Configuring and Administering Oracle Solaris 11.1 Networks (Oracle Solaris 11.1 Information Library)

Tunnel Configuration and Administration With the dladm Command
This section describes procedures that use the dladm command to configure tunnels.
Beginning with this Oracle Solaris release, tunnel administration is separated from IP interface configuration: the data-link aspect of an IP tunnel is administered with the dladm command, and IP interface configuration, including the IP interface over the tunnel, is performed with the ipadm command.
The following subcommands of dladm are used to configure IP tunnels:
create-iptun
modify-iptun
show-iptun
delete-iptun
set-linkprop
For details about the dladm command, refer to the dladm(1M) man page.
Note - IP tunnel administration is closely associated with IPsec configuration. An IP tunnel by itself only encapsulates packets; it provides no confidentiality, integrity, or authentication of the far endpoint. That is why IPsec virtual private networks (VPNs), in which IPsec protects the traffic that the tunnel carries, are one of the primary uses of IP tunneling. For more information about security in Oracle Solaris, see Chapter 6, IP Security Architecture (Overview), in Securing the Network in Oracle Solaris 11.1. To configure IPsec, see Chapter 7, Configuring IPsec (Tasks), in Securing the Network in Oracle Solaris 11.1.
How to Create and Configure an IP Tunnel

Create the tunnel:

# dladm create-iptun [-t] -T type -a [local|remote]=addr,... tunnel-link
The following options or arguments are available for this command:
-t
Creates a temporary tunnel. By default, the command creates a persistent tunnel.
Note - If you want to configure a persistent IP interface over the tunnel, then you must create a persistent tunnel and not use the -t option.
-T type
Specifies the type of tunnel you want to create: ipv4, ipv6, or 6to4. This argument is required for every tunnel type.
-a [local|remote]=addr,...
Specifies literal IP addresses or host names that correspond to the local address and the remote tunnel address. The addresses must be valid and already configured on the system. Depending on the type of tunnel, you specify either only one address, or both local and remote addresses. If specifying both local and remote addresses, you must separate the addresses with a comma.
IPv4 tunnels require local and remote IPv4 addresses to function.
IPv6 tunnels require local and remote IPv6 addresses to function.
6to4 tunnels require a local IPv4 address to function.
Note - For persistent IP tunnel data-link configurations, if you are using host names for addresses, these host names are saved in the configuration storage. During a subsequent system boot, if the names resolve to IP addresses that are different from the IP addresses used when the tunnel was created, then the tunnel acquires a new configuration. Because the tunnel endpoint then follows whatever the name service returns at boot, prefer literal IP addresses for tunnel endpoints unless you intend the endpoints to track name changes.
tunnel-link
Specifies the IP tunnel link. With support for meaningful names in network-link administration, tunnel names are no longer restricted to the type of tunnel that you are creating. Instead, a tunnel can be assigned any administratively chosen name. Tunnel names consist of a string and the physical point of attachment (PPA) number, for example, mytunnel0. For rules governing the assignment of meaningful names, refer to Rules for Valid Link Names in Introduction to Oracle Solaris 11 Networking.
If you do not specify the tunnel link, then the name is automatically supplied according to the following naming conventions:
For IPv4 tunnels: ip.tun#
For IPv6 tunnels: ip6.tun#
For 6to4 tunnels: ip.6to4tun#
The # is the lowest available PPA number for the tunnel type that you are creating.
(Optional) Set the hoplimit and encaplimit link properties of the tunnel:

# dladm set-linkprop -p [hoplimit=value] [encaplimit=value] tunnel-link

hoplimit=value
Specifies the hop limit that is placed in the outer header of the encapsulated packets. For tunneling over IPv6 this is the IPv6 hop limit; for tunneling over IPv4 it is the equivalent IPv4 time to live (TTL) field.
encaplimit=value
Specifies the number of levels of nested tunneling that are allowed for a packet. This option applies only to IPv6 tunnels.
Note - The values that you set for hoplimit and encaplimit must remain within the acceptable ranges, which dladm show-linkprop lists in its POSSIBLE column (for hoplimit, 1-255). The hoplimit and encaplimit are tunnel link properties. Thus, these properties are administered by the same dladm subcommands as other link properties: dladm set-linkprop, dladm reset-linkprop, and dladm show-linkprop. Refer to the dladm(1M) man page for the subcommands that administer links.
Create the IP interface over the tunnel:

# ipadm create-ip tunnel-interface

where tunnel-interface uses the same name as the tunnel link.
Configure an IP address on the tunnel interface:

# ipadm create-addr [-t] -a local=address,remote=address interface

-t
Indicates a temporary IP configuration rather than a persistent IP configuration over the tunnel. If you do not use this option, then the IP interface configuration is a persistent configuration.
-a local=address,remote=address
Specifies the IP addresses of the tunnel interface. Both source and destination IP addresses are required, as represented by local and remote. Local and remote addresses can either be IPv4 or IPv6 addresses. For an IPv6 interface over the tunnel, you can instead specify -T addrconf, as in Example 6-1, so that the link-local addresses are configured automatically.
interface
Specifies the tunnel interface.
For more information about the ipadm command and the different options to configure IP interfaces, including tunnel interfaces, see the ipadm(1M) man page and Connecting Systems Using Fixed Network Configuration in Oracle Solaris 11.1.
(Optional) Verify the IP configuration of the tunnel interface:

# ipadm show-addr interface
Example 6-1 Creating an IPv6 Interface Over an IPv4 Tunnel
This example shows how to create a persistent IPv6 over IPv4 tunnel.
# dladm create-iptun -T ipv4 -a local=63.1.2.3,remote=192.4.5.6 private0
# dladm set-linkprop -p hoplimit=200 private0
# ipadm create-ip private0
# ipadm create-addr -T addrconf private0
# ipadm show-addr private0/
ADDROBJ        TYPE       STATE   ADDR
private0/v6    addrconf   ok      fe80::a08:392e/10 --> fe80::8191:9a56
To add alternative addresses, use the same syntax. For example, you can add a global address as follows:
# ipadm create-addr -a local=2001:db8:4728::1,remote=2001:db8:4728::2 private0
# ipadm show-addr private0/
ADDROBJ        TYPE       STATE   ADDR
private0/v6    addrconf   ok      fe80::a08:392e/10 --> fe80::8191:9a56
private0/v6a   static     ok      2001:db8:4728::1 --> 2001:db8:4728::2
Note that the prefix 2001:db8 for the IPv6 address is a special IPv6 prefix that is used specifically for documentation examples.
Example 6-2 Creating an IPv4 Interface Over an IPv4 Tunnel
This example shows how to create a persistent IPv4 over IPv4 tunnel.
# dladm create-iptun -T ipv4 -a local=63.1.2.3,remote=192.4.5.6 vpn0
# ipadm create-ip vpn0
# ipadm create-addr -a local=10.0.0.1,remote=10.0.0.2 vpn0
# ipadm show-addr
ADDROBJ    TYPE     STATE   ADDR
lo0/v4     static   ok      127.0.0.1
vpn0/v4    static   ok      10.0.0.1 --> 10.0.0.2
You can further configure IPsec policy to provide secure connections for the packets that flow over this tunnel. For information about IPsec configuration, see Chapter 7, Configuring IPsec (Tasks), in Securing the Network in Oracle Solaris 11.1.
Example 6-3 Creating an IPv6 Interface Over an IPv6 Tunnel
This example shows how to create a persistent IPv6 over IPv6 tunnel.
# dladm create-iptun -T ipv6 -a local=2001:db8:feed::1234,remote=2001:db8:beef::4321 tun0
# ipadm create-ip tun0
# ipadm create-addr -T addrconf tun0
# ipadm show-addr
ADDROBJ    TYPE       STATE   ADDR
lo0/v6     static     ok      ::1/128
tun0/v6    addrconf   ok      2001:db8:feed::1234 --> 2001:db8:beef::4321
To add addresses such as a global address or alternative local and remote addresses, use the ipadm command as follows:
# ipadm create-addr -a local=2001:db8::4728:56bc,remote=2001:db8::1428:57ab tun0
# ipadm show-addr tun0/
ADDROBJ    TYPE       STATE   ADDR
tun0/v6    addrconf   ok      2001:db8:feed::1234 --> 2001:db8:beef::4321
tun0/v6a   static     ok      2001:db8::4728:56bc --> 2001:db8::1428:57ab
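The create-iptun, set-linkprop, create-ip and create-addr sequence of the procedure above, as an added shell script that is not part of the Oracle documentation. It front-loads the checks a practitioner would want: the tunnel name ends in a PPA number, both endpoints are IPv4 literals rather than host names (so the tunnel cannot silently follow a changed name-service answer at boot), the hoplimit lies within 1-255, and a temporary tunnel (TEMPORARY=1) receives only temporary IP configuration. Assumptions of this example: the link-name character set (letters, digits and underscores, ending in a digit) is a simplification of the rules in Introduction to Oracle Solaris 11 Networking, and the local-address lookup uses ipadm show-addr -p -o addr. DRY_RUN=1 prints the dladm and ipadm commands instead of executing them, so the script can be reviewed on a system without those commands.

```sh
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: create a persistent
# (or, with TEMPORARY=1, a temporary) IPv4-over-IPv4 tunnel plus the IP interface
# over it. DRY_RUN=1 prints the commands instead of running them.

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# True if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
# Octets with leading zeros are rejected: parsers disagree on their meaning.
is_ipv4_literal() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Tunnel link name: a string followed by a PPA number, e.g. mytunnel0.
# Assumed character set: letters, digits and underscores, ending in a digit.
is_link_name() {
    case $1 in
        ''|*[!A-Za-z0-9_]*|*[!0-9]) return 1 ;;
    esac
}

# Usage: mk_ipv4_tunnel LINK OUTER_LOCAL OUTER_REMOTE INNER_LOCAL INNER_REMOTE [HOPLIMIT]
mk_ipv4_tunnel() {
    link=$1; olocal=$2; oremote=$3; ilocal=$4; iremote=$5; hoplimit=${6:-}
    tflag=${TEMPORARY:+-t}    # -t on every command, or nothing at all
    is_link_name "$link" || { echo "invalid tunnel link name: $link" >&2; return 1; }
    # Host names are resolved again at every boot, so a persistent tunnel could
    # follow a changed or spoofed answer: insist on literal endpoint addresses.
    for ep in "$olocal" "$oremote"; do
        is_ipv4_literal "$ep" || { echo "tunnel endpoint is not an IPv4 literal: $ep" >&2; return 1; }
    done
    if [ -n "$hoplimit" ]; then
        case $hoplimit in *[!0-9]*) echo "hoplimit must be 1-255" >&2; return 1 ;; esac
        if [ "$hoplimit" -lt 1 ] || [ "$hoplimit" -gt 255 ]; then
            echo "hoplimit must be 1-255" >&2; return 1
        fi
    fi
    # The local endpoint must already be an address of this system (skipped in
    # dry-run mode, where ipadm may not exist). Assumes ipadm show-addr -p -o addr.
    if [ "${DRY_RUN:-0}" != 1 ]; then
        pat=$(printf '%s' "$olocal" | sed 's/\./\\./g')
        ipadm show-addr -p -o addr | grep -q "^$pat/" ||
            { echo "$olocal is not configured on this system" >&2; return 1; }
    fi
    run dladm create-iptun $tflag -T ipv4 -a "local=$olocal,remote=$oremote" "$link" || return 1
    if [ -n "$hoplimit" ]; then
        run dladm set-linkprop $tflag -p "hoplimit=$hoplimit" "$link" || return 1
    fi
    run ipadm create-ip $tflag "$link" || return 1
    run ipadm create-addr $tflag -a "local=$ilocal,remote=$iremote" "$link" || return 1
    run ipadm show-addr "$link/"
}

# Run as a script: DRY_RUN=1 sh mktun.sh vpn0 63.1.2.3 192.4.5.6 10.0.0.1 10.0.0.2 60
if [ $# -ge 5 ]; then
    mk_ipv4_tunnel "$@"
fi
```

Run with DRY_RUN=1 and the arguments of Example 6-2, the script prints the same four commands as that example, followed by the show-addr verification; without DRY_RUN it executes them and stops at the first failure, so a rejected create-iptun never leaves a half-configured interface behind.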
How to Configure a 6to4 Tunnel

In 6to4 tunnels, a 6to4 router must act as the IPv6 router to the nodes in the network's 6to4 sites. Thus, when configuring a 6to4 router, that router must also be configured as an IPv6 router on its physical interfaces. For more information about IPv6 routing, see IPv6 Routing.
Create the 6to4 tunnel:

# dladm create-iptun -T 6to4 -a local=address tunnel-link

The following options or arguments are available for this command:
-a local=address
Specifies the tunnel's local IPv4 address, which must already exist on the system to be a valid address. The site's 6to4 prefix, 2002:V4ADDR::/48, is derived from this address.
tunnel-link
Specifies the IP tunnel link. With support for meaningful names in network-link administration, tunnel names are no longer restricted to the type of tunnel that you are creating. Instead, a tunnel can be assigned any administratively chosen name. Tunnel names consist of a string and the PPA number, for example, mytunnel0. For rules governing the assignment of meaningful names, refer to Rules for Valid Link Names in Introduction to Oracle Solaris 11 Networking.
Create the IP interface over the tunnel:

# ipadm create-ip tunnel-interface

where tunnel-interface uses the same name as the tunnel link. For a 6to4 tunnel, a 6to4 address is configured on the interface automatically, as Example 6-4 shows.
Edit the /etc/inet/ndpd.conf file so that in.ndpd advertises a 6to4 subnet prefix on each subnet interface:

if subnet-interface AdvSendAdvertisements 1
prefix 6to4-subnet-prefix/64 subnet-interface

The first line specifies the subnet interface that sends the advertisement, that is, the link to which the subnet is connected. The second line is a prefix entry for that subnet: the prefix must begin with 2002, the IPv6 prefix that is reserved for 6to4, and is a /64 taken from your site's 2002:V4ADDR::/48, where V4ADDR is the hexadecimal form of the 6to4 router's IPv4 address.
For detailed information about the ndpd.conf file, refer to the ndpd.conf(4) man page.
Enable IPv6 forwarding so that the system acts as an IPv6 router:

# ipadm set-prop -p forwarding=on ipv6

Alternatively, send SIGHUP to the in.ndpd daemon so that it rereads /etc/inet/ndpd.conf and begins sending router advertisements. The IPv6 nodes on each subnet that receives the 6to4 prefix now autoconfigure with new 6to4-derived addresses.
(Optional) Add the new 6to4-derived addresses to the name service. For instructions, go to Configuring Name Service Support for IPv6.
Example 6-4 Creating a 6to4 Tunnel
In this example, the subnet interface is bge0, to which the /etc/inet/ndpd.conf entry refers in the appropriate step. The tunnel's local IPv4 address 192.168.35.10 gives the site the 6to4 prefix 2002:c0a8:230a::/48 (c0a8:230a is 192.168.35.10 in hexadecimal), from which both the tunnel's own address and the subnet prefix in ndpd.conf are taken.
This example shows how to create a 6to4 tunnel. Note that only IPv6 interfaces can be configured over 6to4 tunnels.
# dladm create-iptun -T 6to4 -a local=192.168.35.10 tun0
# ipadm create-ip tun0
# ipadm show-addr
ADDROBJ     TYPE     STATE   ADDR
lo0/v4      static   ok      127.0.0.1/8
net0/v4     static   ok      192.168.35.10/24
lo0/v6      static   ok      ::1/128
tun0/_a     static   ok      2002:c0a8:230a::1/64
# ipadm create-addr -a 2002:c0a8:230a::2/16 tun0
# ipadm create-addr -a 2002:c0a8:230a::3/16 tun0
# ipadm show-addr tun0/
ADDROBJ     TYPE     STATE   ADDR
tun0/_a     static   ok      2002:c0a8:230a::1/64
tun0/v6     static   ok      2002:c0a8:230a::2/16
tun0/v6a    static   ok      2002:c0a8:230a::3/16
# vi /etc/inet/ndpd.conf
if bge0 AdvSendAdvertisements 1
prefix 2002:c0a8:230a:1::/64 bge0
# ipadm set-prop -p forwarding=on ipv6
Note that for 6to4 tunnels, the prefix for the IPv6 address is 2002.
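An added example, not from the Oracle documentation, for the 6to4 addressing used in this procedure and in Example 6-4: it derives the 2002:V4ADDR 6to4 prefix from a tunnel's local IPv4 address (192.168.35.10 gives 2002:c0a8:230a, in the compressed form ipadm displays), recovers the IPv4 address embedded in a 6to4 address, and combines the two into the consistency check that RFC 3964 recommends for decapsulated 6to4 packets: the outer IPv4 source must equal the address embedded in the inner IPv6 source, otherwise the packet is spoofed. That check is not described on this page. The function names are this example's own, and the IPv6 parsing handles only the "::" compression, not dotted-quad suffixes.

```sh
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: 6to4 prefix
# derivation, embedded-IPv4 extraction and the RFC 3964 source check.

# Print the 2002:XXXX:XXXX 6to4 prefix for a dotted-quad IPv4 address, with
# leading zeros of each group dropped as ipadm prints them (10.8.48.149 gives
# 2002:a08:3095). Octets with leading zeros are rejected (parsers disagree on
# whether 035 is octal or decimal).
sixto4_prefix() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '2002:%x:%x\n' $(($1 * 256 + $2)) $(($3 * 256 + $4))
}

# Expand an IPv6 address into its eight 16-bit hex groups, one per output line,
# resolving a single "::" zero run. Returns 1 for anything malformed.
ipv6_groups() {
    addr=$1
    case $addr in
        *::*::*|*:::*) return 1 ;;
        *::*)
            left=${addr%%::*}; right=${addr#*::}
            set -- $(printf '%s' "$left" | tr ':' ' '); nleft=$#
            set -- $(printf '%s' "$right" | tr ':' ' '); nright=$#
            fill=$((8 - nleft - nright))
            [ "$fill" -ge 1 ] || return 1
            zeros=''
            while [ "$fill" -gt 0 ]; do zeros="$zeros 0"; fill=$((fill - 1)); done
            full="$(printf '%s' "$left" | tr ':' ' ')$zeros $(printf '%s' "$right" | tr ':' ' ')"
            ;;
        *) full=$(printf '%s' "$addr" | tr ':' ' ') ;;
    esac
    set -- $full
    [ $# -eq 8 ] || return 1
    for g in "$@"; do
        case $g in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
        [ ${#g} -le 4 ] || return 1
    done
    printf '%s\n' "$@"
}

# Print the IPv4 address embedded in a 6to4 address (2002:V4HI:V4LO::/48).
sixto4_embedded_v4() {
    groups=$(ipv6_groups "$1") || return 1
    set -- $groups
    [ "$1" = 2002 ] || return 1          # not a 6to4 address at all
    hi=$((0x$2)); lo=$((0x$3))
    printf '%d.%d.%d.%d\n' $((hi >> 8)) $((hi & 255)) $((lo >> 8)) $((lo & 255))
}

# RFC 3964 check for a decapsulated 6to4 packet: outer IPv4 source ($1) must
# match the IPv4 address embedded in the inner IPv6 source ($2).
sixto4_check_source() {
    emb=$(sixto4_embedded_v4 "$2") || return 1
    [ "$(sixto4_prefix "$1")" = "$(sixto4_prefix "$emb")" ]
}

# Run as a script with one argument: sh sixto4.sh 192.168.35.10
if [ $# -eq 1 ]; then
    sixto4_prefix "$1"
fi
```

The same arithmetic explains the addresses in Example 6-4: the tunnel's local 192.168.35.10 is c0a8:230a in hexadecimal, so every address the site advertises lies under 2002:c0a8:230a::/48, and a packet arriving over the tunnel whose inner source is 2002:c0a8:230a::2 is only plausible if its outer IPv4 source is 192.168.35.10.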
How to Configure a 6to4 Tunnel to a 6to4 Relay Router

Caution - Because of major security issues, by default, 6to4 relay router support is disabled in Oracle Solaris. Packets that arrive by way of a relay router are accepted on the strength of their IPv4 encapsulation alone, with no authentication of the relay or of the IPv6 source. See Security Issues When Tunneling to a 6to4 Relay Router in Troubleshooting Network Issues.
Before You Begin
Before you enable a tunnel to a 6to4 relay router, you must have completed the following tasks:
Configured a 6to4 router at your site, as explained in How to Configure a 6to4 Tunnel
Reviewed the security issues that are involved in tunneling to a 6to4 relay router
Enable a tunnel to an anycast 6to4 relay router.
# /usr/sbin/6to4relay -e
The -e option sets up a tunnel between the 6to4 router and an anycast 6to4 relay router. Anycast 6to4 relay routers have the well-known IPv4 address 192.88.99.1. The anycast relay router that is physically nearest to your site becomes the endpoint for the 6to4 tunnel. This relay router then handles packet forwarding between your 6to4 site and a native IPv6 site.
For detailed information about anycast 6to4 relay routers, refer to RFC 3068, "An Anycast Prefix for 6to4 Relay Routers".
Alternatively, enable a tunnel to a specific 6to4 relay router:

# /usr/sbin/6to4relay -e -a relay-router-address

The -a option indicates that a specific router address is to follow. Replace relay-router-address with the IPv4 address of the specific 6to4 relay router with which you want to enable a tunnel.
The tunnel to the 6to4 relay router remains active until you remove the 6to4 tunnel pseudo-interface or disable relay router support:

# /usr/sbin/6to4relay -d
Your site might have a compelling reason to have the tunnel to the 6to4 relay router reinstated each time the 6to4 router reboots. To support this scenario, edit the configuration file that holds the RELAY6TO4ADDR parameter; the line that you need to modify is at the end of the file.
For the parameter RELAY6TO4ADDR, change the address 192.88.99.1 to the IPv4 address of the 6to4 relay router that you want to use.
Example 6-5 Getting Status Information About 6to4 Relay Router Support
You can use the /usr/sbin/6to4relay command to find out whether support for 6to4 relay routers is enabled. The next example shows the output when support for 6to4 relay routers is disabled, as is the default in Oracle Solaris:
# /usr/sbin/6to4relay
6to4relay: 6to4 Relay Router communication support is disabled.
When support for 6to4 relay routers is enabled, you receive the following output:
# /usr/sbin/6to4relay
6to4relay: 6to4 Relay Router communication support is enabled.
IPv4 remote address of Relay Router=192.88.99.1
How to Modify an IP Tunnel Configuration

Change the tunnel's local or remote address:

# dladm modify-iptun [-t] -a [local|remote]=addr,... tunnel-link

You cannot modify an existing tunnel's type. Thus, the -T type option is not allowed for this command. Only the following tunnel parameters can be modified:
-t
Makes the change temporary: the persistent configuration is left unchanged and is restored when the system reboots, as in Example 6-6.
-a [local|remote]=addr,...
Specifies literal IP addresses or host names that correspond to the local address and the remote tunnel address. Depending on the type of tunnel, you specify either only one address, or both local and remote addresses. If specifying both local and remote addresses, you must separate the addresses with a comma.
IPv4 tunnels require local and remote IPv4 addresses to function.
IPv6 tunnels require local and remote IPv6 addresses to function.
6to4 tunnels require a local IPv4 address to function.
For persistent IP tunnel data-link configurations, if you are using host names for addresses, these host names are saved in the configuration storage. During a subsequent system boot, if the names resolve to IP addresses that are different from the IP addresses used when the tunnel was created, then the tunnel acquires a new configuration.
If you are changing the tunnel's local and remote addresses, ensure that these addresses are consistent with the type of tunnel that you are modifying.
Note - If you want to change the name of the tunnel link, do not use the modify-iptun subcommand. Instead, use dladm rename-link.
# dladm rename-link old-tunnel-link new-tunnel-link
Similarly, do not use the modify-iptun command to change tunnel properties such as the hoplimit or encaplimit. Instead, use the dladm set-linkprop command to set values for these properties.
Example 6-6 Modifying a Tunnel's Address and Properties
This example consists of two procedures. First, the local and remote addresses of the IPv4 tunnel vpn0 are temporarily changed. When the system is later rebooted, the tunnel reverts to using the original addresses. A second procedure changes the hoplimit of vpn0 to 60.
# dladm modify-iptun -t -a local=10.8.48.149,remote=192.1.2.3 vpn0
# dladm set-linkprop -p hoplimit=60 vpn0
How to Display an IP Tunnel's Configuration

Display the configuration of one tunnel or of all tunnels:

# dladm show-iptun [-p] [-o fields] [tunnel-link]

The following options can be used with the command:
-p
Displays the information in a machine-parseable format. This argument is optional.
-o fields
Displays selected fields that provide specific tunnel information. This argument is optional.
tunnel-link
Specifies the tunnel whose configuration information you want to display. This argument is optional. If you omit the tunnel name, the command displays the information about all the tunnels in the system.
Example 6-7 Displaying Information About All Tunnels
In this example, two tunnels exist on the system.
# dladm show-iptun
LINK   TYPE   FLAGS   LOCAL           REMOTE
tun0   6to4   --      192.168.35.10   --
vpn0   ipv4   --      10.8.48.149     192.1.2.3
Example 6-8 Displaying Selected Fields in a Machine-Parseable Format
In this example, only specific fields with tunnel information are displayed.
# dladm show-iptun -p -o link,type,local
tun0:6to4:192.168.35.10
vpn0:ipv4:10.8.48.149
Display the tunnel's link properties:

# dladm show-linkprop [-c] [-o fields] [tunnel-link]

The following options can be used with the command:
-c
Displays the information in a machine-parseable format. This argument is optional.
-o fields
Displays selected fields that provide specific information about the link's properties. This argument is optional.
tunnel-link
Specifies the tunnel whose properties you want to display. This argument is optional. If you omit the tunnel name, the command displays the properties of all the links in the system, not only the tunnels.
Example 6-9 Displaying a Tunnel's Properties
This example shows how to display all of a tunnel's link properties.
# dladm show-linkprop tun0
LINK   PROPERTY   PERM   VALUE   DEFAULT   POSSIBLE
tun0   autopush   --     --      --        --
tun0   zone       rw     --      --        --
tun0   state      r-     up      up        up,down
tun0   mtu        r-     65515   --        576-65495
tun0   maxbw      rw     --      --        --
tun0   cpus       rw     --      --        --
tun0   priority   rw     high    high      low,medium,high
tun0   hoplimit   rw     64      64        1-255
How to Delete an IP Tunnel

Delete the IP interface that is configured over the tunnel:

# ipadm delete-ip tunnel-link

Note - To successfully delete a tunnel, no existing IP interface can be plumbed on the tunnel.
Delete the tunnel:

# dladm delete-iptun tunnel-link

The only option for this command is -t, which deletes the tunnel temporarily. When you reboot the system, the tunnel is restored from its persistent configuration.
Example 6-10 Deleting an IPv6 Tunnel That is Configured With an IPv6 Interface
In this example, a persistent tunnel is permanently deleted.
# ipadm delete-ip ip6.tun0
# dladm delete-iptun ip6.tun0