[OpenIndiana-discuss] Cisco IPSec VPN

Jim Klimov jimklimov at cos.ru
Fri Nov 25 15:01:53 UTC 2016


On 25 November 2016 8:15:40 CET, Jim Klimov <jimklimov at cos.ru> wrote:
>On 24 November 2016 23:30:06 CET, bentahyr at chez.com wrote:
>>Ok, I see.
>>If I follow the SFE way, could I have an issue running an OpenVPN server
>>over TUN in the GZ while wanting to run an Openconnect client over TUN in an NGZ?
>>That is, the device /dev/tun would be used in both the GZ and the NGZ.
>>
>>Best regards.
>>Ben
>>
>>----- Original Message -----
>>From: "Thomas Wagner" <tom-oi-discuss at tom.bn-ulm.de>
>>To: "Discussion list for OpenIndiana"
>><openindiana-discuss at openindiana.org>
>>Sent: Friday 25 November 2016 10:16:51
>>Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>
>>For SFE we've solved this by just adding the driver modules to the NGZ
>>as dead files. So there is no install constraint regarding zone type.
>>That way the IPS dependency just matches in any case.
>>
>>I use a driver match rule in the NGZ to get tun passed through:
>><device match="/dev/tun"/>
>>
>>Thomas
>>
>>On Thu, Nov 24, 2016 at 09:15:11PM +0100, bentahyr at chez.com wrote:
>>> By the way, is there a way to install openconnect in a zone ?
>>> I can't seem to get it running because the tap driver doesn't want to
>>> install:
>>> 
>>> vpnzone# pkg install openconnect
>>> Creating Plan (Running solver): |
>>> pkg install: No matching version of network/openconnect can be installed:
>>>   Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T064832Z
>>>   Reason:  No version matching 'require' dependency driver/network/tap can be installed
>>>     ----------------------------------------
>>>     Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.0.0.0:20160730T021914Z
>>>     Reason:  This version is excluded by installed incorporation consolidation/userland/userland-incorporation@0.5.11-2016.1.0.7919
>>>     Reject:  pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T055026Z
>>>              pkg://openindiana.org/driver/network/tap@1.3.2-2016.1.0.1:20161124T172113Z
>>>     Reason:  Package supports image variant variant.opensolaris.zone=[global] but doesn't support this image's variant.opensolaris.zone (nonglobal)
>>>     ----------------------------------------
>>>   Reject:  pkg://openindiana.org/network/openconnect@7.7.20161105-2016.1.0.0:20161119T114634Z
>>>   Reason:  No version matching 'require' dependency driver/network/tap can be installed
>>> 
>>> 
>>> Best regards.
>>> Ben
>>> 
>>> ----- Original Message -----
>>> From: "Jim Klimov" <jimklimov at cos.ru>
>>> To: "Discussion list for OpenIndiana"
>>><openindiana-discuss at openindiana.org>, "Andrey Sokolov"
>>><keremet at solaris.kirov.ru>
>>> Sent: Friday 25 November 2016 07:07:36
>>> Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>> 
>>> On 16 November 2016 14:02:44 CET, Andrey Sokolov
>>><keremet at solaris.kirov.ru> wrote:
>>> >Hi!
>>> >I use
>>> >http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>>> >
>>> >2016-11-14 15:35 GMT+03:00 Jim Klimov <jimklimov at cos.ru>:
>>> >
>>> >> Hi all,
>>> >>
>>> >> I am faced with a prospect of connecting to a remote network behind Cisco
>>> >> IPSec VPN (the one with user, password, group and shared keys; will be
>>> >> practically trying sometime soon this week). Should I expect it to work in
>>> >> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
>>> >> I found so far (some hints about conf files and then ipadm tun commands) be
>>> >> relevant here? Or should I try some other OS right away?
>>> >>
>>> >> TIA, Jim
>>> >> --
>>> >> Typos courtesy of K-9 Mail on my Samsung Android
>>> >>
>>> >> _______________________________________________
>>> >> openindiana-discuss mailing list
>>> >> openindiana-discuss at openindiana.org
>>> >> https://openindiana.org/mailman/listinfo/openindiana-discuss
>>> >>
>>> 
>>> Thanks,
>>> 
>>> In the end vpnc did work for me; also I saw that openconnect could
>>connect to Juniper/Cisco SSL VPNs... so I couldn't resist and now both
>>are packaged in OI/Hipster userland ;)
>>> 
>>> Thanks,
>>> Jim
>>> --
>>> Typos courtesy of K-9 Mail on my Samsung Android
>>> 
>>
>>-- 
>>Thomas Wagner
>>
>>------------------------------------------------------------------------
>>Service rund um UNIX(TM),     Wagner Network Services, Thomas Wagner
>>Solaris(TM), Linux(TM)        Eschenweg 21, 89174 Altheim, Germany
>>Windows(TM)                   TEL: +49-731-9807799, FAX: +49-731-9807711
>>Telekommunikation, LAN,       MOBILE/CELL: +49-171-6135989
>>Internet-Service, Elektronik  EMAIL: wagner at wagner-net.com
>>
>
>I think this coexistence should not be a problem; several programs can
>call the tun/tap driver interfaces to spawn and tear down virtual tunX
>or tapY IP interfaces. I don't think it matters from which zone the
>request comes to the driver, although with 'match' it may be that all
>zones will see all such NICs (not sure about the IP side). So far I have
>used openvpn in either a GZ or an NGZ on a single machine, so I do not
>have practice mixing them (would the IP stack go crazy or not?).
>
>If you can experiment and find this does not blow up when the two coexist,
>please write ;) PRs are also welcome, but at least info from the trenches
>would be good...
>
>Jim
>--
>Typos courtesy of K-9 Mail on my Samsung Android

FWIW, I posted a PR that vpnc and openconnect should have the same type of dependency on tun/tap drivers as openvpn, so when that lands, hopefully setups in NGZs will become easier. Sorry for the mess ;(

Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
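
Thomas's `<device match="/dev/tun"/>` rule is the XML form of the zone
configuration; below is the same thing entered through zonecfg, plus a check
that parses `zonecfg export` output to confirm which device match rules a zone
actually carries. This is an added example written for this page, not code
from the thread, from SFE or from the OI userland repository. Assumptions: the
zone is called vpnzone (the prompt in Ben's pkg output), the sample export text
is constructed, the VNIC name vpnzone0 is made up, and `ip-type=exclusive` is my
recommendation rather than something the thread establishes: in an exclusive-IP
zone the tunX/tapY interfaces that openconnect or openvpn plumb belong to that
zone's own IP instance, which is what I would expect to keep them out of the
global zone's stack (Jim's "would the IP stack go crazy" question). Passing a
device node into a non-global zone widens what that zone can touch, so it is
worth checking that a zone carries only the match rules you intended.

```shell
#!/bin/sh
# Added example (not from the thread): give a non-global zone access to /dev/tun
# through zonecfg, and verify the exported zone configuration offline.
# Zone name "vpnzone" comes from the thread; VNIC name "vpnzone0" is made up.

ZONE="${ZONE:-vpnzone}"

# zonecfg command script that adds the /dev/tun device match rule.
# Feed it to `zonecfg -z "$ZONE" -f <file>` as root on the OI host.
tun_zonecfg_script() {
    cat <<'EOF'
add device
set match=/dev/tun
end
verify
commit
EOF
}

# Read `zonecfg -z ZONE export` text on stdin; print "yes" if a device
# resource with match=/dev/tun is present, "no" otherwise (exit status follows).
has_tun_device() {
    awk '
        /^add device/ { indev = 1; next }
        indev && /^set match=\/dev\/tun$/ { found = 1 }
        /^end/ { indev = 0 }
        END { print (found ? "yes" : "no"); exit found ? 0 : 1 }
    '
}

# Read the same export text on stdin; succeed if the zone has its own IP
# instance (assumption: exclusive-IP is what you want for a VPN client zone).
is_exclusive_ip() {
    grep -q '^set ip-type=exclusive$'
}

# Constructed sample of what `zonecfg -z vpnzone export` prints after the
# script above has been applied to an exclusive-IP zone.
SAMPLE_EXPORT='create -b
set zonepath=/zones/vpnzone
set brand=ipkg
set autoboot=false
set ip-type=exclusive
add net
set physical=vpnzone0
end
add device
set match=/dev/tun
end'

if [ "${1:-}" = "apply" ]; then
    # Real run on an OI host: apply the rule to the zone (assumes mktemp(1)
    # and zonecfg -f semantics as documented in zonecfg(1M)).
    tmp=$(mktemp) || exit 1
    tun_zonecfg_script > "$tmp"
    zonecfg -z "$ZONE" -f "$tmp"
    rc=$?
    rm -f "$tmp"
    exit "$rc"
else
    # Offline demonstration against the constructed export.
    printf '%s\n' "$SAMPLE_EXPORT" | has_tun_device
fi
```

On a live host, `zonecfg -z vpnzone export | sh ./this-script.sh` is not what
you want; instead run `sh ./this-script.sh apply` to add the rule, then pipe
`zonecfg -z vpnzone export` into `has_tun_device` and `is_exclusive_ip` to
confirm the result before booting the zone and installing openconnect.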


