 8:0:20:a4:f2:40
My intent is to use hme0:1 on 192.168.44.x/24 until I can reconfigure
my home network to use a different subnet altogether, as
192.168.0.x/24 is already being used by an office on the VPN.
Is this ASCII picture what you had in mind?
  +-----+------------+------------------+ 192.168.44.0/24
        |            |
   <some-node>       |
                     |
              mxfe1 192.168.44.x/24
               +-----+---+
               | VPN-GW  |
               +----+----+
              mxfe0 11.11.11.11/24
                    |
                 |ip.tun0|
                 |       |
  +---<Internet>----+-----------------------+
Pretty much. I want all traffic to 10.10.10.x/24 going through
ip.tun0, but all other traffic (i.e., bound for the general internet)
only through mxfe0 and NOT ip.tun0.
If I'm right, and you're running a real GW where a piece of your internal
network is now in your house, you need:
ROUTER set on mxfe1 and ip.tun0
ROUTER cleared on mxfe0
for the best security.
Removing ROUTER from mxfe0 breaks the home network.
If you're just tunnelling in a single machine to your internal network,
here's an edited sample of what I'm using with IPsec to connect into Sun's
internal network. NOTE: I'm using IPsec Tunnel Reform for my tunnel, but
that's independent of your problem, I believe.
(0)# uname -a
SunOS everywhere 5.11 onnv-gate:2006-11-06 i86pc i386 i86pc
(0)# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
inet 127.0.0.1 netmask ff000000
e1000g0: flags=201004843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,IPv4,CoS> mtu 1500 index 2
inet 11.11.11.207 netmask ffffff00 broadcast 11.11.11.255
ether 0:15:b7:e5:8c:5a
ip.tun0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1419 index 5
inet tunnel src 11.11.11.207 tunnel dst 22.22.22.22
tunnel security settings --> use 'ipsecconf -ln -i ip.tun0'
tunnel hop limit 60
inet 10.21.12.2 --> 10.51.50.19 netmask ff000000
Note I don't have a single ROUTER flag set?
Right, which makes sense because you are not routing for anyone. Is
it possible to do this through NAT? I don't have a problem using ipf
to forward appropriate traffic to a specific machine in the local
network. (Note: my current ipf setup is allowing all traffic from
22.22.22.22 to get in).
Thank you for your time, Dan.
--
Eric Enright
_______________________________________________
networking-discuss mailing list
[email protected]
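A small POSIX sh audit of the ROUTER-flag rule Dan gives above (ROUTER cleared on the Internet-facing interface, set on the internal and tunnel interfaces), added here as an example and not part of this thread. It parses a constructed ifconfig -a sample modelled on the outputs quoted in the thread; the interface names and which one is external are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ifconfig -a` output, modelled on the thread (not captured from a real host).
# On a real Solaris box set IFCONFIG_OUTPUT=$(ifconfig -a) before calling the functions.
SAMPLE_IFCONFIG='lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
mxfe0: flags=201104843<UP,BROADCAST,RUNNING,MULTICAST,DHCP,ROUTER,IPv4,CoS> mtu 1500 index 3
        inet 11.11.11.11 netmask ffffff00 broadcast 11.11.11.255
hme0: flags=1100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4> mtu 1500 index 2
        inet 192.168.0.1 netmask ffffff00 broadcast 192.168.0.255
ip.tun0: flags=11008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4> mtu 1419 index 5
        inet tunnel src 11.11.11.11 tunnel dst 22.22.22.22
        inet 192.168.44.1 --> 10.10.10.1 netmask ffffff00'
IFCONFIG_OUTPUT=${IFCONFIG_OUTPUT:-$SAMPLE_IFCONFIG}

# router_flag IFNAME: prints "on" if ROUTER appears in the interface's flag list,
# "off" if the interface exists without it, nothing if the interface is absent.
router_flag() {
    printf '%s\n' "$IFCONFIG_OUTPUT" | awk -v ifn="$1" '
        $1 == (ifn ":") {
            split($2, parts, /[<>]/)          # parts[2] is the text between < and >
            n = split(parts[2], f, ",")
            for (i = 1; i <= n; i++) if (f[i] == "ROUTER") { print "on"; exit }
            print "off"; exit
        }'
}

# audit_router_policy EXTERNAL INTERNAL...: applies the rule from the thread for a gateway
# (ROUTER off on the Internet-facing interface, on for internal and tunnel interfaces).
# Prints one WARN line per violation; the exit status is the number of violations.
audit_router_policy() {
    ext=$1; shift
    violations=0
    if [ "$(router_flag "$ext")" = "on" ]; then
        echo "WARN: $ext faces the Internet but has ROUTER set (box forwards for anyone reaching it)"
        violations=$((violations + 1))
    fi
    for ifn in "$@"; do
        if [ "$(router_flag "$ifn")" != "on" ]; then
            echo "WARN: $ifn is internal/tunnel but ROUTER is not set (no LAN<->VPN forwarding)"
            violations=$((violations + 1))
        fi
    done
    return $violations
}

audit_router_policy mxfe0 hme0 ip.tun0   # sample: one violation, mxfe0 has ROUTER set
```

Against the sample this reports the same state the thread describes: ROUTER is on everywhere including mxfe0, which is the one flag Dan says to clear.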