0 Replies Latest reply on Dec 30, 2016 5:26 PM by 1646161

    Assistance with Solaris 10 routing with VPN

    1646161

      I have read the How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4 (http://docs.oracle.com/cd/E19253-01/816-4554/6maoq02fv/index.html#ipsec-mgtasks-rt-2) to build a vpn tunnel from a Solaris10 host to a Juniper srx. 

       

The network will consist of a Solaris10 acting as a VPN gateway.  Its trust interface needs to forward packets to five other hosts on the subnet from an application that sits behind a Juniper srx gateway.  The Solaris10 host has an untrust interface to the srx interface.  I can get the VPN up between the Solaris10 & srx gateways.  But I can't seem to get any packets to route through the tunnel.

       

      Local Trust subnet IP: 10.30.194.192/27

      Local Trust Solaris Int: vnet4

      Local Trust Solaris IP: 10.30.194.197

      Local Untrust Solaris subnet IP: 10.30.195.192/26

      Local Untrust Solaris Int: vnet2

      Local Untrust Solaris IP: 10.30.195.197

      Local Untrust Solaris Next Hop IP: 10.30.195.193

      Remote Untrust SRX IP: 10.30.146.124

      Remote Trust App IP: 10.30.220.70

       

      The five application hosts on the local trust subnet have a route -p add 10.30.220.70/32 10.30.194.197 statement

      # netstat -r

      10.30.220.70         10.30.194.197  UGH       1          6

       

      Here is my config on the Solaris VPN host:

      ipsecinit.conf

      # LAN traffic can bypass IPSec

      {laddr 10.30.194.197 dir both} bypass {}

      # WAN traffic uses ESP with AES and SHA-1

      {tunnel ip.tun0 negotiate tunnel}

      ipsec {encr_algs aes encr_auth_algs sha1 sa shared}

       

      /etc/hostname.ip.tun0

      10.30.194.197 10.30.220.70 tsrc 10.30.195.197 tdst 10.30.146.124 router up

       

      netstat -r

      Routing Table: IPv4

        Destination           Gateway           Flags  Ref     Use     Interface

      -------------------- -------------------- ----- ----- ---------- ---------

      default              10.31.62.129         UG        1          5          

      10.30.146.124        10.30.195.193        UGH       1          3          

      10.30.194.192        6220cc04-ing  U         1          1 vnet4    

      10.30.195.192        6220cc04-egr  U         1          2 vnet2    

      10.30.220.70         6220cc04-ing  UH        1          0 ip.tun0  

      10.31.62.128         6220cc04-mgt  U         1          1 vnet0

       

      routeadm

                     IPv4 routing   enabled              enabled

                  IPv4 forwarding   disabled             disabled

       

      As you can see from the Juniper, the IPSEC is established:

      <131074 ESP:aes-cbc-128/sha1 2c8ee5b 2316/ unlim - root 500 10.30.195.197  

        >131074 ESP:aes-cbc-128/sha1 ec6210e1 2316/ unlim - root 500 10.30.195.197 

       

Here are my physical interface hostname files that allow the VPN to establish:

      /etc/hostname.vnet2

      6220cc04-egr netmask + broadcast + group egress up

       

      /etc/hostname.vnet4

      6220cc04-ing netmask + broadcast + group ingress up

       

      # ping 10.30.194.198

      10.30.194.198 is alive

      # ping 10.30.146.124

      10.30.146.124 is alive

      # ping 10.30.220.70

      ^C#

       

      In the How To doc steps 10 & 11, it specifies to add

      10.30.194.197 router to my /hostname.vnet4

      10.30.195.197 private to my /hostname.vnet2

       

When I do this, it breaks everything. I can't ping any other hosts on my inside trust interface, nor the untrust next hop gateway.  The VPN then dies with a timeout error because no packets are reaching the srx.

       

Any thoughts on where I have things wrong?  This seems like it would be a relatively easy config, but it has me stumped.
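As an added consistency check (written for this thread, not from the poster or from the Oracle How To), the script below reads the ip.tun0 definition, the netstat -r table and the routeadm output posted above as plain text and tests three conditions a Solaris 10 gateway needs before it can forward trust-side traffic into the tunnel: a physical gateway route to the outer endpoint (tdst), a route for the inner destination over ip.tun0, and the global IPv4 forwarding state. It assumes the column layouts shown in the question; per-interface forwarding set with the ifconfig `router` keyword is not visible to routeadm and is not checked here.

```shell
#!/bin/sh
# Offline gateway check: all inputs are passed as strings, nothing is queried from the system.

# Sample inputs copied from the question above (constructed as strings, not live output).
TUN_LINE='10.30.194.197 10.30.220.70 tsrc 10.30.195.197 tdst 10.30.146.124 router up'
NETSTAT_R='default              10.31.62.129         UG        1          5
10.30.146.124        10.30.195.193        UGH       1          3
10.30.194.192        6220cc04-ing  U         1          1 vnet4
10.30.195.192        6220cc04-egr  U         1          2 vnet2
10.30.220.70         6220cc04-ing  UH        1          0 ip.tun0
10.31.62.128         6220cc04-mgt  U         1          1 vnet0'
ROUTEADM='IPv4 routing   enabled              enabled
IPv4 forwarding   disabled             disabled'

# Value following a keyword (tsrc/tdst) in an ifconfig-style tunnel line.
tun_field() {  # $1 = tunnel line, $2 = keyword
    echo "$1" | awk -v k="$2" '{ for (i = 1; i < NF; i++) if ($i == k) print $(i + 1) }'
}

# The outer endpoint (tdst) needs a gateway route that does not point at ip.tun0 itself,
# otherwise the encapsulated packets would be routed back into the tunnel.
outer_route_ok() {  # $1 = netstat -r text, $2 = tdst
    echo "$1" | awk -v d="$2" '$1 == d && $3 ~ /G/ && $NF != "ip.tun0" { ok = 1 } END { exit !ok }'
}

# The inner destination must be routed over the tunnel interface.
inner_route_ok() {  # $1 = netstat -r text, $2 = inner destination
    echo "$1" | awk -v d="$2" '$1 == d && $NF == "ip.tun0" { ok = 1 } END { exit !ok }'
}

# Packets from the other trust hosts are not addressed to this host, so the system must
# forward them; this reads the current-state column of routeadm.
forwarding_enabled() {  # $1 = routeadm text
    echo "$1" | awk '$1 == "IPv4" && $2 == "forwarding" && $NF == "enabled" { ok = 1 } END { exit !ok }'
}

# Runs all checks, prints each failure, returns the failure count (0 = all conditions hold).
check_gateway() {  # $1 = tunnel line, $2 = netstat -r text, $3 = routeadm text
    fails=0
    tdst=$(tun_field "$1" tdst)
    inner=$(echo "$1" | awk '{ print $2 }')
    outer_route_ok "$2" "$tdst" || { echo "no physical gateway route to tunnel endpoint $tdst"; fails=$((fails + 1)); }
    inner_route_ok "$2" "$inner" || { echo "no route to $inner over ip.tun0"; fails=$((fails + 1)); }
    forwarding_enabled "$3" || { echo "IPv4 forwarding disabled: trust-side hosts are not forwarded into the tunnel"; fails=$((fails + 1)); }
    return $fails
}

check_gateway "$TUN_LINE" "$NETSTAT_R" "$ROUTEADM" || echo "$? condition(s) failed"
```

Run against the values in the question it reports only the forwarding condition; re-run it with your own routeadm and netstat -r output after changing the hostname files to see which condition a change breaks.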