SSH Tunnel

InfiNet devices allow to create up to 16 independent L2 tunnels over SSH. The tap interface can have an IP address, can be used for routing and be a part of a switch group. In addition, the tap interface can be used as the parent for the vlan, lag and prf interfaces and be used as part of the MINT network.

SSH Tunnel between two InfiNet devices

To configure first device that performs the server function, create the "tap0" interface and assign the "192.168.1.1/24" IP address to it. Set the "ssh_tun" login and "$ecRet" password for the created interface. Set the size of the SSH server internal reception window, for maximum performance the "-window" parameter on both tunnel sides should be set to 128000 or more. Set the duration of the session activity check to 30 seconds. Enable SSH daemon.

 ifc tap0 192.168.1.1/24 up
 sshd tunnel add ssh_tun $ecRet tap0
 sshd -window=128000 -keepalive=30
 sshd start

Configure the second device same way, create the "tap0" interface and assign the "192.168.1.2/24" IP address to it. Set the parameters of internal window, check duration and server interface value, if "tap0" interface was created on server, "-remote-if=0" command should be used. Login and password must match those on the remote side. Optionally, we can specify the encryption algorithm, the key exchange algorithm and other tunnel parameters. A list of supported algorithms is displayed by the command: "sshtun tap0 -algo-list", where "kex" - SSH key exchange algorithms, "hostkey" - authentication, "cipher" - data coding, "hash" - data verification and "compress" - data compression. Enable SSH daemon. In order to enable SSH tunnel, enter the "sshtun start" command.

 ifc tap0  192.168.1.2/24 up
 sshtun tap0 -window=128000 -keepalive=30 -remote-if=0
 sshtun tap0 ssh_tun:$ecRet@192.168.1.1 start
 sshtun tap0 -cipher-algos=aes256-cbc -kex-algos=diffie-hellman-group1-sha1 -hostkey-algos=ssh-rsa  -hash-algos=hmac-sha1 -comp-algos=none
 sshd start
 sshtun start

• At opposite ends of the tunnel is possible to configure IP addresses from different subnets on tap interfaces (for example 192.168.1.1/24 and 192.168.100.1/24). However, this configuration requires static routes on the both sides configured by the command:

route add <net>/<mask> <local_interface_ip_address> -iface

When adding a route with the address of the local interface as a gateway and the "-iface" option, packets will be sent through this interface (in our case tap0).

• To configure an SSH tunnel using a port other than "22".

On the server:

Add the "sshd -port" command with port value in range 1...32767.

sshd -port 32000

On the client:

To the command specifying the server address, login and password, add the port number.

sshtun tap0 ssh_tun:$ecRet@10.10.10.1:32000

• Between two devices more than one SSH tunnel can be configured. To do this, create additional tap-interfaces.

ifc tap0 192.168.1.1/24 up
sshd tunnel add ssh_tun $ecRet tap0
sshd -window=128000 -keepalive=30
sshd start
ifc tap1 192.168.100.1/24 up
sshd tunnel add ssh_tun $ecRet tap1
sshd -window=128000 -keepalive=30
sshd start

ifc tap0  192.168.1.2/24 up
sshtun tap0 -window=128000 -keepalive=30 -remote-if=0
sshtun tap0 ssh_tun:$ecRet@192.168.1.1 start
sshd start
sshtun start
ifc tap1  192.168.100.2/24 up
sshtun tap1 -window=128000 -keepalive=30 -remote-if=1
sshtun tap1 ssh_tun:$ecRet@192.168.100.1 start
sshtun start

SSH Tunnel between the InfiNet device and client running openssh

InfiNet device is configured as described above.

ifc tap0 10.10.20.1/24 up
sshd tunnel add TEST QQTEST tap0
sshd start

In this example, the client device is a server with Debian OS. Install the uml-utilities package on the client device first.

tunctl
ifconfig tap0 up
ifconfig tap0 10.10.20.2/24
ssh -N –o Tunnel=Ethernet –w 0:0 TEST@10.10.20.1

After that the system will request a password and a tunnel for data transmission will be established. To make the tunnel run in the background, use the command:

ssh -fN –o Tunnel=Ethernet –w 0:0 TEST@10.10.20.1