Hi, yes, they can. However, you can’t use the same tun device name e.g. tun0 in the GZ and NGZ as tun module is not zone aware. See https://github.com/joyent/smartos-live/issues/626.
Adam

> On Nov 25, 2016, at 8:15 AM, Jim Klimov <[email protected]> wrote:
>
> On November 24, 2016, 23:30:06 CET, [email protected] wrote:
>> Ok, I see.
>> If I follow the SFE way, could I have an issue running OpenVPN server
>> over TUN on GZ and wanting to run Openconnect client over TUN in NGZ?
>> Like the device /dev/tun is both used in GZ and NGZ.
>>
>> Best regards.
>> Ben
>>
>> ----- Original Message -----
>> From: "Thomas Wagner" <[email protected]>
>> To: "Discussion list for OpenIndiana" <[email protected]>
>> Sent: Friday, November 25, 2016 10:16:51
>> Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>
>> For SFE we've solved this by just adding the driver modules to the NGZ
>> as dead files. So there is no install constraint regarding zones-type.
>> That way the IPS dependency just matches in any case.
>>
>> I use a driver match rule in the NGZ to get tun passed through:
>> <device match="/dev/tun"/>
>>
>> Thomas
>>
>> On Thu, Nov 24, 2016 at 09:15:11PM +0100, [email protected] wrote:
>>> By the way, is there a way to install openconnect in a zone?
>>> I can't seem to get it running because tap driver doesn't want to install:
>>>
>>> vpnzone# pkg install openconnect
>>> Creating Plan (Running solver): |
>>> pkg install: No matching version of network/openconnect can be installed:
>>> Reject: pkg://openindiana.org/network/[email protected]:20161119T064832Z
>>> Reason: No version matching 'require' dependency driver/network/tap can be installed
>>> ----------------------------------------
>>> Reject: pkg://openindiana.org/driver/network/[email protected]:20160730T021914Z
>>> Reason: This version is excluded by installed incorporation consolidation/userland/[email protected]
>>> Reject: pkg://openindiana.org/driver/network/[email protected]:20161124T055026Z
>>>         pkg://openindiana.org/driver/network/[email protected]:20161124T172113Z
>>> Reason: Package supports image variant variant.opensolaris.zone=[global] but doesn't support this image's variant.opensolaris.zone (nonglobal)
>>> ----------------------------------------
>>> Reject: pkg://openindiana.org/network/[email protected]:20161119T114634Z
>>> Reason: No version matching 'require' dependency driver/network/tap can be installed
>>>
>>>
>>> Best regards.
>>> Ben
>>>
>>> ----- Original Message -----
>>> From: "Jim Klimov" <[email protected]>
>>> To: "Discussion list for OpenIndiana" <[email protected]>, "Andrey Sokolov" <[email protected]>
>>> Sent: Friday, November 25, 2016 07:07:36
>>> Subject: Re: [OpenIndiana-discuss] Cisco IPSec VPN
>>>
>>> On November 16, 2016, 14:02:44 CET, Andrey Sokolov <[email protected]> wrote:
>>>> Hi!
>>>> I use
>>>> http://pkg.openindiana.org/sfe/info/0/system%2Fnetwork%2Fvpnc%400.5.3%2C5.11-0.151.1.5%3A20120819T093748Z
>>>>
>>>> 2016-11-14 15:35 GMT+03:00 Jim Klimov <[email protected]>:
>>>>
>>>>> Hi all,
>>>>>
>>>>> I am faced with a prospect of connecting to a remote network behind Cisco
>>>>> IPSec VPN (the one with user, password, group and shared keys; will be
>>>>> practically trying sometime soon this week). Should I expect it to work in
>>>>> OI Hipster out of the box? Are there docs/blogs on it, or would Oracle docs
>>>>> I found so far (some hints about conf files and then ipadm tun commands) be
>>>>> relevant here? Or should I try some other OS right away?
>>>>>
>>>>> TIA, Jim
>>>>> --
>>>>> Typos courtesy of K-9 Mail on my Samsung Android
>>>>>
>>>>> _______________________________________________
>>>>> openindiana-discuss mailing list
>>>>> [email protected]
>>>>> https://openindiana.org/mailman/listinfo/openindiana-discuss
>>>
>>> Thanks,
>>>
>>> In the end vpnc did work for me; also I saw that openconnect could
>>> connect to Juniper/Cisco SSL VPNs... so I couldn't resist and now both
>>> are packaged in OI/Hipster userland ;)
>>>
>>> Thanks,
>>> Jim
>>> --
>>> Typos courtesy of K-9 Mail on my Samsung Android
>>
>> --
>> Thomas Wagner
>>
>> ------------------------------------------------------------------------
>> Services for UNIX(TM), Solaris(TM), Linux(TM), Windows(TM),
>> telecommunications, LAN, Internet services, electronics
>> Wagner Network Services, Thomas Wagner
>> Eschenweg 21, 89174 Altheim, Germany
>> TEL: +49-731-9807799, FAX: +49-731-9807711
>> MOBILE/CELL: +49-171-6135989
>> EMAIL: [email protected]
>
> I think this coexistence should not be a problem - several programs can call
> the tun/tap driver interfaces to spawn and tear down virtual tunX or tapY IP
> interfaces. I don't think it matters from which zone the request comes to the
> driver, although with 'match' it may be that all zones will see all such NICs
> (not sure about IP side). So far I used openvpn in either a gz or ngz on a
> single machine, so do not have practice mixing that (would ip stack go crazy
> or not?).
>
> If you can experiment and find this does not blow up to coexist, please write
> ;) PRs also welcome, but at least info from the trenches would be good...
>
> Jim
> --
> Typos courtesy of K-9 Mail on my Samsung Android
