
How do I configure my Solaris VPN network?

I have 5 offices in Texas VPN'd into our Seattle office, where we have two Solaris servers. I can ping the Solaris servers from within our Seattle office; however, I cannot from the remote offices. I have checked the VPNs, and I can ping any other piece of equipment from the remote sites except the Seattle servers.

When trying to ping a computer at one of the remote sites from the Solaris servers, I get the following reply: "ICMP Communication Administratively Prohibited from gateway".

I'm questioning the IP configuration of our Solaris servers in Seattle. When running the command "/sbin/ifconfig -a", I received the following in return:

lo0: flags=1000849 mtu 8232 index 1
        inet 127.0.0.1 netmask ff000000
eri0: flags=1000843 mtu 1500 index 2
        inet 10.10.10.21 netmask ff000000 broadcast 10.255.255.255
        ether 0:3:ba:18:6f:5

The segment in Seattle is 10.10.10.0 with a subnet mask of 255.255.255.0 and a gateway of 10.10.10.1; however, this is not what I see above. One of the remote sites uses the 10.140.59.0 segment. Do I have to configure routing tables within each Solaris server, or just properly configure the IP settings? Can you comment?
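As an added worked example (not part of the question or either answer): the netmask shown by ifconfig is ff000000, which is 255.0.0.0, so the Solaris host considers every 10.x.x.x address, including the remote 10.140.59.0 segment, to be on its own wire and will never hand such packets to the 10.10.10.1 gateway. The script below, written for this page, reproduces that forwarding decision under the configured mask and under the intended 255.255.255.0; the remote destination addresses are sample values.

```python
import ipaddress

# Interface data transcribed from the ifconfig output in the question.
# Solaris prints the netmask in hex: ff000000 is 255.0.0.0 (a /8).
SOLARIS_ADDR = "10.10.10.21"
SOLARIS_MASK_HEX = "ff000000"
# What the questioner says the Seattle segment is supposed to be.
INTENDED_MASK = "255.255.255.0"
GATEWAY = "10.10.10.1"


def hex_netmask_to_dotted(mask_hex: str) -> str:
    """Convert an ifconfig-style hex netmask ('ff000000') to dotted quad."""
    return str(ipaddress.IPv4Address(int(mask_hex, 16)))


def next_hop(addr: str, mask: str, dest: str, gateway: str) -> str:
    """Where a host with addr/mask sends a packet for dest.

    'direct' means the host believes dest is on the local segment and will
    ARP for it; otherwise the packet goes to the default gateway.
    """
    iface = ipaddress.IPv4Interface(f"{addr}/{mask}")
    if ipaddress.IPv4Address(dest) in iface.network:
        return "direct"
    return gateway


def compare_masks(dest: str) -> dict:
    """Forwarding decision for dest under the configured /8 and the intended /24."""
    configured_mask = hex_netmask_to_dotted(SOLARIS_MASK_HEX)
    return {
        "configured": next_hop(SOLARIS_ADDR, configured_mask, dest, GATEWAY),
        "intended": next_hop(SOLARIS_ADDR, INTENDED_MASK, dest, GATEWAY),
    }


if __name__ == "__main__":
    # Sample destinations: the gateway, a host on the 10.140.59.0 remote
    # segment from the question, and a non-10.x address.
    for dest in ("10.10.10.1", "10.140.59.10", "192.168.0.10"):
        print(f"{dest:>14}: {compare_masks(dest)}")
```

With the /8 mask a reply to 10.140.59.10 is marked "direct" and never reaches the VPN gateway, while the /24 mask sends it to 10.10.10.1 as intended.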


Dave's Answer:

Well, my first comment is "um, that's far beyond my own understanding of networking and network configuration", but fortunately one of the Friends of Ask Dave Taylor has come to the rescue with this detailed response:


interesting ... but you do not tell us enough .. for example, is the internet connection via private or public networks? I assume that it is provided by public networks, thus there is some "confusion". I also assume that you use some kind of hardware which provides for the VPN tunnels between the remote offices and the Seattle servers. This I assume because you mention below that the route is 10.10.10.1, which is in the class A private IP address space.

I hope the explanation below helps highlight the position.

                     Seattle              Remote
Private IP           10.10.10.21          192.168.0.10
Router IP            10.10.10.1           192.168.0.1
Public Interface IP  xxx.xxx.xxx.xxx      yyy.yyy.yyy.yyy

VPN Hardware listens on xxx.xxx.xxx.xxx

When VPN Hardware listens on xxx.xxx.xxx.xxx and gets a connection from yyy.yyy.yyy.yyy it will SPAWN a local looking IP Address eg. 10.10.10.55 for itself and assign the other side with a corresponding local looking IP Address eg. 10.10.10.77

The remote side will then start sending all outgoing data from virtual interface 10.10.10.77 (Remote Virtual) --> 10.10.10.55 (Seattle Virtual)

Alongside this, the default route will usually also be 10.10.10.55.

When the Seattle servers get any incoming on the virtual interface of 10.10.10.55 it treats it as a trusted network connection and assumes that anything incoming with the virtual IP of 10.10.10.77 (Remote) is part of its own LAN.

Note that ALL VPN connectivity server/client is controlled by your HARDWARE VPNs. Running ifconfig on the Solaris will do nothing but report whatever static IP is assigned to the local NIC.

It's just that the Solaris machines will treat 10.10.10.77 and .55 as local area connections and "should" not be able to notice that it is truly a VPN connection or tunnel.

The important thing to remember here is that VPNs _do not_ use "true" IP addresses assigned by DHCP/PPP in the usual way. That's probably why your remote site with 10.140.59.x (real IP) reports accordingly.

To further illustrate the point: if I choose to dial up normally with a plain old modem .. the ISP will _assign_ my connection an IP and itself another IP. After that all my outgoing/incoming traffic will be via my assigned IP, routed out to the other side where it gets forwarded accordingly.

Quite similar with VPN, when the VPN server listens on an interface for incoming requests and assigns one IP for itself and another for the client.. even thru a regular DSL (in other words a public network).

Hence if you have the software for it ... you may connect to your Seattle VPN connection if the hardware will accept the incoming VPN request and start your VPN session ... even if you were at a cyber-cafe with some outgoing public IP Address space.

Cannot PING

Ping operates at the ICMP level, and ordinarily root-level and/or suid-level access is required to even run ping. Note the suid bit on ping may be removed.

It seems strange to me that if you can ping a .. say network printer at Seattle from the remote side, you should also be able to ping your Solaris servers... one possible explanation is that you may have some kind of IDS (Intrusion Detection/Prevention System) on the Solaris machines, and if it cannot make out the incoming ping it rejects it.

Assuming you use IPsec .. you will need to include #ping -P [blah] coz it needs to go out using the ESP transport mode... I've got no experience here but have seen man ping. It may be relevant.

Hope this helps.

kjteoh



© 2002 - 2009 by Dave Taylor. All Rights Reserved.
