Re: [OpenIndiana-discuss] Cisco IPSec VPN
Hi all,

OK, with match=/dev/tun and match=/dev/tap in the zone configuration, it is working like a charm. I can connect to a Cisco VPN from the NGZ and keep the OpenVPN server running (and serving clients) in the GZ. Thanks for your great work.

Something that I noticed is that when I stop the openconnect process, it (vpnc?) doesn't restore /etc/resolv.conf, which ends up in non-functional name resolution in the NGZ. I'll try to check if there is a way to tell it "before quitting, restore resolv.conf".

Superb!

Best regards.
Ben

----- Original message -----
From: "Jim Klimov" <jimkli...@cos.ru>
To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>, "Adam Števko" <adam.ste...@gmail.com>
Sent: Sunday, 27 November 2016 06:52:59
Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN

On 26 November 2016 14:46:17 CET, "Adam Števko" <adam.ste...@gmail.com> wrote:
> Hi,
>
> yes, they can. However, you can’t use the same tun device name e.g.
> tun0 in the GZ and NGZ as tun module is not zone aware. See
> <https://github.com/joyent/smartos-live/issues/626>.
>
> Adam
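The wish in the message above ("before quitting, restore resolv.conf") can be met with a small wrapper around the VPN client. This is an added example, not code from the thread or from openconnect/vpnc; the helper name `run_with_resolv_restore`, the demo values and `vpn.example.com` are assumptions.

```shell
#!/bin/sh
# Added example: run a VPN client and put the resolver file back when the
# client exits, whichever component rewrote it during the session.

# Usage: run_with_resolv_restore RESOLV_FILE COMMAND [ARG...]
# The function body is a subshell "( ... )", so the traps and variables set
# here never leak into the calling shell.
run_with_resolv_restore() (
    resolv=$1
    shift
    backup=$(mktemp "${TMPDIR:-/tmp}/resolv.backup.XXXXXX") || exit 1
    cp "$resolv" "$backup" || { rm -f "$backup"; exit 1; }

    restore() {
        # Rewrite in place (cat >) instead of mv, so owner and mode of the
        # resolver file stay as they were before the session.
        if ! cmp -s "$backup" "$resolv"; then
            cat "$backup" > "$resolv"
            echo "restored $resolv" >&2
        fi
        rm -f "$backup"
    }

    # EXIT covers a normal client exit; the signal traps turn an interrupt
    # into an exit so the EXIT trap still runs.
    trap restore EXIT
    trap 'exit 129' HUP
    trap 'exit 130' INT
    trap 'exit 143' TERM

    "$@"
    exit $?   # hand the client's exit status back to the caller
)

# Constructed demo: a stand-in "client" overwrites a scratch resolver file,
# the way a VPN script would overwrite /etc/resolv.conf in the zone.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'nameserver 192.0.2.53\n' > "$dir/resolv.conf"
    run_with_resolv_restore "$dir/resolv.conf" \
        sh -c 'printf "nameserver 198.51.100.53\n" > "$1"' fake-vpn "$dir/resolv.conf"
    result=$(cat "$dir/resolv.conf")
    rm -rf "$dir"
    printf '%s\n' "$result"
}

demo

# Real use inside the zone (server name is a placeholder):
#   run_with_resolv_restore /etc/resolv.conf openconnect vpn.example.com
```

A signal sent only to the wrapper is handled after the client itself has exited, so stop the client (or interrupt the whole foreground job) rather than killing the wrapper alone.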
Re: [OpenIndiana-discuss] Cisco IPSec VPN
Hi,

yes, they can. However, you can’t use the same tun device name e.g. tun0 in the GZ and NGZ as tun module is not zone aware. See <https://github.com/joyent/smartos-live/issues/626>.

Adam

> On Nov 25, 2016, at 8:15 AM, Jim Klimov <jimkli...@cos.ru> wrote:
>
> On 24 November 2016 23:30:06 CET, benta...@chez.com wrote:
>> Ok, I see.
>> If I follow the SFE way, could I have an issue running OpenVPN server
>> over TUN on GZ and wanting to run Openconnect client over TUN in NGZ ?
>> Like the device /dev/tun is both used in GZ and NGZ.
>>
>> Best regards.
>> Ben
Re: [OpenIndiana-discuss] Cisco IPSec VPN
I'm sure the tun pseudo interface "tun" can take multiple clients using it at the same time. I see that "tun" interface as an interface which can send and receive packets through an API which is convenient to e.g. openconnect, openvpn and so on. Actual packages leave and enter the system through the regular interfaces of the global zone. This is the same as if a shared or an exclusive interface would be used with a NGZ.

Only exception I can see is, if you assign an exclusive interface to a NGZ; then this interface is out of reach for the tun interface. But this would need an investigation to be sure. And it would not change the game, as it's the already crypted stuff going over the wire.

Regards,
Thomas

On Thu, Nov 24, 2016 at 11:30:06PM +0100, benta...@chez.com wrote:
> Ok, I see.
> If I follow the SFE way, could I have an issue running OpenVPN server over
> TUN on GZ and wanting to run Openconnect client over TUN in NGZ ? Like the
> device /dev/tun is both used in GZ and NGZ.
>
> Best regards.
> Ben
Re: [OpenIndiana-discuss] Cisco IPSec VPN
Ok, I see.
If I follow the SFE way, could I have an issue running OpenVPN server over TUN on GZ and wanting to run Openconnect client over TUN in NGZ? Like the device /dev/tun is both used in GZ and NGZ.

Best regards.
Ben

----- Original message -----
From: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>
Sent: Friday, 25 November 2016 10:16:51
Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN

For SFE we've solved this by just adding the driver modules to the NGZ as dead files. So there is no install constraint regarding zones-type. That way the IPS dependency just matches in any case.

I use a driver match rule in the NGZ to get tun passed through:


Thomas
Re: [OpenIndiana-discuss] Cisco IPSec VPN
For SFE we've solved this by just adding the driver modules to the NGZ as dead files. So there is no install constraint regarding zones-type. That way the IPS dependency just matches in any case.

I use a driver match rule in the NGZ to get tun passed through:


Thomas

On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
> By the way, is there a way to install openconnect in a zone ?
> I can't seem to get it running because tap driver doesn't want to install :
>
> vpnzone# pkg install openconnect
> Creating Plan (Running solver): |
> pkg install: No matching version of network/openconnect can be installed:
>   Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>   Reason:  No version matching 'require' dependency driver/network/tap can be installed
>
>     Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
>     Reason:  This version is excluded by installed incorporation consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
>     Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>              pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
>     Reason:  Package supports image variant variant.opensolaris.zone=[global] but doesn't support this image's variant.opensolaris.zone (nonglobal)
>
>   Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>   Reason:  No version matching 'require' dependency driver/network/tap can be installed
>
> Best regards.
> Ben

--
Thomas Wagner

Services for UNIX(TM), Solaris(TM), Linux(TM), Windows(TM), telecommunications, LAN, Internet service, electronics

Wagner Network Services, Thomas Wagner
Eschenweg 21, 89174 Altheim, Germany
TEL: +49-731-9807799, FAX: +49-731-9807711
MOBILE/CELL: +49-171-6135989
EMAIL: wag...@wagner-net.com

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] Cisco IPSec VPN
By the way, is there a way to install openconnect in a zone?
I can't seem to get it running because tap driver doesn't want to install:

vpnzone# pkg install openconnect
Creating Plan (Running solver): |
pkg install: No matching version of network/openconnect can be installed:
  Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
  Reason:  No version matching 'require' dependency driver/network/tap can be installed

    Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
    Reason:  This version is excluded by installed incorporation consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
    Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
             pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
    Reason:  Package supports image variant variant.opensolaris.zone=[global] but doesn't support this image's variant.opensolaris.zone (nonglobal)

  Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
  Reason:  No version matching 'require' dependency driver/network/tap can be installed

Best regards.
Ben

----- Original message -----
From: "Jim Klimov" <jimkli...@cos.ru>
To: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>, "Andrey Sokolov" <kere...@solaris.kirov.ru>
Sent: Friday, 25 November 2016 07:07:36
Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN

Thanks,

In the end vpnc did work for me; also I saw that openconnect could connect to Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in OI/Hipster userland ;)

Thanks,
Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
Re: [OpenIndiana-discuss] Cisco IPSec VPN
On Thu Nov 24 19:07:36 2016 GMT+0100, Jim Klimov wrote:
> Thanks,
>
> In the end vpnc did work for me; also I saw that openconnect could connect to
> Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in
> OI/Hipster userland ;)

\o/

> Thanks,
> Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android

--
Thanks for sailing Jolla :)
Re: [OpenIndiana-discuss] Cisco IPSec VPN
On 16 November 2016 14:02:44 CET, Andrey Sokolov wrote:
>Hi!
>I use
>http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>
>2016-11-14 15:35 GMT+03:00 Jim Klimov:
>
>> Hi all,
>>
>> I am faced with a prospect of connecting to a remote network behind Cisco
>> IPSec VPN (the one with user, password, group and shared keys; will be
>> practically trying sometime soon this week). Should I expect it to work in
>> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
>> I found so far (some hints about conf files and then ipadm tun commands) be
>> relevant here? Or should I try some other OS right away?
>>
>> TIA, Jim
>> --
>> Typos courtesy of K-9 Mail on my Samsung Android

Thanks,

In the end vpnc did work for me; also I saw that openconnect could connect to Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in OI/Hipster userland ;)

Thanks,
Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
Re: [OpenIndiana-discuss] Cisco IPSec VPN
Please note that pkg.openindiana.org/sfe hasn't received updates for years. We just procrastinate a full deprecation. So this means, if someone wants to take that over, then get in contact.

But there is no strong need for this, as the party is now at http://sfe.opencsw.org

An automatic build system updates the packages and (usually) there are much more up-to-date versions. It contains LibreOffice4 as well. The source for the build recipes is the same, "spec-files-extra".

About VPN, I'm using openconnect (and openvpn) on a daily basis. If you need an updated version of vpnc, then please drop me a note.

Regards,
Thomas

On Wed, Nov 16, 2016 at 04:02:44PM +0300, Andrey Sokolov wrote:
> Hi!
> I use
> http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>
> 2016-11-14 15:35 GMT+03:00 Jim Klimov:
>
> > Hi all,
> >
> > I am faced with a prospect of connecting to a remote network behind Cisco
> > IPSec VPN (the one with user, password, group and shared keys; will be
> > practically trying sometime soon this week). Should I expect it to work in
> > OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
> > I found so far (some hints about conf files and then ipadm tun commands) be
> > relevant here? Or should I try some other OS right away?
Re: [OpenIndiana-discuss] Cisco IPSec VPN
Hi!
I use
http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z

2016-11-14 15:35 GMT+03:00 Jim Klimov:

> Hi all,
>
> I am faced with a prospect of connecting to a remote network behind Cisco
> IPSec VPN (the one with user, password, group and shared keys; will be
> practically trying sometime soon this week). Should I expect it to work in
> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
> I found so far (some hints about conf files and then ipadm tun commands) be
> relevant here? Or should I try some other OS right away?
>
> TIA, Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
Re: [OpenIndiana-discuss] Cisco IPSec VPN
On 14 November 2016 14:32:31 CET, the outsider <openindi...@out-side.nl> wrote:
>Not a single problem.
>
>I am using it 24/7 in the same setup.
>Just put your OI server in the network and set the gateway to the cisco VPN
>device..
>
>-Original message-
>From: Jim Klimov [mailto:jimkli...@cos.ru]
>Sent: Monday 14 November 2016 13:35
>To: OI-Discuss <openindiana-discuss@openindiana.org>
>Subject: [OpenIndiana-discuss] Cisco IPSec VPN
>
>Hi all,
>
>I am faced with a prospect of connecting to a remote network behind Cisco
>IPSec VPN (the one with user, password, group and shared keys; will be
>practically trying sometime soon this week). Should I expect it to work in
>OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
>I found so far (some hints about conf files and then ipadm tun commands) be
>relevant here? Or should I try some other OS right away?
>
>TIA, Jim
>--
>Typos courtesy of K-9 Mail on my Samsung Android

I'm on the other side, if I get your setup correctly - working as an (OI hopefully) client connecting to servers behind the cisco.
--
Typos courtesy of K-9 Mail on my Samsung Android
Re: [OpenIndiana-discuss] Cisco IPSec VPN
Unfortunately I had to resort to "StrongSwan", which meant Linux or BSD ... It's a good product though and was very easy to configure.

Jon

On 14 November 2016 at 13:32, the outsider <openindi...@out-side.nl> wrote:
> Not a single problem.
>
> I am using it 24/7 in the same setup.
> Just put your OI server in the network and set the gateway to the cisco VPN
> device..
>
> -Original message-
> From: Jim Klimov [mailto:jimkli...@cos.ru]
> Sent: Monday 14 November 2016 13:35
> To: OI-Discuss <openindiana-discuss@openindiana.org>
> Subject: [OpenIndiana-discuss] Cisco IPSec VPN
>
> Hi all,
>
> I am faced with a prospect of connecting to a remote network behind Cisco
> IPSec VPN (the one with user, password, group and shared keys; will be
> practically trying sometime soon this week). Should I expect it to work in
> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
> I found so far (some hints about conf files and then ipadm tun commands) be
> relevant here? Or should I try some other OS right away?
>
> TIA, Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
Re: [OpenIndiana-discuss] Cisco IPSec VPN
Not a single problem.

I am using it 24/7 in the same setup.
Just put your OI server in the network and set the gateway to the cisco VPN device..

-Original message-
From: Jim Klimov [mailto:jimkli...@cos.ru]
Sent: Monday 14 November 2016 13:35
To: OI-Discuss <openindiana-discuss@openindiana.org>
Subject: [OpenIndiana-discuss] Cisco IPSec VPN

Hi all,

I am faced with a prospect of connecting to a remote network behind Cisco IPSec VPN (the one with user, password, group and shared keys; will be practically trying sometime soon this week). Should I expect it to work in OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs I found so far (some hints about conf files and then ipadm tun commands) be relevant here? Or should I try some other OS right away?

TIA, Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
[OpenIndiana-discuss] Cisco IPSec VPN
Hi all,

I am faced with a prospect of connecting to a remote network behind Cisco IPSec VPN (the one with user, password, group and shared keys; will be practically trying sometime soon this week). Should I expect it to work in OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs I found so far (some hints about conf files and then ipadm tun commands) be relevant here? Or should I try some other OS right away?

TIA, Jim
--
Typos courtesy of K-9 Mail on my Samsung Android