JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
System Administration Guide: IP Services     Oracle Solaris 11 Express 11/10
search filter icon
search icon

Document Information

Preface

Part I TCP/IP Administration

1.  Planning an IPv4 Addressing Scheme (Tasks)

2.  Planning an IPv6 Addressing Scheme (Overview)

3.  Planning an IPv6 Network (Tasks)

4.  Configuring TCP/IP Network Services and IPv4 Addressing (Tasks)

5.  Enabling IPv6 on a Network (Tasks)

6.  Administering a TCP/IP Network (Tasks)

7.  Configuring IP Tunnels

What's New in IP Tunnel Administration

Overview of IP Tunnels

Types of Tunnels

Tunnels in the Combined IPv6 and IPv4 Network Environments

6to4 Tunnels

Topology of a 6to4 Tunnel

Packet Flow Through the 6to4 Tunnel

Considerations for Tunnels to a 6to4 Relay Router

Deploying Tunnels

Requirements for Creating Tunnels

Requirements for Tunnels and IP Interfaces

Tunnel Configuration and Administration With the dladm Command

dladm Subcommands

Configuring Tunnels (Task Map)

How to Create and Configure an IP Tunnel

How to Configure a 6to4 Tunnel

How to Configure a 6to4 Tunnel to a 6to4 Relay Router

How to Modify an IP Tunnel Configuration

How to Display an IP Tunnel's Configuration

How to Display an IP Tunnel's Properties

How to Delete an IP Tunnel

8.  Troubleshooting Network Problems (Tasks)

9.  TCP/IP and IPv4 in Depth (Reference)

10.  IPv6 in Depth (Reference)

Part II DHCP

11.  About DHCP (Overview)

12.  Planning for DHCP Service (Tasks)

13.  Configuring the DHCP Service (Tasks)

14.  Administering DHCP (Tasks)

15.  Configuring and Administering the DHCP Client

16.  Troubleshooting DHCP (Reference)

17.  DHCP Commands and Files (Reference)

Part III IP Security

18.  IP Security Architecture (Overview)

19.  Configuring IPsec (Tasks)

20.  IP Security Architecture (Reference)

21.  Internet Key Exchange (Overview)

22.  Configuring IKE (Tasks)

23.  Internet Key Exchange (Reference)

24.  IP Filter in Oracle Solaris (Overview)

25.   IP Filter (Tasks)

Part IV Networking Performance

26.  Integrated Load Balancer Overview

27.  Configuration of Integrated Load Balancer Tasks

28.  Virtual Router Redundancy Protocol (Overview)

29.  VRRP Configuration (Tasks)

30.  Implementing Congestion Control

Part V IP Quality of Service (IPQoS)

31.  Introducing IPQoS (Overview)

32.  Planning for an IPQoS-Enabled Network (Tasks)

33.  Creating the IPQoS Configuration File (Tasks)

34.  Starting and Maintaining IPQoS (Tasks)

35.  Using Flow Accounting and Statistics Gathering (Tasks)

36.  IPQoS in Detail (Reference)

Glossary

Index

Tunnel Configuration and Administration With the dladm Command

This section describes procedures that use the dladm command to configure tunnels.

dladm Subcommands

Previously, all aspects of IP tunneling configuration required the use of the ifconfig command. Beginning with this Oracle Solaris release, tunnel administration is now separated from IP interface configuration. The data-link aspect of IP tunnels is now administered with the dladm command. Additionally, IP interface configuration, including the IP tunnel interface, is performed with the ipadm command.

To maintain compatibility with the implementation in previous Oracle Solaris releases, the ifconfig command remains as a valid method for configuring tunnel links.

The following subcommands of dladm are used to configure IP tunnels:

For details about the dladm command, refer to the dladm(1M) man page.


Note - IP tunnel administration is closely associated with IPsec configuration. For example, IPsec virtual private networks (VPNs) are one of the primary uses of IP tunneling. For more information about security in Oracle Solaris, see Part III, IP Security. To configure IPsec, see Chapter 19, Configuring IPsec (Tasks).


Configuring Tunnels (Task Map)

Task
Description
For Instructions
Create an IP tunnel.
Configure the tunnel to be used for communicating across networks.
Modify a tunnel's configuration.
Change the tunnel's original parameters, such as the tunnel's source or destination address.
Display a tunnel configuration.
Show configuration information for either a specific tunnel or all of the system's IP tunnels.
Delete a tunnel.
Delete a tunnel configuration.

How to Create and Configure an IP Tunnel

  1. Create the tunnel.
    # dladm create-iptun [-t] -T type -a [local|remote]=addr,... tunnel-link

    The following options or arguments are available for this command:

    -t

    Creates a temporary tunnel. By default, the command creates a persistent tunnel.


    Note - If you want to configure a persistent IP interface over the tunnel, then you must create a persistent tunnel and not use the -t option.


    -T type

    Specifies the type of tunnel you want to create. This argument is required to create all tunnel types.

    -a [local|remote]=address,...

    Specifies literal IP addresses or host names that correspond to the local address and the remote tunnel address. The addresses must be valid and already created in the system. Depending on the type of tunnel, you specify either only one address, or both local and remote addresses. If specifying both local and remote addresses, you must separate the addresses with a comma.

    • IPv4 tunnels require local and remote IPv4 addresses to function.

    • IPv6 tunnels require local and remote IPv6 addresses to function.

    • 6to4 tunnels require a local IPv4 address to function.


    Note - For persistent IP tunnel data-link configurations, if you are using host names for addresses, these host names are saved in the configuration storage. During a subsequent system boot, if the names resolve to IP addresses that are different from the IP addresses used when the tunnel was created, then the tunnel acquires a new configuration.


    tunnel-link

    Specifies the IP tunnel link. With support for meaningful names in a network-link administration, tunnel names are no longer restricted to the type of tunnel that you are creating. Instead, a tunnel can be assigned any administratively chosen name. Tunnel names consist of a string and the physical point of attachment (PPA) number, for example, mytunnel0. For rules governing the assignment of meaningful names, refer to Rules for Valid Link Names in System Administration Guide: Network Interfaces and Network Virtualization.

    If you do not specify the tunnel link, then the name is automatically supplied according to the following naming conventions:

    • For IPv4 tunnels: ip.tun#

    • For IPv6 tunnels: ip6.tun#

    • For 6to4 tunnels: ip.6to4tun#

    The # is the lowest available PPA number for the tunnel type that you are creating.

  2. (Optional) Set values for the hop limit or the encapsulation limit.
    # dladm set-linkprop -p [hoplimit=value] [encaplimit=value] tunnel-link
    hoplimit

    Specifies the hop limit of the tunnel interface for tunneling over IPv6. The hoplimit is the equivalent of the IPv4 time to live (TTL) field for tunneling over IPv4.

    encaplimit

    Specifies the number of levels of nested tunneling that are allowed for a packet. This option applies only to IPv6 tunnels.

    Specifies the number of levels of nested tunneling that are allowed for a packet. This option applies only to IPv6 tunnels.


    Note - The values of that you set for hoplimit and encaplimit must remain within acceptable ranges. The hoplimit and encaplimit are tunnel link properties. Thus, these properties are administered by the same dladm subcommands as for other link properties. The subcommands are dladm set-linkprop, dladm reset-linkprop, and dladm show-linkprop. Refer to the dladm(1M) man page for the different subcommands that are used with the dladm command to administer links.


  3. Create an IP interface over the tunnel.
    # ipadm create-ip tunnel-interface

    where tunnel-interface uses the same name as the tunnel link.

  4. Assign local and remote IP addresses to the tunnel interface.
    # ipadm create-addr [-t] -T static -a local=address,remote=address addrobj
    -t

    Indicates a temporary IP configuration rather than a persistent IP configuration over the tunnel. If you do not use this option, then the IP interface configuration is a persistent configuration.

    -T static

    Indicates that static IP addresses are used instead of the dynamic IP procedures.

    -a local=address,remote=address

    Specifies the IP addresses of the tunnel interface. Both source and destination IP addresses are required, as represented by local and remote. Local and remote addresses can either be IPv4 or IPv6 addresses.

    addrobj

    Specifies the address object that owns the local and remote addresses. The addrobj must use the format interface/user-specified-string. The user-specified-string refers to a string of alphanumeric characters that begins with an alphabet character and has a maximum length of 32 characters.

    For more information about the ipadm command and the different options to configure IP interfaces, including tunnel interfaces, see the ipadm(1M) man page and Part II, Administering Single Interfaces, in System Administration Guide: Network Interfaces and Network Virtualization.

  5. Add the tunnel configuration information to the /etc/hosts file.
  6. (Optional) Verify the status of the tunnel's IP interface configuration.
    # ipadm show-addr interface

Example 7-1 Creating an IPv6 Interface Over an IPv4 Tunnel

This example shows how to create a persistent IPv6 over IPv4 tunnel.

# dladm create-iptun -T ipv4 -a local=63.1.2.3,remote=192.4.5.6 private0
# dladm set-linkprop -p hoplimit=200 private0
# ipadm create-ip private0
# ipadm create-addr -T addrconf private0/v6
# ipadm show-addr private/
ADDROBJ       TYPE     STATE   ADDR
private0/v6   static   ok      fe80::a08:392e/10 --> fe80::8191:9a56

To add alternative addresses, use the same syntax while using a different user-specified-string for addrobj. For example, you can add a global address as follows:

# ipadm create-addr -T static -a local=2001:db8:4728::1, \
remote=2001:db8:4728::2 private0/global
# ipadm show-addr private0/
ADDROBJ          TYPE       STATE   ADDR
private0/v6      addrconf   ok      fe80::a08:392e/10 --> fe80::8191:9a56
private0/global  static     ok      2001:db8:4728::1 --> 2001:db8:4728::2

Note that the prefix 2001:db8 for the IPv6 address is a special IPv6 prefix that is used specifically for documentation examples. For a description of IPv6 addresses and format, see IPv6 Addressing Overview.

Example 7-2 Creating an IPv4 Interface Over an IPv4 Tunnel

This example shows how to create a persistent IPv4 over IPv4 tunnel.

# dladm create-iptun -T ipv4 -a local=63.1.2.3,remote=192.4.5.6 vpn0
# ipadm create-ip vpn0
# ipadm create-addr -T static -a local=10.0.0.1,remote=10.0.0.2 vpn0/v4
# ipadm show-addr
ADDROBJ   TYPE     STATE   ADDR
lo0/v4    static   ok      127.0.0.1
vpn0/v4   static   ok      10.0.0.1-->10.0.0.2

You can further configure IPsec policy to provide secure connections for the packets that flow over this tunnel. For information about IPsec configuration, see Chapter 19, Configuring IPsec (Tasks).

Example 7-3 Creating an IPv6 Interface Over an IPv6 Tunnel

This example shows how to create a persistent IPv6 over IPv6 tunnel.

# dladm create-iptun -T ipv6 -a local=2001:db8:feed::1234,remote=2001:db8:beef::4321 \
tun0
# ipadm create-ip tun0
# ipadm create-addr -T addrconf tun0/v6
# ipadm show-addr
ADDROBJ   TYPE       STATE   ADDR
lo0/v6    static     ok      ::1/128
tun0/v6   addrconf   ok      2001:db8:feed::1234 --> 2001:db8:beef::4321

To add addresses such as a global address or alternative local and remote addresses, use the ipadm command as follows:

# ipadm create-addr -T static \
-a local=2001:db8::4728:56bc,remote=2001:db8::1428:57ab tun0/alt
# ipadm show-addr tun0/
ADDROBJ    TYPE      STATE ADDR
tun0/v6    addrconf  ok    2001:db8:feed::1234 --> 2001:db8:beef::4321
tun0/alt   static    ok    2001:db8::4728:56bc --> 2001:db8::1428:57ab

How to Configure a 6to4 Tunnel

In 6to4 tunnels, a 6to4 router must act as the IPv6 router to the nodes in the network's 6to4 sites. Thus, when configuring a 6to4 router, that router must also be configured as an IPv6 router on its physical interfaces. For more information about IPv6 routing, see IPv6 Routing.

  1. Create a 6to4 tunnel.
    # dladm create-iptun -T 6to4 -a local=address tunnel-link

    The following options or arguments are available for this command:

    -a local=address

    Specifies the tunnel local address, which must already be existing in the system to be a valid address.

    tunnel-link

    Specifies the IP tunnel link. With support for meaningful names in a network-link administration, tunnel names are no longer restricted to the type of tunnel that you are creating. Instead, a tunnel can be assigned any administratively-chosen name. Tunnel names consist of a string and the PPA number, for example, mytunnel0. For rules governing the assignment of meaningful names, refer to Rules for Valid Link Names in System Administration Guide: Network Interfaces and Network Virtualization.

  2. Create the tunnel IP interface.
    # ipadm create-ip tunnel-interface

    where tunnel-interface uses the same name as the tunnel link.

  3. (Optional) Add alternative IPv6 addresses for the tunnel's use.
  4. Edit the /etc/inet/ndpd.conf file to advertise 6to4 routing by adding the following two lines:
    if subnet-interface AdvSendAdvertisements 1
    IPv6-address subnet-interface

    The first line specifies the subnet that receives the advertisement. The subnet-interface refers to the link to which the subnet is connected. The IPv6 address on the second line must have the 6to4 prefix 2000 that is used for IPv6 addresses in 6to4 tunnels.

    For detailed information about the ndpd.conf file, refer to the ndpd.conf(4) man page.

  5. Enable IPv6 forwarding.
    # ipadm set-prop -p forwarding=on ipv6
  6. Reboot the router.

    Alternatively, you can issue a sighup to the /etc/inet/in.ndpd daemon to begin sending router advertisements. The IPv6 nodes on each subnet to receive the 6to4 prefix now autoconfigure with new 6to4-derived addresses.

  7. Add the new 6to4-derived addresses of the nodes to the name service that is used at the 6to4 site.

    For instructions, go to Configuring Name Service Support for IPv6.

Example 7-4 Creating a 6to4 Tunnel

In this example, the subnet interface is bge0 to which the /etc/inet/ndpd.conf will refer in the appropriate step.

This example shows how to create a 6to4 tunnel. Note that only IPv6 interfaces can be configured over 6to4 tunnels.

# dladm create-iptun -T 6to4 -a local=192.168.35.10 tun0
# ipadm create-ip tun0
# ipadm show-addr
ADDROBJ       TYPE     STATE   ADDR
lo0/v4        static   ok      127.0.0.1/8
bge0/static   static   ok      192.168.35.10/24
lo0/v6        static   ok      ::1/128
tun0/_a       static   ok      2002:c0a8:57bc::1/64

# ipadm create-addr -T static -a 2002:c0a8:230a::2/16 tun0/a2
# ipadm create-addr -T static -a 2002:c0a8:230a::3/16 tun0/a3
# ipadm show-addr tun0/
ADDROBJ       TYPE     STATE   ADDR
lo0/v4        static   ok      127.0.0.1/8
bge0/static   static   ok      192.168.35.10/24
lo0/v6        static   ok      ::1/128
tun0/_a       static   ok      2002:c0a8:57bc::1/64
tun0/a2       static   ok      2002:c0a8:230a::2/16
tun0/a3       static   ok      2002:c0a8:230a::3/16

# vi /etc/inet/ndpd.conf
if bge0 AdvSendAdvertisements 1
2002:c0a8:57bc::1/64 bge0

# ipadm set-prop -p forwarding=on ipv6

Note that for 6to4 tunnels, the prefix for the IPv6 address is 2002. For further explanations, see Prefixes in IPv6.

How to Configure a 6to4 Tunnel to a 6to4 Relay Router


Caution

Caution - Because of major security issues, by default, 6to4 relay router support is disabled in Oracle Solaris. See Security Issues When Tunneling to a 6to4 Relay Router.


Before You Begin

Before you enable a tunnel to a 6to4 relay router, you must have completed the following tasks:

  1. Enable a tunnel to the 6to4 relay router by using either of the following formats:
    • Enable a tunnel to an anycast 6to4 relay router.

      # /usr/sbin/6to4relay -e

      The -e option sets up a tunnel between the 6to4 router and an anycast 6to4 relay router. Anycast 6to4 relay routers have the well-known IPv4 address 192.88.99.1. The anycast relay router that is physically nearest to your site becomes the endpoint for the 6to4 tunnel. This relay router then handles packet forwarding between your 6to4 site and a native IPv6 site.

      For detailed information about anycast 6to4 relay routers, refer to RFC 3068, "An Anycast Prefix for 6to4 Relay Routers".

    • Enable a tunnel to a specific 6to4 relay router.

      # /usr/sbin/6to4relay -e -a relay-router-address

      The -a option indicates that a specific router address is to follow. Replace relay-router-address with the IPv4 address of the specific 6to4 relay router with which you want to enable a tunnel.

    The tunnel to the 6to4 relay router remains active until you remove the 6to4 tunnel pseudo-interface.

  2. Delete the tunnel to the 6to4 relay router, when the tunnel is no longer needed:
    # /usr/sbin/6to4relay -d
  3. (Optional) Make the tunnel to the 6to4 relay router persistent across reboots.

    Your site might have a compelling reason to have the tunnel to the 6to4 relay router reinstated each time the 6to4 router reboots. To support this scenario, you must do the following:

    1. Edit the/etc/default/inetinit file.

      The line that you need to modify is at the end of the file.

    2. Change the “NO” value in the line ACCEPT6TO4RELAY=NO to “YES”.
    3. (Optional) Create a tunnel to a specific 6to4 relay router that persists across reboots.

      For the parameter RELAY6TO4ADDR, change the address 192.88.99.1 to the IPv4 address of the 6to4 relay router that you want to use.

Example 7-5 Getting Status Information About 6to4 Relay Router Support

You can use the /usr/bin/6to4relay command to find out whether support for 6to4 relay routers is enabled. The next example shows the output when support for 6to4 relay routers is disabled, as is the default in Oracle Solaris:

# /usr/sbin/6to4relay
6to4relay: 6to4 Relay Router communication support is disabled.

When support for 6to4 relay routers is enabled, you receive the following output:

# /usr/sbin/6to4relay
6to4relay: 6to4 Relay Router communication support is enabled.
IPv4 remote address of Relay Router=192.88.99.1

How to Modify an IP Tunnel Configuration

Example 7-6 Modifying a Tunnel's Address and Properties

This example consists of two procedures. First, the local and remote addresses of the IPv4 tunnel vpn0 are temporarily changed. When the system is later rebooted, the tunnel reverts to using the original addresses. A second procedure changes the hoplimit of vpn0 to 60.

# dladm modify-iptun -t -a local=10.8.48.149,remote=192.1.2.3 vpn0

# dladm set-linkprop -p hoplimit=60 vpn0

How to Display an IP Tunnel's Configuration

Example 7-7 Displaying Information About All Tunnels

In this example, only one tunnel exists on the system.

# dladm show-iptun
LINK     TYPE     FLAGS     LOCAL          REMOTE
tun0     6to4     --       192.168.35.10   --
vpn0     ipv4     --       10.8.48.149     192.1.2.3

Example 7-8 Displaying Selected Fields in a Machine-Parseable Format

In this example, only specific fields with tunnel information are displayed.

# dladm show-iptun -p -o link,type,local
tun0:6to4:192.168.35.10
vpn0:ipv4:10.8.48.149

How to Display an IP Tunnel's Properties

Example 7-9 Displaying a Tunnel's Properties

This example shows how to display all of a tunnel's link properties.

# dladm show-linkprop tun0
LINK     PROPERTY     PERM     VALUE     DEFAULT     POSSIBLE
tun0     autopush     --       --        --          -- 
tun0     zone         rw       --        --          -- 
tun0     state        r-       up        up          up,down 
tun0     mtu          r-       65515     --          576-65495 
tun0     maxbw        rw       --        --          -- 
tun0     cpus         rw       --        --          -- 
tun0     priority     rw       high      high        low,medium,high 
tun0     hoplimit     rw       64        64          1-255

How to Delete an IP Tunnel

  1. Use the appropriate syntax to unplumb the IP interface that is configured over the tunnel depending on the type of interface.
    # ipadm delete-ip tunnel-link

    Note - To successfully delete a tunnel, no existing IP interface can be plumbed on the tunnel.


  2. Delete the IP tunnel.
    # dladm delete-iptun tunnel-link

    The only option for this command is -t, which causes the tunnel to be deleted temporarily. When you reboot the system, the tunnel is restored.

Example 7-10 Deleting an IPv6 Tunnel That is Configured With an IPv6 Interface

In this example, a persistent tunnel is permanently deleted.

# ipadm delete-ip ip6.tun0
# dladm delete-iptun ip6.tun0