Operating System - HP-UX

Re: IPSec between HPUX and Solaris?

 
Danny Webster
Advisor

IPSec between HPUX and Solaris?

Hi,

Has anyone managed to get manual-keyed IPSec working between HPUX and Solaris {8|9} ?

I get the usual timeout / broken policy symptoms, although I'm sure they're ok.

For testing purposes, I will be using ESP only, with CBC-DES. Got my SA pair sorted for both boxes, and my policy seems to be sound, as between each other (solaris-solaris / hpux-hpux / service level policy on ftp/21) all work fine.

Had a stab at it, but on HPUX it seems that you are unable to turn off ESP's authentication mechanism (with MD5/SHA1). I suspect this is where Solaris breaks, even though I've tried ESP with auth_algs of md5. (NB: not AH)

I _haven't_ as yet run tracing on either machine's ipsec implementations, but I thought I'd ask anyway, just in case I'm barking up the wrong tree, so apologies if I'm bypassing a FAQ or something.

Cheers

dan.



feck
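
Added example, not part of the original thread and not code from either vendor: a model of ESP framing showing what a receiver concludes when the two ends of a manual-keyed SA disagree on whether ESP carries an authentication trailer. It assumes DES-CBC (8-byte IV and block) with HMAC-MD5-96 (12-byte ICV); the key, IV, SPI and zero-filled "ciphertext" are constructed placeholders, the function names are hypothetical, and no real encryption is performed.

```python
import hashlib
import hmac
import struct

BLOCK = 8               # DES-CBC block and IV size in bytes
ICV_LEN = 12            # HMAC-MD5-96: digest truncated to 96 bits
KEY = bytes(range(16))  # constructed 128-bit authentication key
IV = bytes(range(8))    # constructed IV
BODY = bytes(24)        # constructed stand-in for three ciphertext blocks

def icv(key, data):
    """Truncated HMAC-MD5 over SPI, sequence number, IV and ciphertext."""
    return hmac.new(key, data, hashlib.md5).digest()[:ICV_LEN]

def build_esp(spi, seq, auth_key=None):
    """Frame an ESP packet; append an ICV only if the sender's SA has auth."""
    pkt = struct.pack("!II", spi, seq) + IV + BODY
    return pkt + icv(auth_key, pkt) if auth_key else pkt

def receive(pkt, auth_key=None):
    """Return the verdict of a receiver whose SA has (or lacks) ESP auth."""
    if auth_key:
        if len(pkt) < 8 + BLOCK + BLOCK + ICV_LEN:
            return "drop: too short"
        # Receiver treats the last 12 bytes as the ICV and verifies first.
        if not hmac.compare_digest(pkt[-ICV_LEN:], icv(auth_key, pkt[:-ICV_LEN])):
            return "drop: ICV check failed"
        pkt = pkt[:-ICV_LEN]
    # What is left after SPI, sequence number and IV must be whole blocks.
    if len(pkt[8 + BLOCK:]) % BLOCK:
        return "drop: ciphertext not a multiple of the block size"
    return "accept"

def mismatch_matrix():
    """Verdict for every sender/receiver combination of auth settings."""
    out = {}
    for s_name, s_key in (("auth", KEY), ("no-auth", None)):
        for r_name, r_key in (("auth", KEY), ("no-auth", None)):
            out[(s_name, r_name)] = receive(build_esp(0x1000, 1, s_key), r_key)
    return out

if __name__ == "__main__":
    for (s, r), verdict in mismatch_matrix().items():
        print(f"sender {s:7} -> receiver {r:7}: {verdict}")
```

Because each direction of a manual-keyed tunnel is a separate SA, a disagreement of this kind can affect one direction while the other still passes traffic.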
Steven E. Protter
Exalted Contributor

Re: IPSec between HPUX and Solaris?

I am not certain you have identified the problem.

HP-UX can, with enhanced logging (inetd -l), log all connection attempts. This might get you diagnostics.

With the ssh -v command you can get some pretty verbose diagnostic information on both ends of the connection which would lead to a detailed itrc post or perhaps a software trouble call to HP or Sun.

Since IPSec is standards based, I'd say what you are trying should be possible, though difficult.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Danny Webster
Advisor

Re: IPSec between HPUX and Solaris?


Hey there,

Thanks for your response - Sorry for the somewhat diluted post; I was more wondering if someone had actually successfully got HPUX - Solaris IPSec working at all.

I agree that it should be possible, IPSec being a standard, but I guess I'm at the mercy of the quirks between different implementations..?

I'll have a proper stab at it and get some detailed content together if I still have trouble.

thanks

dan.


feck
Steven E. Protter
Exalted Contributor

Re: IPSec between HPUX and Solaris?

I think gathering information with the techniques I've posted will help. Then I or others will be able to provide detailed assistance.

I have not done that because I don't have access to a Sun box, nor am I well trained on that OS.

SEP
Hathairath Duanglaykha
Occasional Advisor

Re: IPSec between HPUX and Solaris?

As far as I know, HP-UX cannot use a static encryption key, but Solaris can. So if you would like to set up IPSec between an HP box and a Sun box, you need to configure IKE on Solaris. IKE is bundled with Solaris 9; on Solaris 8 you have to install SunScreen and then configure an IKE preshared key. IKE makes Solaris use a dynamic encryption key. I have tested between HP-UX 11i and Solaris 9, and it is working properly. For more detailed configuration, let me know. I will send you my configuration files.
Danny Webster
Advisor

Re: IPSec between HPUX and Solaris?

Hi there,

HP-UX can actually do "static" keying (I assume you mean manual) with the new ipsec_config command.

However, I will try the ike daemons on both respective boxen.

If you could send me any config files for a comparison/guide, then that'd be fantastic!

Cheers

dan.
feck
Danny Webster
Advisor

Re: IPSec between HPUX and Solaris?

Hi Hathairath,

If you wouldn't mind sending me your config files, that'd be grand. Not having the best of luck even with IKE now. :-(

If you could also send some beer, that'd help with my frustration!

Cheers

D
feck
Lee Hundley
Valued Contributor

Re: IPSec between HPUX and Solaris?

It's entirely possible, but difficult. I've had manual keying working between a FreeBSD and Solaris 9 machine in the past. If I can track down the Solaris config file, which is on a CD somewhere around here, I'll post it.
It is my firm belief that it is a mistake to hold any firm beliefs
Danny Webster
Advisor

Re: IPSec between HPUX and Solaris?

Hi Lee,

I've had FreeBSD and just about everything else working with IPSEC, but I used Racoon for IKE. (Have you used it? It's ace). If you could post your ipsecinit.conf that would be cool. Thanks!

I did actually get my setup (HP-UX <-> Solaris) working unidirectional with ESP, (from the HP -> Solaris:21), but not in the other direction.

I did even try in.iked on Solaris and ipsec_config add auth on HPUX for ISAKMP, but that didn't work either. I think this type of configuration is fraught with peril due to vendor quirks and differences, but I'm not giving up just yet. Not that I'm trying it every day or anything, only when I have a spare moment.

Cheers for all your help

dan.


feck