Comment: Small clarifications; show how to disable ipv4 and ipv6 in nmcli


...

  • In this scenario any direct traffic between host and guest system (if configured with a public IP address) and external systems reachable via the Internet gateway is not encrypted by default. If this traffic runs across a public network, it is exposed to being monitored and even modified by third parties. The user is responsible for ensuring data protection conforming to the user's company security rules. It is strongly recommended to use encrypted VPN connections for any sensitive traffic.
  • Guest operating systems are often old and no longer maintained by the original vendor. This means they are more easily compromised by attacks from the Internet. Therefore, direct Internet access for the guest system is not recommended.
  • The actual configuration steps vary depending on the cloud environment used. The sample configuration below will have to be adapted to the specific environment.
  • If you are using the Charon-PAR emulator, it is recommended not to assign the dedicated NIC directly to the emulator, but to use a MACVTAP interface connected to the dedicated NIC instead. Please refer to the Ethernet configuration section of the Charon-PAR user's guide for detailed information. The preparation of the dedicated NIC for use with a MACVTAP interface is the same as described below.

Configuration Examples

Important information:

...

  • The sample configuration assumes a CentOS 7 system and that the interface is configured outside the control of the NetworkManager.
  • Should the NetworkManager be active, the plugin ifcfg-rh must be enabled in section main of the NetworkManager configuration file /etc/NetworkManager/NetworkManager.conf. It enables the NetworkManager to read and write ifcfg-files.
  • After the initial creation of the ifcfg-file, the interface can be managed by the Charon-SSP Manager.
  • For the full feature-set of the file-based network configuration, the network-scripts package is required.

To make the second interface usable for the Charon guest system, perform the following steps:

  1. Add a second interface to your instance as described in the cloud-specific Getting Started guide and your cloud provider's documentation.

  2. Log into the instance and become the root user (use: sudo -i)

  3. Identify the names of the two Ethernet interfaces:
    # ip link show

  4. Create an interface configuration file for the second interface.
    1. A file for the first interface may exist depending on the default of the cloud environment. In this case, you can copy it. Example (use the correct interface name for your configuration):
      # cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth1

    2. If there is no file that can be copied, you must create the ifcfg-file for the new interface manually.

  5. Edit this file to match the characteristics of eth1 (use the correct interface name for your configuration). The private IP address used for this interface will be assigned to the guest system. Therefore, configure the Linux interface without an IP address, similar to the example below.

    BOOTPROTO=none
    DEVICE=eth1
    NAME=eth1
    ONBOOT=yes
    TYPE=Ethernet
    USERCTL=no
    NM_CONTROLLED=no


    Please note:

    On some cloud platforms, the automatic cloud-specific configuration prevents the entries in the ifcfg-file from taking effect (for example on GCP). Please refer to your cloud provider's documentation and the Network Management section in the Getting Started Guide of your version for additional information.

  6. Restart the network:
    # systemctl restart network
    Please note: Should there be an error when executing this command, kill the DHCP client process and retry the command.
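    The following script is an added example, not part of the original article or the Charon documentation: it checks an ifcfg-file against the requirements of step 5 (no address owned by the host, ONBOOT=yes, NM_CONTROLLED=no) and runs the check against two constructed sample files, one matching the example above and one copied from eth0 but left with its IPADDR/PREFIX lines. File names and address values are illustrative.

```shell
#!/bin/sh
# Added example: verify an ifcfg-file is safe for a NIC dedicated to a Charon
# guest. The guest owns the private IP, so the host must not configure one.

# get_val FILE KEY: value of the last KEY= line in FILE, optional quotes stripped
get_val() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'[:space:]]*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# check_dedicated_ifcfg FILE: exit status 0 if the file is acceptable,
# 1 otherwise; every finding is printed.
check_dedicated_ifcfg() {
    f="$1"; rc=0
    [ "$(get_val "$f" BOOTPROTO)" = "none" ]  || { echo "$f: BOOTPROTO must be none"; rc=1; }
    [ "$(get_val "$f" ONBOOT)" = "yes" ]      || { echo "$f: ONBOOT must be yes"; rc=1; }
    [ "$(get_val "$f" NM_CONTROLLED)" = "no" ] || { echo "$f: NM_CONTROLLED must be no"; rc=1; }
    # Any address or routing key means the host would claim the guest's IP
    for key in IPADDR IPADDR0 PREFIX PREFIX0 NETMASK GATEWAY; do
        if grep -q "^[[:space:]]*$key=" "$f"; then
            echo "$f: $key is set; the host must not own an address on this NIC"; rc=1
        fi
    done
    return $rc
}

# Constructed sample files (illustrative, not taken from a real host)
SAMPLE_DIR=$(mktemp -d)
GOOD_IFCFG="$SAMPLE_DIR/ifcfg-eth1"
BAD_IFCFG="$SAMPLE_DIR/ifcfg-eth1-copied"
cat > "$GOOD_IFCFG" <<'EOF'
BOOTPROTO=none
DEVICE=eth1
NAME=eth1
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
NM_CONTROLLED=no
EOF
# Copied from ifcfg-eth0 and only partially edited: still carries the host address
cat > "$BAD_IFCFG" <<'EOF'
BOOTPROTO=none
DEVICE=eth1
ONBOOT=yes
IPADDR=10.0.0.5
PREFIX=24
EOF
check_dedicated_ifcfg "$GOOD_IFCFG" && echo "$GOOD_IFCFG: OK"
check_dedicated_ifcfg "$BAD_IFCFG"  || echo "$BAD_IFCFG: not safe for a dedicated guest NIC"
```

    Run it as root or as any user; it only reads the constructed files, so it can be tried before touching /etc/sysconfig/network-scripts.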




NetworkManager-based Configuration Examples

...

    # nmcli conn mod eth1 ipv4.method "disabled" ipv6.method "disabled"


c) Configure automatic interface activation at boot:

...

    # nmcli conn add con-name eth1 type ethernet ifname eth1 autoconnect yes ipv4.method "disabled" ipv6.method "disabled"


4. (Re-)Activate the connection (this command may time out if IP connection check is enabled):

    # nmcli con up eth1

...