Site-to-Site VPN Using Solaris 9

From: Crist Clark (crist.clark@globalstar.com)
Date: Wed Dec 28 2005 - 17:06:44 EST


I am trying to set up a site-to-site VPN between a Solaris host and a
Cisco VPN Concentrator 3000. The desire is for the Solaris endpoint to
be able to talk to several hosts "behind" the concentrator at the other
end. I thought setting up a quick IPsec tunnel between these two would
be a snap, given a little interactive tweaking to get proposals to all
agree, etc., but Solaris is frustrating me.

I am familiar with implementing VPNs in several other environments,
and the big problem I'm having with Solaris is how to establish the
policy. I understand how to set up the ipsecinit file for ipsecconf(1M),
but that only seems to be used for transport layer IPsec? For a tunnel,
you need to set up an ip.tun device, see ifconfig(1M), and you specify
what goes through the tunnel with routing, not with specifying IPsec
policy. At least that's how I understand things...

So, this problem shows up when the two endpoints start Phase 2 of
ISAKMP negotiations (yay! I got it to go past Phase 1 successfully!).
The Solaris endpoint just specifies 0.0.0.0/0 as the network for the
SA we're trying to set up, and the concentrator end quite correctly
won't have anything to do with that. It expects to only set up SAs for
networks it knows about and the Solaris host is allowed to tunnel to.

I haven't been able to find any documents about setting up an IPsec
tunnel with Solaris 9 to a Cisco VPN Concentrator or for anything else
but another Solaris system. The one document I did find at Sun's website
is Solaris-to-Solaris and glosses over all of these problems by having
the two endpoints pretty much trust each other completely.

Anyone know of any "How Tos" for setting up Solaris 9 IPsec tunnels
to other OSes? Can anyone offer help with my specific problem (getting
Solaris to use the right networks in Phase 2 negotiations)? Note that
I am deliberately just using vanilla Solaris 9. There's no way I'm
going to be putting SunScreen on this box. Also, the Cisco VPN Client
for Solaris won't run on this box due to a known bug, Sun Bug ID 5066781.

-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
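The Solaris 9 pieces the message describes (IKE rule, pre-shared key, ip.tun device, routing), laid out as an added illustration that is not from the poster or from Sun; addresses and the key are constructed placeholders, and the file syntax follows ike.config(4), ifconfig(1M) and route(1M) as I remember them for Solaris 9, so treat it as an assumption to check against the man pages. Note how nothing in it names the networks behind the far end except the route table, which is the situation the poster is running into in Phase 2.

```console
# Constructed addresses: Solaris host 198.51.100.10, concentrator 203.0.113.1,
# tunnel inner addresses 10.0.1.1 (Solaris) and 10.0.2.1 (far end).

# --- Phase 1 rule for in.iked(1M): /etc/inet/ike/config ---
# cat > /etc/inet/ike/config <<'EOF'
p1_xform { auth_method preshared oakley_group 2 auth_alg sha encr_alg 3des }
p2_pfs 2

{
    label "to-concentrator"
    local_addr  198.51.100.10
    remote_addr 203.0.113.1
    p1_xform { auth_method preshared oakley_group 2 auth_alg sha encr_alg 3des }
    p2_pfs 2
}
EOF

# --- Pre-shared key, hex, placeholder value; file must be root-only ---
# cat > /etc/inet/secret/ike.preshared <<'EOF'
{
    localidtype IP
    localid  198.51.100.10
    remoteidtype IP
    remoteid 203.0.113.1
    key 0123456789abcdef0123456789abcdef
}
EOF
# chmod 600 /etc/inet/secret/ike.preshared
# (start or restart in.iked(1M) after editing these two files)

# --- Tunnel device: outer addresses via tsrc/tdst, IPsec algorithms on the tunnel ---
# ifconfig ip.tun0 plumb
# ifconfig ip.tun0 10.0.1.1 10.0.2.1 tsrc 198.51.100.10 tdst 203.0.113.1 \
      encr_algs 3des encr_auth_algs sha1
# ifconfig ip.tun0 up

# --- What goes through the tunnel is chosen by routing, not by ipsecconf(1M) policy ---
# route add net 10.0.2.0 -netmask 255.255.255.0 10.0.2.1
# netstat -rn | grep ip.tun0
```

Watching `in.iked -d` (or the concentrator's IKE log) while sending the first packet down that route is the quickest way to see exactly which Phase 2 identities each side proposes.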

