
Re: VPN on VMS

 
DECxchange
Regular Advisor

VPN on VMS

Hello,
Is it possible to set up a VPN connection directly between two Alphas located at two different sites? Can one of those sites be residential?

I'm using OpenVMS 8.3 on each and running TCP/IP services. I'm also running DECnet Phase V.

Thanks.
20 REPLIES
Jon Pinkley
Honored Contributor
Solution

Re: VPN on VMS

Re: "Is it possible to set up a VPN connection directly between two Alphas located at two different sites?"

It depends on your definition of VPN. You can use SSH but I am not aware of any way to tunnel DECnet phase V through an SSH connection. Perhaps Colin Butcher knows of a method.

According to the OpenVMS roadmaps IPSec is coming, but not for a while (2009). http://h71000.www7.hp.com/openvms/roadmap/openvms_roadmaps.htm?jumpid=/go/openvms/roadmaps

I assume you want the two Alphas to be able to communicate using DECnet Phase V vs. just having a user on one Alpha SSH to the other Alpha over the internet.

Re: "Can one of those sites be residential?"

What is different about residential? Dynamic ip address? ISP filtering? Please explain.

Depending on what your requirements are, SSH may be good enough. If you want LAN to LAN (aka Site to Site) VPN, you should at least consider using dedicated devices for the VPN.

Linksys BEFVP41's are "consumer grade" Routers that act as IPSec VPN endpoints. They work reasonably well. As long as one end has a static IP address, they can maintain a VPN connection, and reestablish a new one even if the dynamic IP address is changed. They have hardware encryption chips so the performance is better than for the cheaper Linksys BEFSX41 that does VPN in software. The BEFVP41 are around $110 each, and you will need one on each end. They have ethernet connections for the WAN and LAN (4-port switch), so you will need something that has ethernet handoff.

A similar device I have never used is the D-Link DI-804HV, which is cheaper than the BEFVP41 and gets better reviews on Amazon than the BEFVP41, but it is a discontinued product.

For more money (around 5 times as much) you can get more flexible devices like the Cisco871-SEC-K9, but setting them up without a static IP at each end is more involved.

Jon
it depends
DECxchange
Regular Advisor

Re: VPN on VMS

Jon,
Great info. Thanks. I have AT&T DSL at home and Cavalier DSL at the shop. DECnet copies would be great but I'll settle for TCP/IP stuff.

I also have a buddy in Sweden. It would be nice to be able to let him login with his VAXstation.

I was going to talk to AT&T about it, but it's kind of painful because they only know about PC stuff.

Thanks again.
Robert Gezelter
Honored Contributor

Re: VPN on VMS

DECxchange,

You should also take a look at the STunnel support. OpenVMS STunnel (available for all three architectures: Itanium, Alpha, and VAX) is described on the HP OpenVMS www site at: http://h71000.www7.hp.com/opensource/opensource.html#stunnel

From the Release Notes (available from the above URL):

"SSL for OpenVMS product is a port of OpenSSL (www.openssl.org) to OpenVMS Alpha & I64. This is a supported layered product that ships with OpenVMS version 7.3-1 or later. The kit also can be downloaded from the HP OpenVMS web site http://h71000.www7.hp.com/openvms/products/ssl/ssl.html)."

- Bob Gezelter, http://www.rlgsc.com
Hein van den Heuvel
Honored Contributor

Re: VPN on VMS

If I read your question correctly, then I'm afraid my answer will not help much.
On the other hand... if you just want 'simple' access to an OpenVMS server at home from the outside, then you may be able to convince your (DSL) router to do the right thing.
When I needed this once, while travelling, I used a port map definition to poke a tiny hole through the firewall into the right local target.
You may also check out the 'DMZ' options on the router. Again, sorry if this is too simplistic, but just in case...

fwiw,
Hein.
Steven Schweda
Honored Contributor

Re: VPN on VMS

Why a VPN? What's wrong with plain old
Telnet, rsh, ssh, and so on?

So far as I know, TCPIP knows nothing about
VPNs, but if you have external gizmos which
provide one, it doesn't need to know anything
about them. One IP router looks the same as
another to it.

> Can one of those sites be residential?

Why should VMS care? antinode.org is
entirely residential, with a DSL connection
through a Cisco 678 DSL modem/router (which
seems to be much more suitable than the junk
which Qwest is offering nowadays).

> I also have a buddy in Sweden. It would be
> nice to be able to let him login with his
> VAXstation.

What stops him now? Your DSL gizmo? (Which
is what, by the way?) If you have a DSL
modem/router, or a DSL modem with a separate
IP router, then you should be able to tell
the (NAT-capable) router to pass FTP (ports
20,21), ssh (port 22), Telnet (port 23),
rexec,rlogin (ports 512,513), X (ports 6000,
6001, ...), and so on to the machine of your
choice. I routinely log into my main Alpha
from other sites, usually by Telnet. (It
also does DNS and SMTP, and the FTP and HTTP
servers.)

> DECnet copies would be great but I'll
> settle for TCP/IP stuff.

I don't use it, but I gather that DECnet Plus
can do DECnet over IP.

It often helps to (define and) state your
actual requirements, rather than ask how to
implement what may be the wrong solution (a
VPN).
M. T. Hollinger
Occasional Advisor

Re: VPN on VMS

Note that IPsec is already available from HP for OpenVMS in early adopter's kit (EAK) form, but not for the VAX platform. SSH is fully supported, including port forwarding, for Alpha and Integrity systems.

Particularly for a home configuration involving an old VAXstation, I'd agree with the other responses that the easiest way to set up a VPN (if you actually need one) would involve consumer-grade router boxes.

- Mark
DECxchange
Regular Advisor

Re: VPN on VMS

Hello,
Thank you for all of your responses, advice, and interest. As Steve pointed out, here is my situation.

At home, I have DSL through AT&T. I have a 2-Wire 2701HG-B Gateway. The 2-wire allows me to implement DMZ for one computer on the inside of its Firewall.

So in order for me to serve web pages with my Alphaserver OpenVMS 8.3 eBusiness web server, I set the DMZ for the Alpha's DHCP assigned (by the 2-Wire) IP address.

This is changing the subject a little, but the trouble is, I'm using dynamic IP addressing. Static would cost me an additional $69/month, in addition to the $24/month just to have DSL. So you can see why I wouldn't buy static!!!!

BTW, so every time the DSL line drops and comes back, the 2-wire assigns a new address to the DMZ computer, which is no longer the Alpha's IP name (e.g., decxchange.com). It assigns DMZ to .2wire.com or something like that.

So to fix this, I need to shut down and restart TCPIP services on the Alpha, reassign DMZ on the 2-wire, then go to AT&T's "Small Business" web site, and reassign address forwarding.

This happens WAY too often, and I just don't have time to babysit it. OK, so that's another issue that needs to be fixed. Back to the subject at hand.

On the other end, a small business in town, they have DSL through a company called Cavalier. It looks like he has just a DSL modem given to him by Cavalier. So I was going to call Cavalier next week and find out how his IP addresses are assigned to his PCs and what kind of firewall (if any?) is in use.

So I wanted to put another one of my Alphas in his business's shop and set up either or both a TCP/IP and DECnet OSI Phase V link between home and his shop. I wanted to setup a web site that Alphas at either location could be a backup to each other.

Now all of your ideas look promising and I'm going to investigate them. I still have a lot to learn at this level of internet setup, as you probably can see.

Thanks for having a constructive conversation with me. Any other useful comments are welcomed.
Andy Bustamante
Honored Contributor

Re: VPN on VMS

You may want to consider a dynamic DNS provider, http://www.dyndns.com. You'd need another system on the internal network to provide the update agent.

Can you configure your DSL unit to forward to the Alphaserver's address? Have you considered using static private addressing in your DMZ? This could allow you to set static rules.


Andy
If you don't have time to do it right, when will you have time to do it over? Reach me at first_name + "." + last_name at sysmanager net
Steven Schweda
Honored Contributor

Re: VPN on VMS

> [...] the Alpha's DHCP assigned (by the
> 2-Wire) IP address.

That would seem to be the first thing to
change. I don't see how NAT will be able to
locate a moving target. Around here, all the
normal systems have static (10.0.0.x) IP
addresses. The Cisco 678 is configured to
offer DHCP (at 10.0.0.224 - .239) for
transient client-only systems who happen to
visit. Anything which wants to be a server
of any sort should have a static address, at
least internally.

> Static would cost me an additional
> $69/month [...]

Do I have the only good ISP in the country?

Having been at 209.98.249.184 for years, I
don't need to worry about it, but I gather
that a dynamic DNS provider can be used to
cope with a changing external address.
Internally, it's up to you to create a stable
environment.

I have a couple of friends with Cable TV or
DSL who have only simple-minded non-routing
Cable or DSL modems, but they also have them
connected to (cheap and nasty) IP routers,
which gives them capabilities similar to
mine.
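
Andy Bustamante's and Steven Schweda's replies both point to a dynamic DNS provider with an update agent on an internal system. The following is an added example, not code from any poster or provider, of the decision logic such an agent runs on each poll: publish only a changed, routable WAN address and stop on a rejected update. The endpoint URL, the `hostname`/`myip` parameters and the return codes (modelled on the common dyndns2 convention) are assumptions, and all addresses in the test are constructed.

```python
import base64
import ipaddress
from urllib.parse import urlencode

UPDATE_URL = "https://ddns.example.invalid/nic/update"  # hypothetical endpoint
# Assumed return codes (dyndns2 convention) that need a human, not a retry.
FATAL = {"badauth", "nohost", "notfqdn", "abuse", "badagent", "numhost"}
# Ranges that must never be published: private, CGNAT, loopback, link-local.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]


def is_publishable(ip):
    """False for addresses that only make sense inside the LAN or the ISP."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_ROUTABLE)


def build_request(hostname, ip, user, password):
    """Return (url, headers) for one update; HTTPS protects the Basic credentials."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    query = urlencode({"hostname": hostname, "myip": ip})
    return f"{UPDATE_URL}?{query}", {"Authorization": f"Basic {token}"}


def next_action(last_sent, observed, reply=None):
    """Decide one polling cycle.

    last_sent: address the provider last accepted (None if never updated)
    observed:  WAN address seen this cycle
    reply:     provider response body, if an update was just sent
    """
    if reply is not None:
        fields = reply.split()
        code = fields[0] if fields else ""
        if code in ("good", "nochg"):
            return "record"       # remember observed as last_sent
        if code in FATAL:
            return "halt"         # repeating a rejected update risks a block
        return "retry_later"      # provider-side trouble or empty reply
    if not is_publishable(observed):
        return "skip"             # e.g. a 10.0.0.x address behind the router
    if observed == last_sent:
        return "skip"             # unchanged address: send nothing
    return "update"
```
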