MultiNet FAQ: Configuration


I'd like to join two sites with a secure tunnel using MultiNet IPSEC on an AlphaServer at each site.

The Generic Interface (GIF) allows for the creation of Virtual Private Networks (VPNs) by encapsulating the traffic directed to the interface's remote address to within an additional IP header, creating a virtual network. If the traffic over this interface is subject to IPSEC, then the virtual network is private.

Each gif interface has four IP addresses that need to be configured:

  1. The local address for the interface.
  2. The remote (point-to-point peer) address for the interface.
  3. The gateway address for this side of the tunnel.
  4. The gateway address for the remote side of the tunnel.

The gif is configured with the following commands:

    local system:

    $ MULTINET SET/INTERFACE/CREATE GIFn                     ! n is the unit number
    $ MULTINET SET/INTERFACE GIFn/PROTOCOL=IP/ADDRESS=A.B.C.D/POINT_TO_POINT=E.F.G.H
    $ MULTINET SET/ROUTE/ADD=(DESTINATION=A.B.C.D,GATEWAY=127.0.0.1)
    $ MULTINET SET/ROUTE/ADD=(DESTINATION=E.F.G.H,GATEWAY=A.B.C.D)
    $ MULTINET SET/INTERFACE GIFn/TUNNEL=(DESTINATION=I.J.K.L,GATEWAY=M.N.O.P)

    remote system:

    $ MULTINET SET/INTERFACE/CREATE GIFn                     ! n is the unit number
    $ MULTINET SET/INTERFACE GIFn/PROTOCOL=IP/ADDRESS=E.F.G.H/POINT_TO_POINT=A.B.C.D
    $ MULTINET SET/ROUTE/ADD=(DESTINATION=E.F.G.H,GATEWAY=127.0.0.1)
    $ MULTINET SET/ROUTE/ADD=(DESTINATION=A.B.C.D,GATEWAY=E.F.G.H)
    $ MULTINET SET/INTERFACE GIFn/TUNNEL=(DESTINATION=M.N.O.P,GATEWAY=I.J.K.L)

M.N.O.P is a public IP address (interface) on the local system. I.J.K.L is a public IP address (interface) on the remote system. A.B.C.D is the private network address on the local system. E.F.G.H is the private network address on the remote system. Routing can be set up to pass traffic for other systems through the tunnel. A command procedure could be written to create the tunnel and be used on each side with some minor exchanging of parameters. IPSEC traffic could be statically configured, or managed with the RACOON IPSEC daemon.

To get rid of the tunnel:

$ MULTINET SET/INTERFACE/DELETE GIFn                         ! deletes the tunnel and the interface
$ MULTINET SET/ROUTE/DELETE=(DESTINATION=A.B.C.D,GATEWAY=127.0.0.1)
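The command procedure suggested above, written out as an added example; it is not part of the original FAQ and not MultiNet's own code. The file name MAKE_GIF_TUNNEL.COM and the parameter order are assumptions. One file serves both ends of the tunnel (the remote system runs it with the private and public addresses exchanged), and an optional sixth parameter DELETE runs the teardown commands just given. It does not configure IPSEC: until an IPSEC policy covers the tunnel traffic, whether static or via RACOON, the gif carries encapsulated but unencrypted IP.

```dcl
$! MAKE_GIF_TUNNEL.COM  (hypothetical name; added example, not MultiNet's own code)
$!
$! P1 = gif unit number n             (creates or deletes GIFn)
$! P2 = private address, this side    (A.B.C.D in the FAQ)
$! P3 = private address, remote side  (E.F.G.H)
$! P4 = public address, this side     (M.N.O.P)
$! P5 = public address, remote side   (I.J.K.L)
$! P6 = "DELETE" to tear the tunnel down instead of creating it
$!
$! Run the same file on the remote system with P2<->P3 and P4<->P5
$! exchanged.  IPSEC is NOT configured here: until an IPSEC policy
$! covers this traffic, the gif carries unencrypted encapsulated IP.
$!
$ ON ERROR THEN GOTO FAILED
$ IF P1 .EQS. "" .OR. P2 .EQS. "" .OR. P3 .EQS. "" .OR. -
     P4 .EQS. "" .OR. P5 .EQS. "" THEN GOTO USAGE
$ UNIT = "GIF" + P1
$ IF P6 .EQS. "DELETE" THEN GOTO DELETE_TUNNEL
$!
$! Create the interface, assign the private point-to-point addresses,
$! route the local private address via loopback and the remote private
$! address via the local one, then bind the tunnel to the public endpoints.
$ MULTINET SET/INTERFACE/CREATE 'UNIT'
$ MULTINET SET/INTERFACE 'UNIT'/PROTOCOL=IP/ADDRESS='P2'/POINT_TO_POINT='P3'
$ MULTINET SET/ROUTE/ADD=(DESTINATION='P2',GATEWAY=127.0.0.1)
$ MULTINET SET/ROUTE/ADD=(DESTINATION='P3',GATEWAY='P2')
$ MULTINET SET/INTERFACE 'UNIT'/TUNNEL=(DESTINATION='P5',GATEWAY='P4')
$ WRITE SYS$OUTPUT "Tunnel ''UNIT': ''P2' <-> ''P3' via ''P4' -> ''P5' created"
$ EXIT 1
$!
$ DELETE_TUNNEL:
$! Same two commands as the FAQ's teardown: interface+tunnel, then the loopback route.
$ MULTINET SET/INTERFACE/DELETE 'UNIT'
$ MULTINET SET/ROUTE/DELETE=(DESTINATION='P2',GATEWAY=127.0.0.1)
$ WRITE SYS$OUTPUT "Tunnel ''UNIT' deleted"
$ EXIT 1
$!
$ USAGE:
$ WRITE SYS$OUTPUT "Usage: @MAKE_GIF_TUNNEL n local_priv remote_priv local_pub remote_pub [DELETE]"
$ EXIT 2
$!
$ FAILED:
$! A MultiNet command returned an error; a half-built GIFn may be left behind.
$ WRITE SYS$OUTPUT "Tunnel setup failed; rerun with P6=DELETE to remove a partially created ''UNIT'"
$ EXIT 4
```

On the local system this is invoked as @MAKE_GIF_TUNNEL 0 A.B.C.D E.F.G.H M.N.O.P I.J.K.L, and on the remote system as @MAKE_GIF_TUNNEL 0 E.F.G.H A.B.C.D I.J.K.L M.N.O.P; ON ERROR stops the procedure at the first failing command instead of continuing to bind a tunnel to an interface that was never created.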

The VPN encapsulates IPv4 traffic within another IPv4 packet (RFC 1853, RFC 2003).

This VPN is not compatible with Microsoft VPN, which uses either PPTP (Microsoft proprietary) or L2TP/IPSec (RFC 2661).


How do I use MultiNet on another node in the cluster that it was not previously installed on?

1. Set your default to the architecture-specific common directory, device:[MULTINET.arch_COMMON.MULTINET], where:

  • device is the device that MultiNet was installed on (likely the common system disk).
  • arch is the architecture (either VAX or AXP).

2. Run configure.com, which creates the system-specific directories and logical names and prompts you for information such as the IP address and subnet mask of the system.

3. Start MultiNet (provided you have not had another TCP/IP stack running on this system):

$ @SYS$SYSDEVICE:[MULTINET.nodename.MULTINET]START_MULTINET.COM

4. Place this line in the system startup file so MultiNet will start after a system reboot.

In order to run MultiNet on an additional node in a cluster, you will need another license. Contact the Process Software sales department for more information.


How can I verify that my new service is installed?

The entry in the HOSTS.LOCAL file does not define a service for the MultiNet server process to listen for; it just associates a port number with a service name. This allows programs to use the getservbyname() call to look up the port number for a given service name. To configure the MultiNet server process to listen on a certain port and run a specific program when a request comes in, you have to add the service in MULTINET CONFIGURE/SERVER. For example, to add a service called WATER listening on port 8675 you would do the following:

$ MULTINET CONFIGURE/SERVER
MultiNet Server Configuration Utility 
[Reading in configuration from MULTINET:SERVICES.MASTER_SERVER]

SERVER-CONFIG> ADD WATER
[Adding new configuration entry for service "WATER"]

Protocol: [TCP] 
TCP Port number: 8675
Program to run: SYS$MANAGER:LOGIN.COM

[Added service WATER to configuration]
[Selected service is now WATER]

SERVER-CONFIG> RESTART
Configuration modified, do you want to save it first ? [YES] Enter

[Writing configuration to MULTINET_COMMON_ROOT:[MULTINET]SERVICES.MASTER_SERVER]
%RUN-S-PROC_ID, identification of created process is 0000011D

SERVER-CONFIG> SHOW WATER/FULL

Service "WATER":
        TCP socket (AF_INET,SOCK_STREAM), Port 8675
        Socket Options = SO_KEEPALIVE
        INIT() = TCP_Init
        LISTEN() = TCP_Listen
        CONNECTED() = TCP_Connected
        SERVICE() = Run_Program
        Program = "SYS$MANAGER:LOGIN.COM"

Note that if the service is a UCX-compatible service, you also need to do a SET FLAGS UCX_SERVER for it in SERVER-CONFIG.


Can I change MultiNet's IP address without rebooting the system?

Yes, the IP address of an interface can be changed without rebooting, although any existing connections on that interface will be lost.

First make the appropriate changes in NET-CONFIG, then do the following:

$ MULTINET SET/INTERFACE/DOWN SE0  (or whatever interface you are changing)
$ MULTINET SET/INTERFACE SE0/ADDRESS=new_ip_address/PROTOCOL=IP/VMS_DEVICE=vms_network_device/LINK_LEVEL=ETHERNET/IP_SUBNET=subnet_mask

To find the exact command for your system:

$ SEARCH/WINDOW MULTINET:START_MULTINET.COM SE0

Do I need to add the loopback network when I define the trusted local networks?

Yes, if you define the trusted local networks using the SET LOCAL-NETWORKS command, you must explicitly add the loopback network 127.0.0.0/255.0.0.0. It is not included in your trusted local networks (TLN) automatically.


I would like to shorten the amount of time a connection is attempted before it is timed out and an error is returned. Can this be done in MultiNet?

This is controlled by the TCP_CONNINIT kernel parameter, which is expressed in 0.5-second units. TCP_CONNINIT defaults to 150, so by default initial TCP connection attempts time out after about 75 seconds.

To adjust the initial connection attempt timeout,

$ MULTINET SET/KERNEL TCP_CONNINIT newvalue 

Add this command to the multinet:local_initialization.com file to have it executed each time MultiNet starts.


How do I get the outbound IP to look like the cluster alias IP so the NAT works properly?

You cannot have outbound connections use the cluster alias IP address. This is one of the reasons why it is suggested that it only be used for connectionless protocols (such as NFS) for automatic failover.