> Has anyone a working example for Solaris IPSec tunnels?
> I've successfully configured Point-to-Point connections, but failing
> to use this as a tunnel.
> Especially, I don't know which values I have to use for the four ip-addresses
> on the tunnel interface, and don't know how to set the routing tables to use
> this tunnel.
Consider a packet on the wire:

    IP (src=outersrc, dst=outerdst)
    ESP
    [ IP (src=innersrc, dst=innerdst)
      TCP + data ]

To configure a tunnel like that, you need:

    ifconfig ip.tun0 plumb innersrc innerdst tsrc outersrc tdst outerdst \
        encr_algs <something> encr_auth_algs <something> up
The tunnel interface itself is topologically inside (or to use Red/Black
terminology, the tunnel is a Black interface). The tsrc/tdst are reachable
via interfaces on the outside network (or Red interfaces).
To add routes over the tunnel, do this:

    route add <prefix> innerdst
Keep in mind that if you have a default route outside, you cannot add a
default route inside.
I'm typing this note from a machine attached to the Internet that is using
IPsec to tunnel into Sun's internal network. (We do eat our own dog food
here!) Graphically, it looks like this:
    +----------------+
    | le0 (internet) |
    +-------+--------+
            |
        INTERNET
            |
       entry point
            |
      Sun's network
I've changed the addresses to protect the innocent, but here's what my
"netstat -r" and "ifconfig -a" look like. Pretend net 10.0.0.0/8 is the
Internet, and 191.255.0.0/16 is Sun's internal network.

    # netstat -rn
    Routing Table: IPv4
      Destination           Gateway           Flags  Ref   Use   Interface
    -------------------- -------------------- ----- ----- ------ ---------
    191.255.104.5        191.255.104.10        UH       1      9  ip.tun0
    10.69.33.1           10.5.221.1            UGH      1      5
    10.5.221.0           10.5.221.6            U        1      3  le0
    224.0.0.0            191.255.104.10        U        1      0  ip.tun0
    default              191.255.104.5         UG       1     14
    127.0.0.1            127.0.0.1             UH       4   6666  lo0

    # ifconfig -a
    lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
            inet 127.0.0.1 netmask ff000000
    le0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
            inet 10.5.221.6 netmask ffffff00 broadcast 10.5.221.255
            ether 8:0:20:90:51:d1
    ip.tun0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 3
            inet tunnel src 10.5.221.6   tunnel dst 10.69.33.1
            tunnel security settings  esp (3des-cbc/hmac-md5)
            inet 191.255.104.10 --> 191.255.104.5 netmask ffff0000
Notice that the only "red" off-link route is to the entry point
(10.69.33.1). The default route is sent over the tunnel (to 191.255.104.5).
Combine this with ip_strict_dst_multihoming set to 0 (per ndd(1m) on
/dev/ip), and a strict IPsec policy:
    # ipsecconf
    #INDEX 1
    {} permit {encr_algs 3des encr_auth_algs md5}
    #INDEX 2
    {} apply {encr_algs 3des encr_auth_algs md5 sa shared}
    #INDEX 3
    {saddr 129.150.104.10} bypass {dir out}
    #INDEX 4
    {daddr 129.150.104.10} bypass {dir in}
and I doubt anyone from the outside will be able to break my little
workstation unless they are inside Sun's network already.
I hope this helps.
--
Daniel L. McDonald - Solaris Internet Engineering || MY OPINIONS ARE NOT
1 Network Drive Burlington, MA |"rising falling at force ten
WWW: http://www.kebe.com/~danmcd | we twist the world and ride the wind" - Rush
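The layout described in the post has one property worth checking by machine: the only off-link route on the "red" (outer) side is a host route to the tunnel entry point, and the default route leaves through the tunnel. The following is an added example, not code from the post or from Solaris; it parses the `netstat -rn` and `ifconfig -a` output formats exactly as shown above and reports any cleartext off-link route that would bypass the tunnel. The sample outputs embedded in it are constructed from the post's already-anonymised addresses, and the "red/black" classification (a gateway that is a tunnel peer is black; a gateway on a connected non-tunnel network is red) is this example's own interpretation of the post.

```python
"""Audit a Solaris IPsec tunnel host for cleartext (red) off-link routes.

Added example, not from the original post. Assumes the netstat -rn / ifconfig -a
layouts shown in the post; sample outputs below are constructed from its addresses.
"""
import ipaddress
import re

# Constructed sample: ifconfig -a as printed in the post.
IFCONFIG = """\
lo0: flags=1000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4> mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
le0: flags=1004843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.5.221.6 netmask ffffff00 broadcast 10.5.221.255
ip.tun0: flags=10008d1<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST,IPv4> mtu 1480 index 3
        inet tunnel src 10.5.221.6   tunnel dst 10.69.33.1
        tunnel security settings  esp (3des-cbc/hmac-md5)
        inet 191.255.104.10 --> 191.255.104.5 netmask ffff0000
"""

# Constructed sample: netstat -rn as printed in the post.
NETSTAT = """\
Routing Table: IPv4
  Destination           Gateway           Flags  Ref   Use   Interface
-------------------- -------------------- ----- ----- ------ ---------
191.255.104.5        191.255.104.10        UH       1      9  ip.tun0
10.69.33.1           10.5.221.1            UGH      1      5
10.5.221.0           10.5.221.6            U        1      3  le0
224.0.0.0            191.255.104.10        U        1      0  ip.tun0
default              191.255.104.5         UG       1     14
127.0.0.1            127.0.0.1             UH       4   6666  lo0
"""


def _hexmask(h):
    """Solaris prints netmasks as hex (ffffff00); convert to dotted quad."""
    return str(ipaddress.IPv4Address(int(h, 16)))


def parse_ifconfig(text):
    """Return {iface: {net, tunnel_dst, peer, esp}} from ifconfig -a output."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"net": None, "tunnel_dst": None,
                                                 "peer": None, "esp": False})
            continue
        if cur is None:
            continue
        m = re.search(r"tunnel src \S+\s+tunnel dst (\S+)", line)
        if m:
            cur["tunnel_dst"] = m.group(1)          # outer destination (entry point)
        if "tunnel security settings" in line and "esp" in line:
            cur["esp"] = True
        m = re.search(r"inet (\S+) --> (\S+) netmask ([0-9a-f]+)", line)
        if m:                                       # point-to-point: inner addr --> peer
            cur["peer"] = m.group(2)
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{_hexmask(m.group(3))}").network
        m = re.search(r"inet (\S+) netmask ([0-9a-f]+)", line)
        if m:                                       # broadcast/loopback: connected network
            cur["net"] = ipaddress.ip_interface(f"{m.group(1)}/{_hexmask(m.group(2))}").network
    return ifaces


def parse_routes(text):
    """Return [{dest, gw, flags, iface}] from netstat -rn; gateway routes have no iface column."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        if len(p) >= 5 and re.fullmatch(r"[A-Z]+", p[2]) and (p[0] == "default" or p[0][0].isdigit()):
            routes.append({"dest": p[0], "gw": p[1], "flags": p[2], "iface": p[5] if len(p) > 5 else None})
    return routes


def egress_iface(gw, ifaces):
    """Interface a gateway is reached through: a tunnel whose peer it is, else a connected network."""
    for name, info in ifaces.items():
        if info["peer"] == gw:
            return name
    for name, info in ifaces.items():
        if info["net"] and info["peer"] is None and ipaddress.ip_address(gw) in info["net"]:
            return name
    return None


def audit(ifconfig_text, netstat_text):
    """Return findings; an empty list means every off-link path is either the tunnel or its entry point."""
    ifaces = parse_ifconfig(ifconfig_text)
    tunnels = {n: i for n, i in ifaces.items() if i["tunnel_dst"]}
    entry_points = {t["tunnel_dst"] for t in tunnels.values()}
    findings = [f"{n}: tunnel is not protected by ESP" for n, t in tunnels.items() if not t["esp"]]
    default_ok = False
    for r in parse_routes(netstat_text):
        if "G" not in r["flags"]:
            continue                                # on-link routes never leave in the clear
        via = egress_iface(r["gw"], ifaces)
        if r["dest"] == "default":
            default_ok = via in tunnels
        if via in tunnels:
            continue                                # black: carried inside the tunnel
        if via is None:
            findings.append(f"cannot resolve egress for gateway {r['gw']}")
        elif "H" not in r["flags"] or r["dest"] not in entry_points:
            findings.append(f"cleartext off-link route {r['dest']} via {r['gw']} on {via}")
    if not default_ok:
        findings.append("default route does not go over a tunnel")
    return findings


if __name__ == "__main__":
    for f in audit(IFCONFIG, NETSTAT) or ["ok: no cleartext off-link routes"]:
        print(f)
```

Run against the post's tables the audit returns no findings; appending a red network route such as `192.168.7.0 via 10.5.221.1` (a constructed leak) produces one, which is exactly the kind of split-tunnel route the post's layout avoids.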