Overview

If the connection between the Charon-SSP host system (including the configured Charon-SSP guest systems) and the rest of the customer's network runs over a public network, as is the case for Charon-SSP cloud instances, the traffic must be protected against unauthorized access.
The example in this section describes how to configure a bridged (layer-2) SSH-based VPN tunnel between the Charon-SSP cloud host and a remote Linux system across a public network. More complex topologies require other, more sophisticated solutions.

...

  • communication between host and guest system,
  • communication between customer network and guest system.

Prerequisites

The example shows how to use the Charon Manager on the Charon-SSP host and a set of commands on the remote Linux system to create an SSH VPN tunnel. For this configuration to work, the following prerequisites must be met:

  • The remote Linux system must be able to reach the public IP address and the SSH port of the Charon-SSP host.
  • The private key needed to log in to the instance must be available on the remote Linux system (protect it accordingly: whoever holds it can reach the host and the tunneled LAN).
  • The bridge-utils and autossh packages must be installed on the remote Linux system.
Setting up the VPN Tunnel

The image below shows a sample setup. This section describes how to configure this sample setup.

Steps on the Charon-SSP Host System

Creating a VPN Bridge

To configure the SSH VPN connection, you must set up a private VPN bridge (called a virtual network in the Charon context) using the Charon Manager. Use the following steps to perform this task:

...

To learn more about the virtual network configuration options, refer to the section Host System Network Configuration.

Assigning the Guest Ethernet Interface

One of the TAP interfaces created in the step above must be assigned to the Solaris guest system to add it to the LAN that will be tunneled across SSH to the remote Linux system.

...

(info) If the emulated instance is currently running, the guest must be shut down and the emulated instance must be restarted for the change to become active.

Steps on the Remote Linux System

(warning) The steps on the Charon-SSP host must be performed first.

...

  • Enable IP forwarding on the remote Linux system if it is to act as a router between the tunnel connection and
    other systems in the customer network:
    # /sbin/sysctl -w net.ipv4.ip_forward=1
    (to make the setting permanent, add net.ipv4.ip_forward = 1 to /etc/sysctl.conf or to a file in /etc/sysctl.d/)
  • Add static or dynamic routes so that the other systems in the customer network that need to communicate with the Solaris guest system across the VPN reach the tunnel subnet via the remote Linux system.
  • Adapt the firewall on the remote Linux system so that the VPN traffic can pass; restrict forwarding to the tunnel subnet and the customer systems that need it rather than opening the tunnel to the whole network.
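The following script is an added example for the three router-side steps above; it is not part of the Charon-SSP documentation or product. It assumes the tunnel LAN 192.168.0.0/24 (matching the 192.168.0.33/24 guest address used later on this page), the bridge name br_vpn0 from the teardown table, a customer-facing interface named eth0, a customer LAN of 10.0.0.0/8 and nftables as the packet filter; all of these are assumptions and can be overridden through environment variables. The firewall part goes a step beyond the text: instead of merely "allowing the VPN traffic", it installs a default-drop forward chain that only passes traffic between the tunnel LAN and the customer LAN, so the tunnel cannot become a path into anything else the router can reach.

```shell
#!/bin/sh
# Added example; not part of the Charon-SSP documentation or product.
# Router-side configuration for the remote Linux system once the bridged SSH
# tunnel is up: persistent IP forwarding, the route the other customer systems
# need, and a firewall that forwards only tunnel <-> customer-LAN traffic.
# Assumed names (not on the page): bridge br_vpn0 (from the teardown table),
# customer-facing interface eth0, customer LAN 10.0.0.0/8, nftables as the
# packet filter. Override via environment variables.

VPN_SUBNET=${VPN_SUBNET:-192.168.0.0/24}   # tunnel LAN, matches the 192.168.0.33/24 example
VPN_BRIDGE=${VPN_BRIDGE:-br_vpn0}
LAN_IF=${LAN_IF:-eth0}
LAN_SUBNET=${LAN_SUBNET:-10.0.0.0/8}
SYSCTL_FILE=${SYSCTL_FILE:-/etc/sysctl.d/90-charon-vpn.conf}

# Persistent forwarding setting as a drop-in file (equivalent to the
# /etc/sysctl.conf entry the page mentions, but easier to remove again).
render_sysctl_conf() {
    printf 'net.ipv4.ip_forward = 1\n'
}

# Route the other systems in the customer network need so that traffic to the
# Solaris guest goes via this router. $1 is this host's address on the
# customer LAN.
render_peer_route() {
    printf 'ip route add %s via %s\n' "$VPN_SUBNET" "$1"
}

# nftables ruleset: forward only between the tunnel LAN and the customer LAN;
# everything else that tries to cross this router is dropped.
render_nft_ruleset() {
    cat <<EOF
table inet charon_vpn {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$VPN_BRIDGE" oifname "$LAN_IF" ip saddr $VPN_SUBNET ip daddr $LAN_SUBNET accept
        iifname "$LAN_IF" oifname "$VPN_BRIDGE" ip saddr $LAN_SUBNET ip daddr $VPN_SUBNET accept
    }
}
EOF
}

# True when the running kernel already forwards (readable without root).
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Apply everything; needs root and the nft binary.
apply_router_config() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_router_config: run as root" >&2; return 1; }
    render_sysctl_conf > "$SYSCTL_FILE"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    render_nft_ruleset | nft -f -
    forwarding_enabled
}

# "show" prints what would be installed; "apply" installs it.
case "${1:-}" in
    apply) apply_router_config ;;
    show)  render_sysctl_conf; render_nft_ruleset ;;
esac
```

Run it with show first to review the generated configuration, then with apply as root. The route printed by render_peer_route is for the other hosts or routers in the customer network, not for this system, on which the tunnel subnet is directly connected through the bridge.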


Steps on the Solaris Guest System

Set the IP address of the Ethernet interface to an address within the VPN subnet. To follow the example above, you would set it to 192.168.0.33/24. To make the change permanent on Solaris 10 and earlier, change the address in /etc/hosts for the hostname listed in /etc/hostname.<interfacename> (and, if the netmask is not the class default, the entry in /etc/netmasks).
On Solaris 11, use the commands ipadm create-ip netX and ipadm create-addr -T static -a <ip-address>/<prefix-length> netX/v4 (for the example: 192.168.0.33/24).

Stopping the SSH Tunnel

To stop the SSH tunnel, perform the following steps on the remote Linux system:

Action                                       Command
Terminate the autossh process                # kill -9 <autossh-pid>
Terminate remaining SSH tunnel connections   # kill -9 <tunnel-ssh-pid>
Delete the bridge                            # ip link delete br_vpn0
Delete the TAP interface                     # ip link delete tap0

(info) Stop autossh before the ssh process it supervises; otherwise autossh restarts the tunnel as soon as ssh exits. kill -9 bypasses autossh's own signal handling, which is why the ssh child must then be terminated separately; sending SIGTERM instead (kill <autossh-pid>) normally lets autossh end its ssh child itself. Check with ps that no tunnel ssh process remains before deleting the interfaces.
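An added example of the teardown as a script, not part of the Charon-SSP documentation: it follows the order of the table above but sends SIGTERM first and escalates to SIGKILL only when a process ignores the request, and it checks that each process is really gone before deleting the interfaces. It assumes Linux (/proc is used for liveness), the interface names br_vpn0 and tap0 from the table, and that the caller supplies the autossh PID and any remaining tunnel ssh PIDs (for example from a pid file or pgrep); how the tunnel was started is not assumed.

```shell
#!/bin/sh
# Added example; not from the Charon-SSP documentation. Orderly teardown of
# the SSH VPN tunnel on the remote Linux system. Linux-only (/proc).
# Assumed: interface names br_vpn0 and tap0 (from the table on this page);
# PIDs are supplied by the caller.

# Is the process alive and not a zombie? Reads the state field of
# /proc/<pid>/stat, which works for processes this shell did not spawn.
alive() {
    state=$(sed 's/.*) //; s/ .*//' "/proc/$1/stat" 2>/dev/null)
    [ -n "$state" ] && [ "$state" != "Z" ]
}

# stop_gracefully PID [TIMEOUT_SECONDS]: SIGTERM, wait, then SIGKILL.
# Returns 0 when the process is gone, 1 if it could not be signalled or
# survived even SIGKILL.
stop_gracefully() {
    pid=$1; timeout=${2:-10}; waited=0
    alive "$pid" || return 0
    if ! kill -TERM "$pid" 2>/dev/null; then
        alive "$pid" && { echo "stop_gracefully: cannot signal $pid" >&2; return 1; }
        return 0
    fi
    while alive "$pid"; do
        if [ "$waited" -ge "$timeout" ]; then
            kill -KILL "$pid" 2>/dev/null
            sleep 1
            break
        fi
        sleep 1; waited=$((waited + 1))
    done
    ! alive "$pid"
}

# teardown_tunnel AUTOSSH_PID [TUNNEL_SSH_PID...]
# autossh goes first so it cannot respawn ssh; the interfaces are removed
# only once no process is left that could still be using the TAP device.
teardown_tunnel() {
    autossh_pid=$1; shift
    stop_gracefully "$autossh_pid" || return 1
    for p in "$@"; do
        stop_gracefully "$p" || return 1
    done
    [ "$(id -u)" -eq 0 ] || { echo "teardown_tunnel: root needed to delete interfaces" >&2; return 1; }
    ip link set tap0 nomaster 2>/dev/null || true   # detach from the bridge first
    ip link delete br_vpn0
    ip link delete tap0
}

case "${1:-}" in
    teardown) shift; teardown_tunnel "$@" ;;
esac
```

Usage: as root, run the script with teardown <autossh-pid> [<tunnel-ssh-pid> ...]. With SIGTERM delivered to autossh, the ssh PID list is usually empty; passing it anyway is harmless because stop_gracefully returns immediately for a process that has already exited.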

Routing to/from Solaris Guest 

After following the description above, the Solaris guest system can be reached from the systems that are also connected to the virtual bridge (in the example: remote Linux system and host system). To enable the Solaris guest system to communicate with other systems in the customer network (or the Internet) over the VPN connection, perform the following steps:

...

  • on Solaris 10: use the route -p command (stores routes in /etc/inet/static_routes).
  • on older Solaris versions: add the address of the default gateway to /etc/defaultrouter

...

