Hi,

Yes, they can. However, you can't use the same tun device name, e.g. tun0, in the 
GZ and NGZ, as the tun module is not zone aware. See 
https://github.com/joyent/smartos-live/issues/626.

Adam

> On Nov 25, 2016, at 8:15 AM, Jim Klimov <jimkli...@cos.ru> wrote:
> 
> On November 24, 2016, 23:30:06 CET, benta...@chez.com wrote:
>> Ok, I see.
>> If I follow the SFE way, could I have an issue running OpenVPN server
>> over TUN on GZ and wanting to run Openconnect client over TUN in NGZ?
>> Like the device /dev/tun is both used in GZ and NGZ.
>> 
>> Best regards.
>> Ben
>> 
>> ----- Original Message -----
>> From: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
>> To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>
>> Sent: Friday, November 25, 2016 10:16:51
>> Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>> 
>> For SFE we've solved this by just adding the driver modules to the NGZ
>> as dead files. So there is no install constraint regarding zones-type.
>> That way the IPS dependency just matches in any case.
>> 
>> I use a driver match rule in the NGZ to get tun passed through:
>> <device match="/dev/tun"/>
>> 
>> Thomas
>> 
>> On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
>>> By the way, is there a way to install openconnect in a zone?
>>> I can't seem to get it running because tap driver doesn't want to install:
>>> 
>>> vpnzone# pkg install openconnect
>>> Creating Plan (Running solver): |
>>> pkg install: No matching version of network/openconnect can be installed:
>>>  Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>>>  Reason:  No version matching 'require' dependency driver/network/tap can be installed
>>>    ----------------------------------------
>>>    Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
>>>    Reason:  This version is excluded by installed incorporation consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
>>>    Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>>>             pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
>>>    Reason:  Package supports image variant variant.opensolaris.zone=[global] but doesn't support this image's variant.opensolaris.zone (nonglobal)
>>>    ----------------------------------------
>>>  Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>>>  Reason:  No version matching 'require' dependency driver/network/tap can be installed
>>> 
>>> 
>>> Best regards.
>>> Ben
>>> 
>>> ----- Original Message -----
>>> From: "Jim Klimov" <jimkli...@cos.ru>
>>> To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>, "Andrey Sokolov" <kere...@solaris.kirov.ru>
>>> Sent: Friday, November 25, 2016 07:07:36
>>> Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>> 
>>> On November 16, 2016, 14:02:44 CET, Andrey Sokolov <kere...@solaris.kirov.ru> wrote:
>>>> Hi!
>>>> I use
>>>> http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>>>> 
>>>> 2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
>>>> 
>>>>> Hi all,
>>>>> 
>>>>> I am faced with a prospect of connecting to a remote network behind Cisco
>>>>> IPSec VPN (the one with user, password, group and shared keys; will be
>>>>> practically trying sometime soon this week). Should I expect it to work in
>>>>> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
>>>>> I found so far (some hints about conf files and then ipadm tun commands) be
>>>>> relevant here? Or should I try some other OS right away?
>>>>> 
>>>>> TIA, Jim
>>>>> --
>>>>> Typos courtesy of K-9 Mail on my Samsung Android
>>>>> 
>>>>> _______________________________________________
>>>>> openindiana-discuss mailing list
>>>>> openindiana-discuss@openindiana.org
>>>>> https://openindiana.org/mailman/listinfo/openindiana-discuss
>>>>> 
>>> 
>>> Thanks,
>>> 
>>> In the end vpnc did work for me; also I saw that openconnect could
>>> connect to Juniper/Cisco SSL VPNs... so I couldn't resist and now both
>>> are packaged in OI/Hipster userland ;)
>>> 
>>> Thanks,
>>> Jim
>>> --
>>> Typos courtesy of K-9 Mail on my Samsung Android
>>> 
>> 
>> -- 
>> -- 
>> Thomas Wagner
>> 
>> ------------------------------------------------------------------------
>> Service rund um UNIX(TM),     Wagner Network Services, Thomas Wagner
>> Solaris(TM), Linux(TM)        Eschenweg 21, 89174 Altheim, Germany
>> Windows(TM)                   TEL: +49-731-9807799, FAX: +49-731-9807711
>> Telekommunikation, LAN,       MOBILE/CELL: +49-171-6135989
>> Internet-Service, Elektronik  EMAIL: wag...@wagner-net.com
>> 
> 
> I think this coexistence should not be a problem - several programs can call 
> the tun/tap driver interfaces to spawn and tear down virtual tunX or tapY IP 
> interfaces. I don't think it matters from which zone the request comes to the 
> driver, although with 'match' it may be that all zones will see all such NICs 
> (not sure about IP side). So far I used openvpn in either a gz or ngz on a 
> single machine, so do not have practice mixing that (would ip stack go crazy 
> or not?).
> 
> If you can experiment and find this does not blow up to coexist, please write 
> ;) PRs also welcome, but at least info from the trenches would be good...
> 
> Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
> 