Re: [OpenIndiana-discuss] Cisco IPSec VPN

[bentahyr]

Hi all,
Ok with match=/dev/tun and match=/dev/tap in zone configuration, it working 
like a charm.
I can connect to a Cisco VPN from the NGZ and keep the OpenVPN server running 
(and serving clients) in the GZ.

Thanks for your great work.
Something that I notice is when I stop the openconnect process, it (vpnc?) 
doesn't restore the /etc/resolv.conf which ends up in a non functional name 
resolution in the NGZ.
I'll try to check if there is a way to tell "before quitting, restore 
resolv.conf"


Superb!

Best regards.
Ben

- Mail original -
De: "Jim Klimov" <jimkli...@cos.ru>
À: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>, 
"Adam Števko" <adam.ste...@gmail.com>
Envoyé: Dimanche 27 Novembre 2016 06:52:59
Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN

26 ноября 2016 г. 14:46:17 CET, "Adam Števko" <adam.ste...@gmail.com> пишет:
>Hi,
>
>yes, they can. However, you can’t use the same tun device name e.g.
>tun0 in the GZ and NGZ as tun module is not zone aware. See
>https://github.com/joyent/smartos-live/issues/626
><https://github.com/joyent/smartos-live/issues/626>.
>
>Adam
>
>> On Nov 25, 2016, at 8:15 AM, Jim Klimov <jimkli...@cos.ru> wrote:
>> 
>> 24 ноября 2016 г. 23:30:06 CET, benta...@chez.com пишет:
>>> Ok, I see.
>>> If I follow the SFE way, could I have an issue running OpenVPN
>server
>>> over TUN on GZ and wanting to run Openconnect client over TUN in NGZ
>?
>>> Like the device /dev/tun is both used in GZ and NGZ.
>>> 
>>> Best regards.
>>> Ben
>>> 
>>> - Mail original -
>>> De: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
>>> À: "Discussion list for OpenIndiana"
>>> <openindiana-discuss@openindiana.org>
>>> Envoyé: Vendredi 25 Novembre 2016 10:16:51
>>> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>> 
>>> For SFE we've solved this by just adding the driver modules to the
>NGZ
>>> as dead files. So there is no install contraint regarding
>zones-type.
>>> That way the IPS dependency just matches in any case.
>>> 
>>> I use a driver match rule in the NGZ to get tun passed through:
>>> 
>>> 
>>> Thomas
>>> 
>>> On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
>>>> By the way, is there a way to install openconnect in a zone ?
>>>> I can't seem to get it running because tap driver doesn't want to
>>> install :
>>>> 
>>>> vpnzone# pkg install openconnect
>>>> Creating Plan (Running solver): |
>>>> pkg install: No matching version of network/openconnect can be
>>> installed:
>>>>  Reject: 
>>>
>pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>>>>  Reason:  No version matching 'require' dependency
>>> driver/network/tap can be installed
>>>>
>>>>Reject: 
>>>
>pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
>>>>Reason:  This version is excluded by installed incorporation
>>> consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
>>>>Reject: 
>>>
>pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>>>> 
>>>
>pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
>>>>Reason:  Package supports image variant
>>> variant.opensolaris.zone=[global] but doesn't support this image's
>>> variant.opensolaris.zone (nonglobal)
>>>>
>>>>  Reject: 
>>>
>pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>>>>  Reason:  No version matching 'require' dependency
>>> driver/network/tap can be installed
>>>> 
>>>> 
>>>> Best regards.
>>>> Ben
>>>> 
>>>> - Mail original -
>>>> De: "Jim Klimov" <jimkli...@cos.ru>
>>>> À: "Discussion list for OpenIndiana"
>>> <openindiana-discuss@openindiana.org>, "Andrey Sokolov"
>>> <kere...@solaris.kirov.ru>
>>>> Envoyé: Vendredi 25 Novembre 2016 07:07:36
>>>> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>>> 
>>>> 16 но�бр� 2016 г. 14:02:44 CET, Andrey Sokolov
>>> <kere...@solaris.kirov.ru> пишет:
>>>

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Jim Klimov]

26 ноября 2016 г. 14:46:17 CET, "Adam Števko" <adam.ste...@gmail.com> пишет:
>Hi,
>
>yes, they can. However, you can’t use the same tun device name e.g.
>tun0 in the GZ and NGZ as tun module is not zone aware. See
>https://github.com/joyent/smartos-live/issues/626
><https://github.com/joyent/smartos-live/issues/626>.
>
>Adam
>
>> On Nov 25, 2016, at 8:15 AM, Jim Klimov <jimkli...@cos.ru> wrote:
>> 
>> 24 ноября 2016 г. 23:30:06 CET, benta...@chez.com пишет:
>>> Ok, I see.
>>> If I follow the SFE way, could I have an issue running OpenVPN
>server
>>> over TUN on GZ and wanting to run Openconnect client over TUN in NGZ
>?
>>> Like the device /dev/tun is both used in GZ and NGZ.
>>> 
>>> Best regards.
>>> Ben
>>> 
>>> - Mail original -
>>> De: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
>>> À: "Discussion list for OpenIndiana"
>>> <openindiana-discuss@openindiana.org>
>>> Envoyé: Vendredi 25 Novembre 2016 10:16:51
>>> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>> 
>>> For SFE we've solved this by just adding the driver modules to the
>NGZ
>>> as dead files. So there is no install contraint regarding
>zones-type.
>>> That way the IPS dependency just matches in any case.
>>> 
>>> I use a driver match rule in the NGZ to get tun passed through:
>>> 
>>> 
>>> Thomas
>>> 
>>> On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
>>>> By the way, is there a way to install openconnect in a zone ?
>>>> I can't seem to get it running because tap driver doesn't want to
>>> install :
>>>> 
>>>> vpnzone# pkg install openconnect
>>>> Creating Plan (Running solver): |
>>>> pkg install: No matching version of network/openconnect can be
>>> installed:
>>>>  Reject: 
>>>
>pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>>>>  Reason:  No version matching 'require' dependency
>>> driver/network/tap can be installed
>>>>
>>>>Reject: 
>>>
>pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
>>>>Reason:  This version is excluded by installed incorporation
>>> consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
>>>>Reject: 
>>>
>pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>>>> 
>>>
>pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
>>>>Reason:  Package supports image variant
>>> variant.opensolaris.zone=[global] but doesn't support this image's
>>> variant.opensolaris.zone (nonglobal)
>>>>
>>>>  Reject: 
>>>
>pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>>>>  Reason:  No version matching 'require' dependency
>>> driver/network/tap can be installed
>>>> 
>>>> 
>>>> Best regards.
>>>> Ben
>>>> 
>>>> - Mail original -
>>>> De: "Jim Klimov" <jimkli...@cos.ru>
>>>> À: "Discussion list for OpenIndiana"
>>> <openindiana-discuss@openindiana.org>, "Andrey Sokolov"
>>> <kere...@solaris.kirov.ru>
>>>> Envoyé: Vendredi 25 Novembre 2016 07:07:36
>>>> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>>> 
>>>> 16 но�бр� 2016 г. 14:02:44 CET, Andrey Sokolov
>>> <kere...@solaris.kirov.ru> пишет:
>>>>> Hi!
>>>>> I use
>>>> 
>>>>
>http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>>>>> 
>>>>> 2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
>>>>> 
>>>>>> Hi all,
>>>>>> 
>>>>>> I am faced with a prospect of connecting to a remote network
>>> behind
>>>>> Cisco
>>>>>> IPSec VPN (the one with user, password, group and shared keys;
>>> will
>>>>> be
>>>>>> practically trying sometime soon this week). Should I expect it
>to
>>>>> work in
>>>>>> OI Hipster out of the box? Are there docs/blogs on it, or would
>>&g

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Adam Števko]

Hi,

yes, they can. However, you can’t use the same tun device name e.g. tun0 in the 
GZ and NGZ as tun module is not zone aware. See 
https://github.com/joyent/smartos-live/issues/626 
<https://github.com/joyent/smartos-live/issues/626>.

Adam

> On Nov 25, 2016, at 8:15 AM, Jim Klimov <jimkli...@cos.ru> wrote:
> 
> 24 ноября 2016 г. 23:30:06 CET, benta...@chez.com пишет:
>> Ok, I see.
>> If I follow the SFE way, could I have an issue running OpenVPN server
>> over TUN on GZ and wanting to run Openconnect client over TUN in NGZ ?
>> Like the device /dev/tun is both used in GZ and NGZ.
>> 
>> Best regards.
>> Ben
>> 
>> - Mail original -
>> De: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
>> À: "Discussion list for OpenIndiana"
>> <openindiana-discuss@openindiana.org>
>> Envoyé: Vendredi 25 Novembre 2016 10:16:51
>> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>> 
>> For SFE we've solved this by just adding the driver modules to the NGZ
>> as dead files. So there is no install contraint regarding zones-type.
>> That way the IPS dependency just matches in any case.
>> 
>> I use a driver match rule in the NGZ to get tun passed through:
>> 
>> 
>> Thomas
>> 
>> On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
>>> By the way, is there a way to install openconnect in a zone ?
>>> I can't seem to get it running because tap driver doesn't want to
>> install :
>>> 
>>> vpnzone# pkg install openconnect
>>> Creating Plan (Running solver): |
>>> pkg install: No matching version of network/openconnect can be
>> installed:
>>>  Reject: 
>> pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>>>  Reason:  No version matching 'require' dependency
>> driver/network/tap can be installed
>>>
>>>Reject: 
>> pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
>>>Reason:  This version is excluded by installed incorporation
>> consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
>>>Reject: 
>> pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>>> 
>> pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
>>>Reason:  Package supports image variant
>> variant.opensolaris.zone=[global] but doesn't support this image's
>> variant.opensolaris.zone (nonglobal)
>>>
>>>  Reject: 
>> pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>>>  Reason:  No version matching 'require' dependency
>> driver/network/tap can be installed
>>> 
>>> 
>>> Best regards.
>>> Ben
>>> 
>>> - Mail original -
>>> De: "Jim Klimov" <jimkli...@cos.ru>
>>> À: "Discussion list for OpenIndiana"
>> <openindiana-discuss@openindiana.org>, "Andrey Sokolov"
>> <kere...@solaris.kirov.ru>
>>> Envoyé: Vendredi 25 Novembre 2016 07:07:36
>>> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>> 
>>> 16 но�бр� 2016 г. 14:02:44 CET, Andrey Sokolov
>> <kere...@solaris.kirov.ru> пишет:
>>>> Hi!
>>>> I use
>>> 
>>> http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>>>> 
>>>> 2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
>>>> 
>>>>> Hi all,
>>>>> 
>>>>> I am faced with a prospect of connecting to a remote network
>> behind
>>>> Cisco
>>>>> IPSec VPN (the one with user, password, group and shared keys;
>> will
>>>> be
>>>>> practically trying sometime soon this week). Should I expect it to
>>>> work in
>>>>> OI Hipster out of the box? Are there docs/blogs on it, or would
>>>> Oracle docs
>>>>> I found so far (some hints about conf files and then ipadm tun
>>>> commands) be
>>>>> relevant here? Or should I try some other OS right away?
>>>>> 
>>>>> TIA, Jim
>>>>> --
>>>>> Typos courtesy of K-9 Mail on my Samsung Android
>>>>> 
>>>>> ___
>>>>> openindiana-discuss mailing list
>>>>

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Jim Klimov]

25 ноября 2016 г. 8:15:40 CET, Jim Klimov <jimkli...@cos.ru> пишет:
>24 ноября 2016 г. 23:30:06 CET, benta...@chez.com пишет:
>>Ok, I see.
>>If I follow the SFE way, could I have an issue running OpenVPN server
>>over TUN on GZ and wanting to run Openconnect client over TUN in NGZ ?
>>Like the device /dev/tun is both used in GZ and NGZ.
>>
>>Best regards.
>>Ben
>>
>>- Mail original -
>>De: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
>>À: "Discussion list for OpenIndiana"
>><openindiana-discuss@openindiana.org>
>>Envoyé: Vendredi 25 Novembre 2016 10:16:51
>>Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>
>>For SFE we've solved this by just adding the driver modules to the NGZ
>>as dead files. So there is no install contraint regarding zones-type.
>>That way the IPS dependency just matches in any case.
>>
>>I use a driver match rule in the NGZ to get tun passed through:
>>
>>
>>Thomas
>>
>>On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
>>> By the way, is there a way to install openconnect in a zone ?
>>> I can't seem to get it running because tap driver doesn't want to
>>install :
>>> 
>>> vpnzone# pkg install openconnect
>>> Creating Plan (Running solver): |
>>> pkg install: No matching version of network/openconnect can be
>>installed:
>>>   Reject: 
>>pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>>>   Reason:  No version matching 'require' dependency
>>driver/network/tap can be installed
>>> 
>>> Reject: 
>>pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
>>> Reason:  This version is excluded by installed incorporation
>>consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
>>> Reject: 
>>pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>>> 
>>pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
>>> Reason:  Package supports image variant
>>variant.opensolaris.zone=[global] but doesn't support this image's
>>variant.opensolaris.zone (nonglobal)
>>> 
>>>   Reject: 
>>pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>>>   Reason:  No version matching 'require' dependency
>>driver/network/tap can be installed
>>> 
>>> 
>>> Best regards.
>>> Ben
>>> 
>>> - Mail original -
>>> De: "Jim Klimov" <jimkli...@cos.ru>
>>> À: "Discussion list for OpenIndiana"
>><openindiana-discuss@openindiana.org>, "Andrey Sokolov"
>><kere...@solaris.kirov.ru>
>>> Envoyé: Vendredi 25 Novembre 2016 07:07:36
>>> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>> 
>>> 16 но�бр� 2016 г. 14:02:44 CET, Andrey Sokolov
>><kere...@solaris.kirov.ru> пишет:
>>> >Hi!
>>> >I use
>>>
>>>http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>>> >
>>> >2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
>>> >
>>> >> Hi all,
>>> >>
>>> >> I am faced with a prospect of connecting to a remote network
>>behind
>>> >Cisco
>>> >> IPSec VPN (the one with user, password, group and shared keys;
>>will
>>> >be
>>> >> practically trying sometime soon this week). Should I expect it
>to
>>> >work in
>>> >> OI Hipster out of the box? Are there docs/blogs on it, or would
>>> >Oracle docs
>>> >> I found so far (some hints about conf files and then ipadm tun
>>> >commands) be
>>> >> relevant here? Or should I try some other OS right away?
>>> >>
>>> >> TIA, Jim
>>> >> --
>>> >> Typos courtesy of K-9 Mail on my Samsung Android
>>> >>
>>> >> ___
>>> >> openindiana-discuss mailing list
>>> >> openindiana-discuss@openindiana.org
>>> >> https://openindiana.org/mailman/listinfo/openindiana-discuss
>>> >>
>>> >___
>>> >openindiana-discuss mailing list
>>> &

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Thomas Wagner]

I'm sure the tun pseudo interface "tun" can take multiple
clients using it at the same time.
I see that "tun" interface as an interface which can send
and recive packets through an API which is convenient to
e.g. openconnect, openvpn and so on.

Actual packages leave and enter the system through the regular
interaces of the global zone. This is the same as if a shared
or an exclusive interface would be used with a NGZ. Only exception
I can see is, if you assign an exclusive interface to a NGZ;
then this interface is out of reach for the tun interface.
But this would need an investigation to be sure.
And it would not change the game, as its the already crypted
stuff going over the wire.

Regards,
Thomas


On Thu, Nov 24, 2016 at 11:30:06PM +0100, benta...@chez.com wrote:
> Ok, I see.
> If I follow the SFE way, could I have an issue running OpenVPN server over 
> TUN on GZ and wanting to run Openconnect client over TUN in NGZ ? Like the 
> device /dev/tun is both used in GZ and NGZ.
> 
> Best regards.
> Ben
> 
> - Mail original -
> De: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
> À: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>
> Envoyé: Vendredi 25 Novembre 2016 10:16:51
> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
> 
> For SFE we've solved this by just adding the driver modules to the NGZ
> as dead files. So there is no install contraint regarding zones-type.
> That way the IPS dependency just matches in any case.
> 
> I use a driver match rule in the NGZ to get tun passed through:
> 
> 
> Thomas
> 
> On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
> > By the way, is there a way to install openconnect in a zone ?
> > I can't seem to get it running because tap driver doesn't want to install :
> > 
> > vpnzone# pkg install openconnect
> > Creating Plan (Running solver): |
> > pkg install: No matching version of network/openconnect can be installed:
> >   Reject:  
> > pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
> >   Reason:  No version matching 'require' dependency driver/network/tap can 
> > be installed
> > 
> > Reject:  
> > pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
> > Reason:  This version is excluded by installed incorporation 
> > consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
> > Reject:  
> > pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
> >  
> > pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
> > Reason:  Package supports image variant 
> > variant.opensolaris.zone=[global] but doesn't support this image's 
> > variant.opensolaris.zone (nonglobal)
> > 
> >   Reject:  
> > pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
> >   Reason:  No version matching 'require' dependency driver/network/tap can 
> > be installed
> > 
> > 
> > Best regards.
> > Ben
> > 
> > - Mail original -
> > De: "Jim Klimov" <jimkli...@cos.ru>
> > À: "Discussion list for OpenIndiana" 
> > <openindiana-discuss@openindiana.org>, "Andrey Sokolov" 
> > <kere...@solaris.kirov.ru>
> > Envoyé: Vendredi 25 Novembre 2016 07:07:36
> > Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
> > 
> > 16 но�бр� 2016 г. 14:02:44 CET, Andrey Sokolov 
> > <kere...@solaris.kirov.ru> пишет:
> > >Hi!
> > >I use
> > >http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
> > >
> > >2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
> > >
> > >> Hi all,
> > >>
> > >> I am faced with a prospect of connecting to a remote network behind
> > >Cisco
> > >> IPSec VPN (the one with user, password, group and shared keys; will
> > >be
> > >> practically trying sometime soon this week). Should I expect it to
> > >work in
> > >> OI Hipster out of the box? Are there docs/blogs on it, or would
> > >Oracle docs
> > >> I found so far (some hints about conf files and then ipadm tun
> > >commands) be
> > >> relevant here? Or should I try some other OS right away?
> > >>
> > >> TIA, Jim
> > >> --
> > >> Typos courtesy of K-9 Mai

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[bentahyr]

Ok, I see.
If I follow the SFE way, could I have an issue running OpenVPN server over TUN 
on GZ and wanting to run Openconnect client over TUN in NGZ ? Like the device 
/dev/tun is both used in GZ and NGZ.

Best regards.
Ben

- Mail original -
De: "Thomas Wagner" <tom-oi-disc...@tom.bn-ulm.de>
À: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>
Envoyé: Vendredi 25 Novembre 2016 10:16:51
Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN

For SFE we've solved this by just adding the driver modules to the NGZ
as dead files. So there is no install contraint regarding zones-type.
That way the IPS dependency just matches in any case.

I use a driver match rule in the NGZ to get tun passed through:


Thomas

On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
> By the way, is there a way to install openconnect in a zone ?
> I can't seem to get it running because tap driver doesn't want to install :
> 
> vpnzone# pkg install openconnect
> Creating Plan (Running solver): |
> pkg install: No matching version of network/openconnect can be installed:
>   Reject:  
> pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>   Reason:  No version matching 'require' dependency driver/network/tap can be 
> installed
> 
> Reject:  
> pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
> Reason:  This version is excluded by installed incorporation 
> consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
> Reject:  
> pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>  
> pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
> Reason:  Package supports image variant variant.opensolaris.zone=[global] 
> but doesn't support this image's variant.opensolaris.zone (nonglobal)
> 
>   Reject:  
> pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>   Reason:  No version matching 'require' dependency driver/network/tap can be 
> installed
> 
> 
> Best regards.
> Ben
> 
> - Mail original -
> De: "Jim Klimov" <jimkli...@cos.ru>
> À: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>, 
> "Andrey Sokolov" <kere...@solaris.kirov.ru>
> Envoyé: Vendredi 25 Novembre 2016 07:07:36
> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
> 
> 16 но�бр� 2016 г. 14:02:44 CET, Andrey Sokolov 
> <kere...@solaris.kirov.ru> пишет:
> >Hi!
> >I use
> >http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
> >
> >2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
> >
> >> Hi all,
> >>
> >> I am faced with a prospect of connecting to a remote network behind
> >Cisco
> >> IPSec VPN (the one with user, password, group and shared keys; will
> >be
> >> practically trying sometime soon this week). Should I expect it to
> >work in
> >> OI Hipster out of the box? Are there docs/blogs on it, or would
> >Oracle docs
> >> I found so far (some hints about conf files and then ipadm tun
> >commands) be
> >> relevant here? Or should I try some other OS right away?
> >>
> >> TIA, Jim
> >> --
> >> Typos courtesy of K-9 Mail on my Samsung Android
> >>
> >> ___
> >> openindiana-discuss mailing list
> >> openindiana-discuss@openindiana.org
> >> https://openindiana.org/mailman/listinfo/openindiana-discuss
> >>
> >___
> >openindiana-discuss mailing list
> >openindiana-discuss@openindiana.org
> >https://openindiana.org/mailman/listinfo/openindiana-discuss
> 
> Thanks,
> 
> In the end vpnc did work for me; also I saw that openconnect could connect to 
> Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in 
> OI/Hipster userland ;)
> 
> Thanks,
> Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
> 
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
> 
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
> 

-- 
-- 
Thomas Wagner

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Thomas Wagner]

For SFE we've solved this by just adding the driver modules to the NGZ
as dead files. So there is no install contraint regarding zones-type.
That way the IPS dependency just matches in any case.

I use a driver match rule in the NGZ to get tun passed through:


Thomas

On Thu, Nov 24, 2016 at 09:15:11PM +0100, benta...@chez.com wrote:
> By the way, is there a way to install openconnect in a zone ?
> I can't seem to get it running because tap driver doesn't want to install :
> 
> vpnzone# pkg install openconnect
> Creating Plan (Running solver): |
> pkg install: No matching version of network/openconnect can be installed:
>   Reject:  
> pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>   Reason:  No version matching 'require' dependency driver/network/tap can be 
> installed
> 
> Reject:  
> pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
> Reason:  This version is excluded by installed incorporation 
> consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
> Reject:  
> pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>  
> pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
> Reason:  Package supports image variant variant.opensolaris.zone=[global] 
> but doesn't support this image's variant.opensolaris.zone (nonglobal)
> 
>   Reject:  
> pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>   Reason:  No version matching 'require' dependency driver/network/tap can be 
> installed
> 
> 
> Best regards.
> Ben
> 
> - Mail original -
> De: "Jim Klimov" <jimkli...@cos.ru>
> À: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>, 
> "Andrey Sokolov" <kere...@solaris.kirov.ru>
> Envoyé: Vendredi 25 Novembre 2016 07:07:36
> Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN
> 
> 16 ноября 2016 г. 14:02:44 CET, Andrey Sokolov 
> <kere...@solaris.kirov.ru> пишет:
> >Hi!
> >I use
> >http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
> >
> >2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
> >
> >> Hi all,
> >>
> >> I am faced with a prospect of connecting to a remote network behind
> >Cisco
> >> IPSec VPN (the one with user, password, group and shared keys; will
> >be
> >> practically trying sometime soon this week). Should I expect it to
> >work in
> >> OI Hipster out of the box? Are there docs/blogs on it, or would
> >Oracle docs
> >> I found so far (some hints about conf files and then ipadm tun
> >commands) be
> >> relevant here? Or should I try some other OS right away?
> >>
> >> TIA, Jim
> >> --
> >> Typos courtesy of K-9 Mail on my Samsung Android
> >>
> >> ___
> >> openindiana-discuss mailing list
> >> openindiana-discuss@openindiana.org
> >> https://openindiana.org/mailman/listinfo/openindiana-discuss
> >>
> >___
> >openindiana-discuss mailing list
> >openindiana-discuss@openindiana.org
> >https://openindiana.org/mailman/listinfo/openindiana-discuss
> 
> Thanks,
> 
> In the end vpnc did work for me; also I saw that openconnect could connect to 
> Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in 
> OI/Hipster userland ;)
> 
> Thanks,
> Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
> 
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
> 
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
> 

-- 
-- 
Thomas Wagner


Service rund um UNIX(TM), Wagner Network Services, Thomas Wagner
Solaris(TM), Linux(TM)Eschenweg 21, 89174 Altheim, Germany
Windows(TM)   TEL: +49-731-9807799, FAX: +49-731-9807711
Telekommunikation, LAN,   MOBILE/CELL: +49-171-6135989
Internet-Service, Elektronik  EMAIL: wag...@wagner-net.com

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[bentahyr]

By the way, is there a way to install openconnect in a zone ?
I can't seem to get it running because tap driver doesn't want to install :

vpnzone# pkg install openconnect
Creating Plan (Running solver): |
pkg install: No matching version of network/openconnect can be installed:
  Reject:  
pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
  Reason:  No version matching 'require' dependency driver/network/tap can be 
installed

Reject:  
pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
Reason:  This version is excluded by installed incorporation 
consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
Reject:  
pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
 
pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
Reason:  Package supports image variant variant.opensolaris.zone=[global] 
but doesn't support this image's variant.opensolaris.zone (nonglobal)

  Reject:  
pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
  Reason:  No version matching 'require' dependency driver/network/tap can be 
installed


Best regards.
Ben

- Mail original -
De: "Jim Klimov" <jimkli...@cos.ru>
À: "Discussion list for OpenIndiana" <openindiana-discuss@openindiana.org>, 
"Andrey Sokolov" <kere...@solaris.kirov.ru>
Envoyé: Vendredi 25 Novembre 2016 07:07:36
Objet: Re: [OpenIndiana-discuss] Cisco IPSec VPN

16 ноября 2016 г. 14:02:44 CET, Andrey Sokolov <kere...@solaris.kirov.ru> пишет:
>Hi!
>I use
>http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>
>2016-11-14 15:35 GMT+03:00 Jim Klimov <jimkli...@cos.ru>:
>
>> Hi all,
>>
>> I am faced with a prospect of connecting to a remote network behind
>Cisco
>> IPSec VPN (the one with user, password, group and shared keys; will
>be
>> practically trying sometime soon this week). Should I expect it to
>work in
>> OI Hipster out of the box? Are there docs/blogs on it, or would
>Oracle docs
>> I found so far (some hints about conf files and then ipadm tun
>commands) be
>> relevant here? Or should I try some other OS right away?
>>
>> TIA, Jim
>> --
>> Typos courtesy of K-9 Mail on my Samsung Android
>>
>> ___
>> openindiana-discuss mailing list
>> openindiana-discuss@openindiana.org
>> https://openindiana.org/mailman/listinfo/openindiana-discuss
>>
>___
>openindiana-discuss mailing list
>openindiana-discuss@openindiana.org
>https://openindiana.org/mailman/listinfo/openindiana-discuss

Thanks,

In the end vpnc did work for me; also I saw that openconnect could connect to 
Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in 
OI/Hipster userland ;)

Thanks,
Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Aurélien Larcher]

À jeu. nov. 24 19:07:36 2016 GMT+0100, Jim Klimov a écrit :
> 16 ноября 2016 г. 14:02:44 CET, Andrey Sokolov  
> пишет:
> >Hi!
> >I use
> >http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
> >
> >2016-11-14 15:35 GMT+03:00 Jim Klimov :
> >
> >> Hi all,
> >>
> >> I am faced with a prospect of connecting to a remote network behind
> >Cisco
> >> IPSec VPN (the one with user, password, group and shared keys; will
> >be
> >> practically trying sometime soon this week). Should I expect it to
> >work in
> >> OI Hipster out of the box? Are there docs/blogs on it, or would
> >Oracle docs
> >> I found so far (some hints about conf files and then ipadm tun
> >commands) be
> >> relevant here? Or should I try some other OS right away?
> >>
> >> TIA, Jim
> >> --
> >> Typos courtesy of K-9 Mail on my Samsung Android
> >>
> >> ___
> >> openindiana-discuss mailing list
> >> openindiana-discuss@openindiana.org
> >> https://openindiana.org/mailman/listinfo/openindiana-discuss
> >>
> >___
> >openindiana-discuss mailing list
> >openindiana-discuss@openindiana.org
> >https://openindiana.org/mailman/listinfo/openindiana-discuss
> 
> Thanks,
> 
> In the end vpnc did work for me; also I saw that openconnect could connect to 
> Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in 
> OI/Hipster userland ;)

\o/

> 
> Thanks,
> Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
> 
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
>

-- 
Thanks for sailing Jolla :)
___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Jim Klimov]

16 ноября 2016 г. 14:02:44 CET, Andrey Sokolov  пишет:
>Hi!
>I use
>http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>
>2016-11-14 15:35 GMT+03:00 Jim Klimov :
>
>> Hi all,
>>
>> I am faced with a prospect of connecting to a remote network behind
>Cisco
>> IPSec VPN (the one with user, password, group and shared keys; will
>be
>> practically trying sometime soon this week). Should I expect it to
>work in
>> OI Hipster out of the box? Are there docs/blogs on it, or would
>Oracle docs
>> I found so far (some hints about conf files and then ipadm tun
>commands) be
>> relevant here? Or should I try some other OS right away?
>>
>> TIA, Jim
>> --
>> Typos courtesy of K-9 Mail on my Samsung Android
>>
>> ___
>> openindiana-discuss mailing list
>> openindiana-discuss@openindiana.org
>> https://openindiana.org/mailman/listinfo/openindiana-discuss
>>
>___
>openindiana-discuss mailing list
>openindiana-discuss@openindiana.org
>https://openindiana.org/mailman/listinfo/openindiana-discuss

Thanks,

In the end vpnc did work for me; also I saw that openconnect could connect to 
Juniper/Cisco SSL VPNs... so I couldn't resist and now both are packaged in 
OI/Hipster userland ;)

Thanks,
Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Thomas Wagner]

Please note, that pkg.openindiana.org/sfe doesn't get updats since years.
We just procastinate a full deprecation. So this means, if someone wants
to take that over, then get in contact.

But there is no strong need for this, as the party is now
 athttp://sfe.opencsw.org 

An automatic build system updates the packages and (usually) there are
much more uptodate versions. It contains LibreOffice4 as well.

The source for the build recipes is the same, "spec-files-extra".

About VPN, I'm using openconnect (and openvpn) on a daily basis.

If you need an updated version of vpnc, then please drop me a note.

Regards,
Thomas



On Wed, Nov 16, 2016 at 04:02:44PM +0300, Andrey Sokolov wrote:
> Hi!
> I use
> http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
> 
> 2016-11-14 15:35 GMT+03:00 Jim Klimov :
> 
> > Hi all,
> >
> > I am faced with a prospect of connecting to a remote network behind Cisco
> > IPSec VPN (the one with user, password, group and shared keys; will be
> > practically trying sometime soon this week). Should I expect it to work in
> > OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
> > I found so far (some hints about conf files and then ipadm tun commands) be
> > relevant here? Or should I try some other OS right away?

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Andrey Sokolov]

Hi!
I use
http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z

2016-11-14 15:35 GMT+03:00 Jim Klimov :

> Hi all,
>
> I am faced with a prospect of connecting to a remote network behind Cisco
> IPSec VPN (the one with user, password, group and shared keys; will be
> practically trying sometime soon this week). Should I expect it to work in
> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
> I found so far (some hints about conf files and then ipadm tun commands) be
> relevant here? Or should I try some other OS right away?
>
> TIA, Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
>
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
>
___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Jim Klimov]

14 ноября 2016 г. 14:32:31 CET, the outsider <openindi...@out-side.nl> пишет:
>Not a single problem. 
>
>I am using it 24/7 in the same setup. 
>Just put your OI server in the network and set the gateway to the cisco
>VPN
>device.. 
>
>-Oorspronkelijk bericht-
>Van: Jim Klimov [mailto:jimkli...@cos.ru] 
>Verzonden: maandag 14 november 2016 13:35
>Aan: OI-Discuss <openindiana-discuss@openindiana.org>
>Onderwerp: [OpenIndiana-discuss] Cisco IPSec VPN
>
>Hi all,
>
>I am faced with a prospect of connecting to a remote network behind
>Cisco
>IPSec VPN (the one with user, password, group and shared keys; will be
>practically trying sometime soon this week). Should I expect it to work
>in
>OI Hipster out of the box? Are there docs/blogs on it, or would Oracle
>docs
>I found so far (some hints about conf files and then ipadm tun
>commands) be
>relevant here? Or should I try some other OS right away?
>
>TIA, Jim
>--
>Typos courtesy of K-9 Mail on my Samsung Android
>
>___
>openindiana-discuss mailing list
>openindiana-discuss@openindiana.org
>https://openindiana.org/mailman/listinfo/openindiana-discuss
>
>
>___
>openindiana-discuss mailing list
>openindiana-discuss@openindiana.org
>https://openindiana.org/mailman/listinfo/openindiana-discuss

I'm on the other side, if I get your setup correctly - working as an (OI 
hopefully) client connnecting to servers behind the cisco.
--
Typos courtesy of K-9 Mail on my Samsung Android

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[Jonathan Adams]

Unfortunately I had to resort to "StrongSwan", which meant Linux or BSD ...
It''s a good product though and was very easy to configure.

Jon

On 14 November 2016 at 13:32, the outsider <openindi...@out-side.nl> wrote:

> Not a single problem.
>
> I am using it 24/7 in the same setup.
> Just put your OI server in the network and set the gateway to the cisco VPN
> device..
>
> -Oorspronkelijk bericht-
> Van: Jim Klimov [mailto:jimkli...@cos.ru]
> Verzonden: maandag 14 november 2016 13:35
> Aan: OI-Discuss <openindiana-discuss@openindiana.org>
> Onderwerp: [OpenIndiana-discuss] Cisco IPSec VPN
>
> Hi all,
>
> I am faced with a prospect of connecting to a remote network behind Cisco
> IPSec VPN (the one with user, password, group and shared keys; will be
> practically trying sometime soon this week). Should I expect it to work in
> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
> I found so far (some hints about conf files and then ipadm tun commands) be
> relevant here? Or should I try some other OS right away?
>
> TIA, Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
>
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
>
>
> ___
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> https://openindiana.org/mailman/listinfo/openindiana-discuss
>
___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

Re: [OpenIndiana-discuss] Cisco IPSec VPN

[the outsider]

Not a single problem. 

I am using it 24/7 in the same setup. 
Just put your OI server in the network and set the gateway to the cisco VPN
device.. 

-Oorspronkelijk bericht-
Van: Jim Klimov [mailto:jimkli...@cos.ru] 
Verzonden: maandag 14 november 2016 13:35
Aan: OI-Discuss <openindiana-discuss@openindiana.org>
Onderwerp: [OpenIndiana-discuss] Cisco IPSec VPN

Hi all,

I am faced with a prospect of connecting to a remote network behind Cisco
IPSec VPN (the one with user, password, group and shared keys; will be
practically trying sometime soon this week). Should I expect it to work in
OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
I found so far (some hints about conf files and then ipadm tun commands) be
relevant here? Or should I try some other OS right away?

TIA, Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss


___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss

[OpenIndiana-discuss] Cisco IPSec VPN

[Jim Klimov]

Hi all,

I am faced with a prospect of connecting to a remote network behind Cisco IPSec 
VPN (the one with user, password, group and shared keys; will be practically 
trying sometime soon this week). Should I expect it to work in OI Hipster out 
of the box? Are there docs/blogs on it, or would Oracle docs I found so far 
(some hints about conf files and then ipadm tun commands) be relevant here? Or 
should I try some other OS right away?

TIA, Jim
--
Typos courtesy of K-9 Mail on my Samsung Android

___
openindiana-discuss mailing list
openindiana-discuss@openindiana.org
https://openindiana.org/mailman/listinfo/openindiana-discuss