    Assistance with Solaris 10 routing with VPN


      I have read the How to Protect a VPN With an IPsec Tunnel in Tunnel Mode Over IPv4 (http://docs.oracle.com/cd/E19253-01/816-4554/6maoq02fv/index.html#ipsec-mgtasks-rt-2) to build a VPN tunnel from a Solaris10 host to a Juniper srx. 


      The network will consist of a Solaris10 host acting as a VPN gateway.  Its trust interface needs to forward packets to five other hosts on the subnet from an application that sits behind a Juniper srx gateway.  The Solaris10 host has an untrust interface to the srx interface.  I can get the VPN up between the Solaris10 & srx gateways, but I can't seem to get any packets to route through the tunnel.


      Local Trust subnet IP:

      Local Trust Solaris Int: vnet4

      Local Trust Solaris IP:

      Local Untrust Solaris subnet IP:

      Local Untrust Solaris Int: vnet2

      Local Untrust Solaris IP:

      Local Untrust Solaris Next Hop IP:

      Remote Untrust SRX IP:

      Remote Trust App IP:


      The five application hosts on the local trust subnet have a route -p add statement

      # netstat -r  UGH       1          6


      Here is my config on the Solaris VPN host:


      # LAN traffic can bypass IPSec

      {laddr dir both} bypass {}

      # WAN traffic uses ESP with AES and SHA-1

      {tunnel ip.tun0 negotiate tunnel}

      ipsec {encr_algs aes encr_auth_algs sha1 sa shared}


      /etc/hostname.ip.tun0 tsrc tdst router up


      netstat -r

      Routing Table: IPv4

        Destination           Gateway           Flags  Ref     Use     Interface

      -------------------- -------------------- ----- ----- ---------- ---------

      default                                     UG        1          5
                                                  UGH       1          3
                           6220cc04-ing           U         1          1 vnet4
                           6220cc04-egr           U         1          2 vnet2
                           6220cc04-ing           UH        1          0 ip.tun0
                           6220cc04-mgt           U         1          1 vnet0



                     IPv4 routing   enabled              enabled

                  IPv4 forwarding   disabled             disabled


      As you can see from the Juniper, the IPsec SA is established:

      <131074 ESP:aes-cbc-128/sha1 2c8ee5b 2316/ unlim - root 500  

        >131074 ESP:aes-cbc-128/sha1 ec6210e1 2316/ unlim - root 500 


      Here are my physical interface hostname files that allow the VPN to establish:


      6220cc04-egr netmask + broadcast + group egress up



      6220cc04-ing netmask + broadcast + group ingress up


      # ping is alive

      # ping is alive

      # ping



      In the How To doc, steps 10 & 11 specify adding "router" to my /hostname.vnet4 and "private" to my /hostname.vnet2.


      When I do this, it breaks everything. I can't ping any other hosts on my inside trust interface, nor the untrust next hop gateway.  The VPN then dies with a timeout error because no packets are reaching the srx.


      Any thoughts on where I have things wrong?  This seems like it would be a relatively easy config, but it has me stumped.
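The post's own output already shows the two things to verify on the Solaris gateway before touching the tunnel itself: routeadm reports IPv4 forwarding disabled (so the host will not forward between vnet4 and ip.tun0 no matter what the SAs say), and the netstat table has a host route for the tunnel endpoint on ip.tun0 but no route sending the remote trust network into the tunnel. The script below is an added example, not part of the original post or of Oracle's how-to: it parses constructed samples of "routeadm -p" and "netstat -rn" output (RFC 5737 documentation addresses stand in for the values the post redacts, and the remote trust subnet is an assumption) and reports which of the two pieces is missing. The one fix it names by exact command, routeadm -u -e ipv4-forwarding, is the Solaris 10 way to turn on forwarding in the running system and persistently; the route it asks for is described rather than spelled out, because the exact destination and gateway are the redacted values.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): given `routeadm -p` and
# `netstat -rn` output from a Solaris 10 VPN gateway, check whether IPv4
# forwarding is on and whether the remote trust network is routed into
# ip.tun0.  Exit status of each check: 0 = present, 1 = missing.

# Constructed sample of `routeadm -p` matching the state in the post
# (routing enabled, forwarding disabled).
ROUTEADM_BROKEN='ipv4-routing persistent=enabled default=enabled current=enabled
ipv4-forwarding persistent=disabled default=disabled current=disabled'
# Same output after `routeadm -u -e ipv4-forwarding`.
ROUTEADM_FIXED='ipv4-routing persistent=enabled default=enabled current=enabled
ipv4-forwarding persistent=enabled default=disabled current=enabled'

# Constructed `netstat -rn` mirroring the post's table: default route out the
# untrust side, interface routes, a host route for the tunnel peer on ip.tun0,
# but nothing that sends the remote trust network (assumed 203.0.113.0) there.
NETSTAT_BROKEN='Routing Table: IPv4
  Destination           Gateway           Flags  Ref     Use     Interface
-------------------- -------------------- ----- ----- ---------- ---------
default              192.0.2.1            UG        1          5
192.0.2.0            192.0.2.10           U         1          2 vnet2
198.51.100.0         198.51.100.10        U         1          1 vnet4
203.0.113.1          203.0.113.1          UH        1          0 ip.tun0'
# Same table once a network route for the remote trust subnet points at the tunnel.
NETSTAT_FIXED="$NETSTAT_BROKEN
203.0.113.0          203.0.113.1          UG        1          0 ip.tun0"

REMOTE_TRUST_NET='203.0.113.0'   # assumption: the trust subnet behind the SRX

# forwarding_enabled ROUTEADM_OUTPUT
# Succeeds only if the ipv4-forwarding line carries current=enabled.
forwarding_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "ipv4-forwarding" {
            for (i = 2; i <= NF; i++)
                if ($i == "current=enabled") ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# tunnel_route_present NETSTAT_OUTPUT NET
# Succeeds only if NET has a routing entry whose interface column is ip.tun0.
tunnel_route_present() {
    printf '%s\n' "$1" | awk -v net="$2" '
        $1 == net && $NF == "ip.tun0" { found = 1 }
        END { exit found ? 0 : 1 }'
}

# diagnose ROUTEADM_OUTPUT NETSTAT_OUTPUT NET
# Prints findings on stderr and the number of missing pieces on stdout.
diagnose() {
    problems=0
    if forwarding_enabled "$1"; then
        echo "ok: IPv4 forwarding is enabled" >&2
    else
        echo "missing: IPv4 forwarding is disabled; the gateway cannot pass" \
             "vnet4 traffic into ip.tun0.  Run: routeadm -u -e ipv4-forwarding" >&2
        problems=$((problems + 1))
    fi
    if tunnel_route_present "$2" "$3"; then
        echo "ok: $3 is routed via ip.tun0" >&2
    else
        echo "missing: no route for $3 via ip.tun0; add a network route for the" \
             "remote trust subnet whose gateway is the tunnel destination (tdst)" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

# Stand-alone run against the broken state quoted in the post.
diagnose "$ROUTEADM_BROKEN" "$NETSTAT_BROKEN" "$REMOTE_TRUST_NET" >/dev/null
```

Feed it the real output with something like: diagnose "$(routeadm -p)" "$(netstat -rn)" <remote-trust-net>. A non-zero count means the tunnel can be perfectly healthy (as the SRX SA listing shows) while the Solaris box still never forwards a packet into it; enabling forwarding and routing the remote subnet at the tunnel are independent of the ipsecinit.conf and hostname.ip.tun0 settings already in place.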