topic Re: Don't get SSH VPN Tunneling to work in Operating System - HP-UX

Don't get SSH VPN Tunneling to work

Ralph Grothe — Tue, 16 Jun 2009 07:08:22 GMT

Hi,

as of OpenSSH's 4.3 release the relatively new SSH feature of VPN tunneling should work.

So I downloaded and installed HP's latest Secure Shell (OpenSSH port) for B.11.11 and configured to PermitRootLogins as well as PermitTunnel point-to-point for the SSH server on the HP-UX box which should function as the VPN gateway.

However, when I initiate (so far only manually, when things do work this should be done scripted by RSA authentication) a VPN ssh connection from a Linux SSH client (OpenSSH 4.3) I cannot discover the tun devices, neither on SSH server (HP-UX) nor SSH client (Linux).

Maybe I have missed something?
Has anyone tried the VPN feature with HP's Secure Shell who could give me a hint?

Here's the server side on the HP-UX box:

# uname -srv
HP-UX B.11.11 U

# swlist|grep -i secure\ shell
T1471AA A.05.10.045 HP-UX Secure Shell

# /usr/sbin/sshd -v 2>&1|head -3
sshd: illegal option -- v
OpenSSH_5.1p1+sftpfilecontrol-v1.2-hpn13v5, OpenSSL 0.9.8j 07 Jan 2009
HP-UX Secure Shell-A.05.10.045, HP-UX Secure Shell version

# /usr/sbin/sshd -T|grep -e permitroot -e permittunnel
permitrootlogin yes
permittunnel point-to-point

IP forwarding on the SSH server should also be enabled.

# ndd -h ip_forwarding

ip_forwarding:

Controls how IP hosts forward packets: Set to 0 to inhibit
forwarding; set to 1 to always forward; set to 2 to forward
only if the number of logical interfaces on the system is 2
or more. [0,2] Default: 2

# ndd -get /dev/ip ip_forwarding
2

From the Linux SSH client I issued the following:

# uname -sriv
Linux 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i386

# rpm -q openssh
openssh-4.3p2-16.el5

# ssh -S /var/run/my_%h_tun.sock -fMN -w 0:0 newa
root@newa's password:

# ssh -S /var/run/my_newa_tun.sock -O check newa
Master running (pid=16268)

# ps -fp 16268
UID PID PPID C STIME TTY TIME CMD
root 16268 1 0 09:55 ? 00:00:00 ssh -S /var/run/my_%h_tun.sock -fMN -w 0:0 newa

Now, according to the documentation I read, there should be tun devices be visible and configurable as endpoints for the VPN tunnel on both SSH client and server.

But these don't appear, so that I cannot continue to setup the tunnel.

What went wrong?

No tun device on the Linux SSH client:

# ifconfig -a|grep -c tun
0

None either on the HP-UX SSH server:

# ifconfig tun0
ifconfig: no such interface

# netstat -in|grep -c tun
0

Re: Don't get SSH VPN Tunneling to work

paolo barila — Tue, 22 Dec 2009 09:50:21 GMT

similar problem here

OpenSSH_5.3p1, OpenSSL 0.9.8k 25 Mar 2009

# uname -a
HP-UX epstvm01 B.11.23 U ia64

# ssh -w5:5 0

Tunnel interfaces are not supported on this platform

!!!

Re: Don't get SSH VPN Tunneling to work

mvpel — Tue, 22 Dec 2009 13:26:16 GMT

You guys are using the OpenSSH build, rather than the HP-UX Secure Shell build.

Try uninstalling OpenSSH and installing the T1471AA package - I'm using version A.05.20.013, and A.05.30 is available now.

https://h20392.www2.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=T1471AA

My ssh command doesn't complain about the -w option, though I have Tunnels turned off in the config for security so I can't say for sure if it would actually work if it were enabled.

It may be that whoever built the OpenSSH you're using didn't link it with or enable the tun() pieces.

Re: Don't get SSH VPN Tunneling to work

paolo barila — Tue, 22 Dec 2009 13:30:26 GMT

I tried also with

OpenSSH_5.3p1+sftpfilecontrol-v1.3-hpn13v5, OpenSSL 0.9.8l 5 Nov 2009
HP-UX Secure Shell-A.05.30.008, HP-UX Secure Shell version

but same answer:

# ssh -w5:5 0
Tunnel interfaces are not supported on this platform
Tunnel device open failed.

Re: Don't get SSH VPN Tunneling to work

Laurent Menase — Tue, 22 Dec 2009 13:45:36 GMT

forget it,
tun driver on HPUX is restricted to ppp use only
so ssh will not be able to use tun to open vpn,
the only available vpn on hpux are with ipsec.

Re: Don't get SSH VPN Tunneling to work

mvpel — Tue, 22 Dec 2009 13:45:51 GMT

Nevermind - I misread the post.

Re: Don't get SSH VPN Tunneling to work

paolo barila — Tue, 22 Dec 2009 13:58:23 GMT

Thank you very much Laurent
I can't assign you points, cause is not my question, so I'll open one about vpn

Pablo

Re: Don't get SSH VPN Tunneling to work

Dennis Handly — Tue, 22 Dec 2009 14:41:19 GMT

>Pablo: so I'll open one about VPN

http://forums.itrc.hp.com/service/forums/questionanswer.do?threadId=1395618