>Can you post your IPsec configs and ifconfig -a to the list also, 
>including whether you configured IPsec tunnel policy with ipsecconf or 
>the old school ifconfig.

Not sure about the old school way. I created the hostname.ip.tun0 and the 
ipsecinit.conf files.
Since Juniper support asked me to reduce the tunnel IPs to /32, I added 
192.168.100.2 255.255.255.255 to /etc/netmasks, but a 

svcadm restart svc:/network/physical:default

then showed the netmask for tun0 as /24, so I manually ran 

ifconfig ip.tun0 192.168.100.2/32

to get the mask right:


r...@kunde003-wan:~# ifconfig -a
lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
dmz103001: flags=201100843<UP,BROADCAST,RUNNING,MULTICAST,ROUTER,IPv4,CoS> mtu 1500 index 2
        inet 82.100.231.233 netmask fffffff8 broadcast 82.100.231.239
        ether 0:21:28:75:b9:4c
ip.tun0: flags=11008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4> mtu 1480 index 3
        inet tunnel src 213.172.123.138 tunnel dst 82.100.214.138
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun0'
        tunnel hop limit 60
        inet 192.168.100.2 --> 192.168.100.1 netmask ffffffff
ip.tun1: flags=11028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,ROUTER,IPv4> mtu 1480 index 4
        inet tunnel src 213.172.123.138 tunnel dst 82.102.214.138
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun1'
        tunnel hop limit 60
        inet 82.100.231.233 --> 103.0.0.33 netmask fffffff8
wan3001: flags=201108843<UP,BROADCAST,RUNNING,MULTICAST,PRIVATE,ROUTER,IPv4,CoS> mtu 1500 index 5
        inet 213.172.123.138 netmask fffffff8 broadcast 213.172.123.143
        ether 0:21:28:75:b9:4b
lo0: flags=2002000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv6,VIRTUAL> mtu 8252 index 1
        inet6 ::1/128

r...@kunde003-wan:~# cat /etc/hostname.ip.tun0
192.168.100.2 192.168.100.1 tsrc 213.172.123.138 tdst 82.100.214.138 router up
r...@kunde003-wan:~# cat /etc/inet/ipsecinit.conf
{tunnel ip.tun0 negotiate tunnel laddr 0.0.0.0/0 raddr 192.168.100.0/30} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun1 negotiate tunnel laddr 0.0.0.0/0 raddr 103.0.0.0/24} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}


The current config doesn't reflect my actual requirement (i.e. reaching the LAN 
120.0.0.0/24 behind the remote router).
For now I'm concerned with getting OSPF working, so I tailored the IPsec config to 
guarantee reachability between the tunnel interfaces.


Would you need any additional configs / command outputs / debugs?

Thanks for giving it a shot,

Kai
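The mail above pairs an ifconfig -a listing with an ipsecinit.conf tunnel policy, and the question of whether the two agree (does the peer address on each ip.tun interface fall inside the raddr prefix of that interface's policy, and did the /32 netmask actually stick) is one that is easy to answer by hand once and tedious to re-check after every restart. The script below is an added example, not code from the mail or from the Solaris networking project: it parses the ifconfig output and the policy file as shown in the mail (the input text is copied from the mail with the e-mail line wraps rejoined), converts the hex netmask to a prefix length, and reports for each tunnel whether the point-to-point mask is /32 and whether the peer is covered by a policy. The function names (hexmask_to_prefixlen, parse_tunnels, parse_policies, check_tunnels) are my own.

```python
import ipaddress
import re

# Excerpt of the ifconfig -a output from the mail (line wraps rejoined).
IFCONFIG_OUTPUT = """\
ip.tun0: flags=11008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,ROUTER,IPv4> mtu 1480 index 3
        inet tunnel src 213.172.123.138 tunnel dst 82.100.214.138
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun0'
        tunnel hop limit 60
        inet 192.168.100.2 --> 192.168.100.1 netmask ffffffff
ip.tun1: flags=11028d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,UNNUMBERED,ROUTER,IPv4> mtu 1480 index 4
        inet tunnel src 213.172.123.138 tunnel dst 82.102.214.138
        tunnel security settings  -->  use 'ipsecconf -ln -i ip.tun1'
        tunnel hop limit 60
        inet 82.100.231.233 --> 103.0.0.33 netmask fffffff8
"""

# /etc/inet/ipsecinit.conf as shown in the mail.
IPSECINIT_CONF = """\
{tunnel ip.tun0 negotiate tunnel laddr 0.0.0.0/0 raddr 192.168.100.0/30} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
{tunnel ip.tun1 negotiate tunnel laddr 0.0.0.0/0 raddr 103.0.0.0/24} ipsec {encr_algs 3des encr_auth_algs sha1 sa shared}
"""


def hexmask_to_prefixlen(hexmask):
    """Turn the hex netmask ifconfig prints (e.g. 'fffffff8') into a prefix length."""
    bits = bin(int(hexmask, 16))[2:].zfill(32)
    if "01" in bits:  # a valid mask is contiguous ones followed by zeros
        raise ValueError("non-contiguous netmask %s" % hexmask)
    return bits.count("1")


def parse_tunnels(text):
    """Return {ifname: {tsrc, tdst, local, peer, prefixlen}} for each tunnel interface."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S+):\s+flags=", line)
        if m:
            current = m.group(1)
            ifaces[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r"\s+inet tunnel src (\S+) tunnel dst (\S+)", line)
        if m:
            ifaces[current]["tsrc"], ifaces[current]["tdst"] = m.groups()
            continue
        m = re.match(r"\s+inet (\S+) --> (\S+) netmask ([0-9a-fA-F]+)", line)
        if m:
            local, peer, mask = m.groups()
            ifaces[current].update(local=local, peer=peer,
                                   prefixlen=hexmask_to_prefixlen(mask))
    # only interfaces that carry an outer tunnel src/dst are tunnels
    return {name: info for name, info in ifaces.items() if "tdst" in info}


def parse_policies(text):
    """Return {ifname: [raddr networks]} from 'tunnel <if> ... raddr <prefix>' entries."""
    policies = {}
    for m in re.finditer(r"\{tunnel (\S+)[^}]*?raddr ([^\s}]+)\}", text):
        ifname, raddr = m.groups()
        policies.setdefault(ifname, []).append(ipaddress.ip_network(raddr, strict=False))
    return policies


def check_tunnels(ifconfig_text, conf_text):
    """Cross-check each tunnel's peer address and mask against its IPsec policy."""
    policies = parse_policies(conf_text)
    report = {}
    for name, t in parse_tunnels(ifconfig_text).items():
        peer = ipaddress.ip_address(t["peer"])
        covered = [str(n) for n in policies.get(name, []) if peer in n]
        report[name] = {
            "peer": t["peer"],
            "prefixlen": t["prefixlen"],
            "point_to_point_mask_ok": t["prefixlen"] == 32,
            "peer_covered_by_policy": bool(covered),
            "matching_raddr": covered,
        }
    return report


if __name__ == "__main__":
    for name, r in check_tunnels(IFCONFIG_OUTPUT, IPSECINIT_CONF).items():
        print("%s: peer %s /%d mask_ok=%s policy_ok=%s (%s)" % (
            name, r["peer"], r["prefixlen"], r["point_to_point_mask_ok"],
            r["peer_covered_by_policy"], ", ".join(r["matching_raddr"]) or "none"))
```

Run against the mail's output this reports ip.tun0 with a /32 mask and its peer 192.168.100.1 inside 192.168.100.0/30, and ip.tun1 with the /29 it inherited from the unnumbered dmz address and its peer 103.0.0.33 inside 103.0.0.0/24; feeding it live `ifconfig -a` and `cat /etc/inet/ipsecinit.conf` output after a `svcadm restart svc:/network/physical:default` shows immediately whether the netmask was reset.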

_______________________________________________
networking-discuss mailing list
[email protected]
