Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle® Solaris 11.2


Updated: July 2014
 
 

How to Create and Configure an IP Tunnel

  1. Become the root role.
  2. Create the tunnel.
    # dladm create-iptun [-t] -T type -a [local|remote]=addr,... tunnel-link
    -t

    Creates a temporary tunnel. By default, the command creates a persistent tunnel.

    If you want to configure a persistent IP interface over the tunnel, then you must create a persistent tunnel and not use the -t option.

    -T type

    Specifies the type of tunnel you want to create. This argument is required to create all tunnel types.

    -a [local|remote]=address,...

    Specifies literal IP addresses or host names that correspond to the local address and the remote tunnel address. The addresses must be valid and already created in the system. Depending on the type of tunnel, you specify either only one address, or both local and remote addresses. If specifying both local and remote addresses, you must separate the addresses with a comma.

    • IPv4 tunnels require local and remote IPv4 addresses to function.

    • IPv6 tunnels require local and remote IPv6 addresses to function.

    • 6to4 tunnels require a local IPv4 address to function.


    Note - For persistent IP tunnel data-link configurations, if you are using host names for addresses, these host names are saved in the configuration storage. During a subsequent system boot, if the names resolve to IP addresses that are different from the IP addresses used when the tunnel was created, then the tunnel acquires a new configuration.

    tunnel-link

    Specifies the IP tunnel link. With support for meaningful names in network-link administration in this release, tunnel names are no longer restricted to the type of tunnel that you are creating. Instead, you can assign any administratively chosen name to a tunnel. Tunnel names consist of a string and the physical point of attachment (PPA) number, for example, mytunnel0. For rules governing the assignment of meaningful names, refer to Rules for Valid Link Names in Configuring and Administering Network Components in Oracle Solaris 11.2.

  3. (Optional) Set values for the hop limit or the encapsulation limit.
    # dladm set-linkprop -p [hoplimit=value] [encaplimit=value] tunnel-link
    hoplimit

    Specifies the hop limit of the tunnel interface for tunneling over IPv6. The hoplimit is the equivalent of the IPv4 time to live (TTL) field for tunneling over IPv4.

    encaplimit

    Specifies the number of levels of nested tunneling that are allowed for a packet. This option applies only to IPv6 tunnels.

    The values that you set for the hoplimit and encaplimit properties must remain within acceptable ranges. The hoplimit and encaplimit properties are tunnel link properties. Thus, these properties are administered by the same dladm subcommands as other link properties. The subcommands that you use are dladm set-linkprop, dladm reset-linkprop, and dladm show-linkprop.

  4. Create an IP interface over the tunnel.
    # ipadm create-ip tunnel-interface

    where tunnel-interface uses the same name as the tunnel link.

  5. Assign local and remote IP addresses to the tunnel interface.
    # ipadm create-addr [-t] -a local=address,remote=address interface

    where interface specifies the tunnel interface.

    For more information, see the ipadm(1M) man page and Configuring and Administering Network Components in Oracle Solaris 11.2.

  6. (Optional) Verify the status of the tunnel's IP interface configuration.
    # ipadm show-addr interface
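
As an added example (not part of Oracle's documentation), the following shell functions apply the step 2 address rules before dladm create-iptun is run: they check that the local and remote endpoints match the tunnel type, and they flag host names on persistent tunnels, whose endpoint can change after a reboot as the note in step 2 describes. The function names and the host name gw.example.com are assumptions made for illustration.

```shell
# Added example, not Oracle's code; all function names are hypothetical.

is_ipv4() {                      # true for a dotted-decimal IPv4 literal
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1                    # split into octets (digits and dots only)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

is_ipv6() {                      # loose syntactic screen; dladm parses for real
    case $1 in *[!0-9A-Fa-f:.]*) return 1 ;; *:*:*) return 0 ;; esac
    return 1
}

addr_kind() {                    # prints v4, v6, or name (not a literal)
    if is_ipv4 "$1"; then echo v4; elif is_ipv6 "$1"; then echo v6; else echo name; fi
}

# check_iptun TYPE LOCAL [REMOTE] [persistent|temporary]
# Prints ok, "warn: ..." or "error: ..."; returns non-zero only on error.
check_iptun() {
    ttype=$1; local_addr=$2; remote_addr=$3; mode=${4:-persistent}; names=
    case $ttype in
        ipv4|6to4) want=v4 ;;    # 6to4 needs only a local IPv4 address
        ipv6)      want=v6 ;;
        *) echo "error: unknown tunnel type '$ttype'"; return 1 ;;
    esac
    for role in local remote; do
        if [ "$role" = local ]; then addr=$local_addr; else addr=$remote_addr; fi
        if [ "$role" = remote ] && [ "$ttype" = 6to4 ]; then continue; fi
        [ -n "$addr" ] || { echo "error: $ttype tunnel needs a $role address"; return 1; }
        case $(addr_kind "$addr") in
            "$want") ;;
            name) names="$names $role=$addr" ;;
            *) echo "error: $role=$addr is the wrong address family for $ttype"; return 1 ;;
        esac
    done
    if [ -n "$names" ] && [ "$mode" = persistent ]; then
        echo "warn: host name stored for$names; endpoint follows name resolution at boot"
    else echo ok; fi
}

check_iptun ipv4 192.0.2.23 203.0.113.14
check_iptun ipv4 gw.example.com 203.0.113.14     # constructed host name
check_iptun ipv6 192.0.2.23 2001:db8:beef::4321 || true
```

Pass temporary as the fourth argument when the tunnel is created with -t, because host names are saved only for persistent tunnel configurations.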

Example 5-1  Creating an IPv6 Interface Over an IPv4 Tunnel

The following example shows how you would create a persistent IPv6 over IPv4 tunnel.

# dladm create-iptun -T ipv4 -a local=192.0.2.23,remote=203.0.113.14 private0
# dladm set-linkprop -p hoplimit=200 private0
# ipadm create-ip private0
# ipadm create-addr -T addrconf private0
private0/v6
# ipadm show-addr private0/
ADDROBJ           TYPE     STATE        ADDR
private0/v6       addrconf ok           fe80::c000:217->fe80::cb00:710e

To add alternative addresses, use the same syntax. For example, you can add a global address as follows:

# ipadm create-addr -a local=2001:db8:4728::1,remote=2001:db8:4728::2 private0
private0/v6a
# ipadm show-addr private0/
ADDROBJ           TYPE     STATE        ADDR
private0/v6       addrconf ok           fe80::c000:217->fe80::cb00:710e
private0/v6a      static   ok           2001:db8:4728::1->2001:db8:4728::2

Note that the prefix 2001:db8 for the IPv6 address is a special IPv6 prefix that is used specifically for documentation examples.

Example 5-2  Creating an IPv4 Interface Over an IPv4 Tunnel

The following example shows how you would create a persistent IPv4 over IPv4 tunnel.

# dladm create-iptun -T ipv4 -a local=192.0.2.23,remote=203.0.113.14 vpn0
# ipadm create-ip vpn0
# ipadm create-addr -a local=10.0.0.1,remote=10.0.0.2 vpn0
vpn0/v4
# ipadm show-addr vpn0/
ADDROBJ           TYPE     STATE        ADDR
vpn0/v4           static   ok           10.0.0.1->10.0.0.2

You can further configure IPsec policy to provide secure connections for the packets that flow over this tunnel. For information, see Chapter 7, Configuring IPsec, in Securing the Network in Oracle Solaris 11.2.

Example 5-3  Creating an IPv6 Interface Over an IPv6 Tunnel

The following example shows how you would create a persistent IPv6 over IPv6 tunnel.

# dladm create-iptun -T ipv6 -a local=2001:db8:feed::1234,remote=2001:db8:beef::4321 tun0
# ipadm create-ip tun0
# ipadm create-addr -T addrconf tun0
tun0/v6
# ipadm show-addr tun0/
ADDROBJ           TYPE     STATE        ADDR
tun0/v6           addrconf ok           fe80::1234->fe80::4321

To add addresses, for example, a global address or alternative local and remote addresses, use the ipadm command as follows:

# ipadm create-addr -a local=2001:db8:cafe::1,remote=2001:db8:cafe::2 tun0
tun0/v6a
# ipadm show-addr tun0/
ADDROBJ           TYPE     STATE        ADDR
tun0/v6           addrconf ok           fe80::1234->fe80::4321
tun0/v6a          static   ok           2001:db8:cafe::1->2001:db8:cafe::2