0 Replies Latest reply: Jun 20, 2012 11:19 AM by 915975

    Solaris 11 responds to IPSEC VPN traffic ONLY one direction

    915975
      I have established an IPSEC VPN tunnel between my remote Solaris 11 and office SonicWall router using Site to Site. Everything works fine if the traffic initiates from the Solaris side. However, when I try to ping or use any network services like nfs, ssh, samba, etc. on the remote Solaris box from our office, the server does NOT respond to the incoming packets, but packets are going through the tunnel and appear on the remote end when I do snoop -d tun0 and snoop -I vnic0. What I do notice is that snoop -d vnic0 shows no packets and it doesn't seem to get any traffic at all (see netstat -rn). Could it be my routing table? IP zones? Any ideas? I followed the Oracle documents very carefully and with extra help from other external Solaris 11 admin sites. I know people would suggest using OpenSwan or OpenVPN but this setup should work.

      Here is the network info on my IPSEC VPN setup. Tunnel is configured in Transport Mode and IPSEC/IKE is working fine.

      Solaris 11 vnic0/10.4.0.1/24, external Internet Nic is nge0/209.xxx.xxx.194/25

      # dladm show-link
      LINK CLASS MTU STATE OVER
      nge0 phys 1500 up --
      tun0 iptun 1402 up --
      vnic0 vnic 1500 up nge0

      # dladm show-iptun
      LINK TYPE FLAGS LOCAL REMOTE
      tun0 ipv4 s- 209.xxx.xxx.194 64.xxx.xxx.34

      # ipadm show-if
      IFNAME CLASS STATE ACTIVE OVER
      lo0 loopback ok yes --
      nge0 ip ok yes --
      vnic0 ip ok yes --
      tun0 ip ok yes --

      # ipadm show-addr
      ADDROBJ TYPE STATE ADDR
      lo0/v4 static ok 127.0.0.1/8
      nge0/v4 static ok 209.xxx.xxx.194/25
      vnic0/inside static ok 10.4.0.1/24
      tun0/v4 static ok 10.4.0.1->172.20.0.1
      lo0/v6 static ok ::1/128

      # netstat -rn

      Routing Table: IPv4
      Destination Gateway Flags Ref Use Interface
      -------------------- -------------------- ----- ----- ---------- ---------
      default 209.xxx.xxx.129 UG 6 16874898 nge0
      10.4.0.0 10.4.0.1 U 2 0 vnic0
      10.181.0.0 172.20.0.1 UGS 3 16862235 tun0
      127.0.0.1 127.0.0.1 UH 2 1786 lo0
      172.20.0.1 10.4.0.1 UH 3 16862235 tun0

      Routing Table: IPv6
      Destination/Mask Gateway Flags Ref Use If
      --------------------------- --------------------------- ----- --- ------- -----
      ::1 ::1 UH 2 42 lo0


      # routeadm
      Configuration Current Current
      Option Configuration System State
      ---------------------------------------------------------------
      IPv4 routing disabled disabled
      IPv6 routing disabled disabled
      IPv4 forwarding disabled disabled
      IPv6 forwarding disabled disabled

      Routing services "route:default ripng:default"

      Routing daemons:

      STATE FMRI
      disabled svc:/network/routing/ripng:default
      disabled svc:/network/routing/rdisc:default
      disabled svc:/network/routing/route:default
      disabled svc:/network/routing/legacy-routing:ipv4
      disabled svc:/network/routing/legacy-routing:ipv6
      online svc:/network/routing/ndp:default

      Solaris># ping 10.181.1.218
      10.181.1.218 is alive

      C:\>ping 10.4.0.1

      Pinging 10.4.0.1 with 32 bytes of data:
      Request timed out.
      Request timed out.

      # snoop -d tun0 10.181.1.218
      Using device tun0 (promiscuous mode)
      10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 33) (1 encap)
      10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 34) (1 encap)

      # snoop -I vnic0 10.181.1.218
      Using device ipnet/vnic0 (promiscuous mode)
      10.181.1.218-> 10.4.0.1 ICMP Echo request (ID: 1 Sequence number: 36)
      10.181.1.218-> 10.4.0.1 -i ICMP Echo request (ID: 1 Sequence number: 37)

      # ipadm show-prop
      PROTO PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
      ipv4 forwarding rw off off off on,off
      ipv4 ttl rw 255 -- 255 1-255
      ipv6 forwarding rw off -- off on,off
      ipv6 hoplimit rw 255 -- 255 1-255
      ipv6 hostmodel rw weak -- weak strong,
      src-priority,
      weak
      ipv4 hostmodel rw strong strong weak strong,
      src-priority,
      weak
      icmp max_buf rw 262144 -- 262144 65536-1073741824
      icmp recv_buf rw 8192 -- 8192 4096-262144
      icmp send_buf rw 8192 -- 8192 4096-262144
      tcp cong_default rw newreno -- newreno newreno,cubic,
      highspeed,vegas
      tcp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
      highspeed, highspeed, highspeed,vegas
      vegas vegas
      tcp ecn rw passive -- passive never,passive,
      active
      tcp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
      tcp largest_anon_port rw 65535 -- 65535 32768-65535
      tcp max_buf rw 1048576 -- 1048576 128000-1073741824
      tcp recv_buf rw 128000 -- 128000 2048-1048576
      tcp sack rw active -- active never,passive,
      active
      tcp send_buf rw 49152 -- 49152 4096-1048576
      tcp smallest_anon_port rw 32768 -- 32768 1024-65535
      tcp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
      udp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
      udp largest_anon_port rw 65535 -- 65535 32768-65535
      udp max_buf rw 2097152 -- 2097152 65536-1073741824
      udp recv_buf rw 57344 -- 57344 128-2097152
      udp send_buf rw 57344 -- 57344 1024-2097152
      udp smallest_anon_port rw 32768 -- 32768 1024-65535
      udp smallest_nonpriv_port rw 1024 -- 1024 1024-32768
      sctp cong_default rw newreno -- newreno newreno,cubic,
      highspeed,vegas
      sctp cong_enabled rw newreno,cubic, newreno,cubic, newreno newreno,cubic,
      highspeed, highspeed, highspeed,vegas
      vegas vegas
      sctp extra_priv_ports rw 2049,4045 -- 2049,4045 1-65535
      sctp largest_anon_port rw 65535 -- 65535 32768-65535
      sctp max_buf rw 1048576 -- 1048576 102400-1073741824
      sctp recv_buf rw 102400 -- 102400 8192-1048576
      sctp send_buf rw 102400 -- 102400 8192-1048576
      sctp smallest_anon_port rw 32768 -- 32768 1024-65535
      sctp smallest_nonpriv_port rw 1024 -- 1024 1024-32768

      # ipadm show-addrprop
      ADDROBJ PROPERTY PERM CURRENT PERSISTENT DEFAULT POSSIBLE
      lo0/v4 broadcast r- -- -- -- --
      lo0/v4 deprecated rw off -- off on,off
      lo0/v4 prefixlen rw 8 8 8 1-30,32
      lo0/v4 private rw off -- off on,off
      lo0/v4 reqhost r- -- -- -- --
      lo0/v4 transmit rw on -- on on,off
      lo0/v4 zone rw global -- global --
      nge0/v4 broadcast r- 209.xxx.xxx.255 -- 209.xxx.xxx.255 --
      nge0/v4 deprecated rw off -- off on,off
      nge0/v4 prefixlen rw 25 25 24 1-30,32
      nge0/v4 private rw on on off on,off
      nge0/v4 reqhost r- -- -- -- --
      nge0/v4 transmit rw on -- on on,off
      nge0/v4 zone rw global -- global --
      vnic0/inside broadcast r- 10.4.0.255 -- 10.255.255.255 --
      vnic0/inside deprecated rw off -- off on,off
      vnic0/inside prefixlen rw 24 24 8 1-30,32
      vnic0/inside private rw off -- off on,off
      vnic0/inside reqhost r- -- -- -- --
      vnic0/inside transmit rw on -- on on,off
      vnic0/inside zone rw global -- global --
      tun0/v4 broadcast r- -- -- -- --
      tun0/v4 deprecated rw off -- off on,off
      tun0/v4 prefixlen rw -- -- -- --
      tun0/v4 private rw off -- off on,off
      tun0/v4 reqhost r- -- -- -- --
      tun0/v4 transmit rw on -- on on,off
      tun0/v4 zone rw global -- global --

      # ipadm show-ifprop

      IFNAME PROPERTY PROTO PERM CURRENT PERSISTENT DEFAULT POSSIBLE
      nge0 arp ipv4 rw on -- on on,off
      nge0 forwarding ipv4 rw off off off on,off
      nge0 metric ipv4 rw 0 -- 0 --
      nge0 mtu ipv4 rw 1500 -- 1500 68-1500
      nge0 exchange_routes ipv4 rw on -- on on,off
      nge0 usesrc ipv4 rw none -- none --
      nge0 forwarding ipv6 rw off -- off on,off
      nge0 metric ipv6 rw 0 -- 0 --
      nge0 mtu ipv6 rw 1500 -- 1500 1280-1500
      nge0 nud ipv6 rw on -- on on,off
      nge0 exchange_routes ipv6 rw on -- on on,off
      nge0 usesrc ipv6 rw none -- none --
      nge0 group ip rw -- -- -- --
      nge0 standby ip rw off -- off on,off
      vnic0 arp ipv4 rw on -- on on,off
      vnic0 forwarding ipv4 rw on on off on,off
      vnic0 metric ipv4 rw 0 -- 0 --
      vnic0 mtu ipv4 rw 1500 -- 1500 68-1500
      vnic0 exchange_routes ipv4 rw on -- on on,off
      vnic0 usesrc ipv4 rw none -- none --
      vnic0 group ip rw -- -- -- --
      vnic0 standby ip rw off -- off on,off
      tun0 arp ipv4 rw off -- on on,off
      tun0 forwarding ipv4 rw on on off on,off
      tun0 metric ipv4 rw 0 -- 0 --
      tun0 mtu ipv4 rw 1402 -- 1402 68-65515
      tun0 exchange_routes ipv4 rw on -- on on,off
      tun0 usesrc ipv4 rw none -- none --
      tun0 group ip rw -- -- -- --
      tun0 standby ip rw off -- off on,off

      Edited by: user1233039 on Jun 20, 2012 9:18 AM
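The post above asks whether the routing table could explain a host that answers in one direction only. The following is an added example, not code from the post or from Oracle, that models two things the post's own tables bear on: longest-prefix route lookup over the netstat -rn entries, and the RFC 1122 strong/weak host-model check that the ipadm hostmodel property selects (the post shows ipv4 hostmodel strong and the same address 10.4.0.1 on both vnic0 and tun0). The tables are transcribed from the post; the masked 209.xxx.xxx.x public addresses are replaced with TEST-NET-3 placeholders, the /16 mask on the 10.181.0.0 static route is an assumption because netstat -rn does not print masks, and the acceptance rules are the RFC 1122 semantics, not a reimplementation of the Solaris IP stack.

```python
"""Model of RFC 1122 host-model delivery plus longest-prefix routing.

Added illustration, not code from the original post. Tables are transcribed
from the post's netstat -rn and ipadm show-addr output; 209.xxx.xxx.x values
are replaced with TEST-NET-3 placeholders and prefix lengths are added where
netstat -rn did not print them (assumptions, see comments).
"""
import ipaddress
from typing import Optional, Tuple

# (destination network, gateway, interface).
# 10.4.0.0/24 follows vnic0/inside prefixlen 24; 10.181.0.0/16 is an ASSUMED
# mask for the static route; host routes are /32.
ROUTES = [
    ("0.0.0.0/0", "203.0.113.129", "nge0"),      # default via 209.xxx.xxx.129 (placeholder)
    ("10.4.0.0/24", "10.4.0.1", "vnic0"),
    ("10.181.0.0/16", "172.20.0.1", "tun0"),
    ("127.0.0.1/32", "127.0.0.1", "lo0"),
    ("172.20.0.1/32", "10.4.0.1", "tun0"),
]

# Local address per interface from ipadm show-addr. tun0/v4 is a
# point-to-point object (local 10.4.0.1, remote 172.20.0.1), so tun0 and
# vnic0 both carry 10.4.0.1.
LOCAL_ADDRS = {
    "lo0": {"127.0.0.1"},
    "nge0": {"203.0.113.194"},   # placeholder for 209.xxx.xxx.194
    "vnic0": {"10.4.0.1"},
    "tun0": {"10.4.0.1"},
}


def lookup_route(dst: str) -> Optional[Tuple[str, str]]:
    """Return (gateway, interface) for dst by longest-prefix match."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw, ifname in ROUTES:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw, ifname)
    return None if best is None else (best[1], best[2])


def accept_inbound(dst: str, arrived_on: str, hostmodel: str) -> bool:
    """Apply the RFC 1122 host-model rule to an inbound packet.

    weak / src-priority: accept if dst is any address of the host (weak ES).
    strong: accept only if dst is configured on the receiving interface.
    """
    all_local = set().union(*LOCAL_ADDRS.values())
    if dst not in all_local:
        return False
    if hostmodel == "strong":
        return dst in LOCAL_ADDRS.get(arrived_on, set())
    if hostmodel in ("weak", "src-priority"):
        return True
    raise ValueError(f"unknown hostmodel {hostmodel!r}")


def reply_path(requester: str, local_dst: str, arrived_on: str, hostmodel: str) -> Optional[str]:
    """Interface an echo reply would leave on, or None if no reply is sent.

    Under the strong ES model the reply's source address (local_dst) must also
    be configured on the egress interface chosen by the route lookup.
    """
    if not accept_inbound(local_dst, arrived_on, hostmodel):
        return None
    route = lookup_route(requester)
    if route is None:
        return None
    _, egress = route
    if hostmodel == "strong" and local_dst not in LOCAL_ADDRS[egress]:
        return None
    return egress


if __name__ == "__main__":
    # The post's case: echo request from 10.181.1.218 to 10.4.0.1 seen on tun0.
    for model in ("strong", "weak"):
        print(model, "arrived on tun0 ->", reply_path("10.181.1.218", "10.4.0.1", "tun0", model))
        print(model, "arrived on nge0 ->", reply_path("10.181.1.218", "10.4.0.1", "nge0", model))
```

Run it to compare how the same echo request is treated under each host model; the constructed tables can be edited to match any other netstat -rn and ipadm show-addr output to check whether a given inbound interface and reply route are consistent with the configured hostmodel.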