Operating System - HP-UX

Re: vpn on hpux with ipsec

 
paolo barila
Valued Contributor

vpn on hpux with ipsec

As ssh -w doesn't work on HP-UX like on Linux,
can someone advise how to VPN on HP-UX with IPsec?
Not concerned with security, I need only a vpn a WAN. Will HP Serviceguard work through an IPsec VPN?
Pablo
Laurent Menase
Honored Contributor
Solution

Re: vpn on hpux with ipsec

In fact, the IPsec manual gives a step-by-step configuration, so you just need to follow it.

About MC/SG, I am not sure what you want to do. Do you want to have an IPsec tunnel enabled in a package, using a VIP as the WAN-accessible address?

I never tried.

Laurent Menase
Honored Contributor

Re: vpn on hpux with ipsec

http://docs.hp.com/en/J4256-90015/apg.html
says everything about SG config with ipsec
paolo barila
Valued Contributor

Re: vpn on hpux with ipsec

so can I put in serviceguard cluster
2 nodes on different vlan?
Viktor Balogh
Honored Contributor

Re: vpn on hpux with ipsec

>so can I put in serviceguard cluster 2 nodes on different vlan?

Read the above-mentioned document...

"HP recommends that you have at least one network dedicated to sending and receiving heartbeat messages."

So, to me it means that the nodes can reside on different VLANs as long as they have a common network for heartbeat. At least it's the recommended way. And:

"HP strongly recommends that you do not secure heartbeat messages using IPsec (with AH or ESP). However, if you did configure HP-UX IPSec to secure heartbeat messages, increase the NODE_TIMEOUT parameter value in the cluster configuration to allow time for HP-UX IPSec to establish SAs and authenticate or encrypt the heartbeat messages."
****
Unix operates with beer.
Steven E. Protter
Exalted Contributor

Re: vpn on hpux with ipsec

Shalom,

Metro Service Guard, a very expensive product, will allow you to place nodes in different physical locations and networks.

If these nodes are in a data center, they should be on the same network.

There should be a private heartbeat network between the nodes that does not involve IPsec.

This heartbeat network can be as simple as a cross connect cable between the two network cards.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Viktor Balogh
Honored Contributor

Re: vpn on hpux with ipsec

>This heartbeat network can be as simple as a cross connect cable between the two network cards.

For older versions, RS-232 was also supported for heartbeat. Now it isn't. See:

http://www.docs.hp.com/en/B3936-90140/ch02s02.html

"Serial (RS232) lines are no longer supported for the cluster heartbeat.

Fibre Channel, Token Ring and FDDI networks are no longer supported as heartbeat or data LANs."

****
Unix operates with beer.
OldSchool
Honored Contributor

Re: vpn on hpux with ipsec

As to "As ssh -w doesn't work on HP-UX like on Linux.."

I don't have an HP-UX installation in front of me at the moment, but do you mean the option doesn't function, or that it doesn't work in the same fashion?

I'd think you could build OpenSSH from the source and have a version that does support "-w", although the sshd_config file would need to enable tunnels.
paolo barila
Valued Contributor

Re: vpn on hpux with ipsec