
VPN tunneling with IPSec?

 
Nicolas_17
Frequent Advisor

VPN tunneling with IPSec?

Hello,

I was looking for a way to open a vpn tunnel from an HP-UX machine and I think that IPSec is what I need. Basically, what I need to do is adapt a batch file that runs on a windoze machine to run on one of our unix servers. The batch file does a "rasdial" to a server half-way across the world to exchange a file.
The "rasdial" command looks like this:

rasdial "connection_name" USER PASS

Connection_name is a defined windoze "network place" specifying the ip address of the remote server, to use a pptp tunnel and a certificate, etc...

My question is: can I do that from my unix box, and is IPSec what I need?

Thanks.
15 REPLIES 15
Rick Garland
Honored Contributor

Re: VPN tunneling with IPSec?

I know this can be done from Linux - haven't tried HPUX.

Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

Hi Rick,

Maybe your linux experience can help me. How would you do it?

Thanks,
Rick Garland
Honored Contributor

Re: VPN tunneling with IPSec?

On the internet, there are free programs of the pptp (point-to-point-tunneling-protocol).

I am running with Fedora Core 3.
Had a few rpm binaries I installed with no problems at all.

I did a google search "pptp + linux" and the 1st entry was pptp from sourceforge. All kinds of linux flavors available.

Instructions are available on the site for each flavor offering that is available.
Todd Whitcher
Esteemed Contributor

Re: VPN tunneling with IPSec?

You can download Ipsec for free from www.software.hp.com. It can be configured for host-host vpn.

The manual is online.

http://docs.hp.com/en/J4255-90011/index.html

As far as using rasdial I'm not sure what your options are, Rick had some suggestions for that. Ipsec can set up a secure VPN tunnel for the connection though.

Hope that helps,

Todd
Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

I'm going through the manual now, actually...thing is, I'm not that fluent with the lingo. I'm learning as I go so it's really slow. If any of you guys have a step-by-step how to on configuring a tunnel, it would be very much appreciated.

In fact, do any of you out there use IPSec as a vpn CLIENT?
Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

I'm following the user guide and I don't have the same results at all...

The manual has screenshots of the configuration utility GUI but the GUI I'm getting isn't the same at all. I don't have a bunch of tabs to set up connections like in the manual; instead I have only one: certificates.

Any ideas?
Todd Whitcher
Esteemed Contributor

Re: VPN tunneling with IPSec?

You need to use the manual for version 2.0 of IPsec; the earlier version used a GUI to configure everything. Sorry if I posted the wrong link earlier. The later version uses a configuration file; the GUI is only used to set up Certificate Authorities.

http://www.docs.hp.com/en/J4256-90009/index.html

Use the administrator's guide for 2.0. There are example configurations in the appendix.



Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

Aaah! That's better! Glad to see it's command line, GUIs scare me. I'll give it a shot...thanks a bunch!
Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

Ok, at the risk of turning this into a howto, I need some help with the configuration here...

Topology:

HP-UX host Frodo [1.1.1.1] in the Shire wants to communicate with Windoze Server Bilbo [2.2.2.2] in Rivendell.

Host Frodo has a specific route that sends the traffic destined for Rivendell to the proxy inside the Shire. That's been tested, it's ok.

Setup:

I used this command to create the host:

ipsec_config add host Frodo -source 1.1.1.1 -destination 2.2.2.2 -pri 20 -action ESP_AES128

I used this command to create the tunnel:

ipsec_config add tunnel Rivendell -tsource 1.1.1.1 -tdestination 2.2.2.2 -action ESP_AES128

Questions:

How do I know what kind of encryption Bilbo wants? And what about those certificates? I don't even know where to start. I read somewhere that Windoze uses DES...can't I set up something that tries a bunch of encryptions and eventually gets it right? (I know that sounds weird...but hey, it's worth a shot)

Assuming the connection succeeds, I don't want it open all the time. How can I open and close the tunnel?
Todd Whitcher
Esteemed Contributor

Re: VPN tunneling with IPSec?

Hi Nicolas,

I'm just leaving for the day so I'll have to be short.

You will need to find out what the Windows box has set up by checking the IPsec application on that side; there isn't a command on the HPUX side to check to see how the Windows is set up etc. Most likely you will be using pre-shared keys which you will need to obtain from the admin on the Windows system. If they are using a Certificate Authority there is more work involved and you will have to make sure it's one the HPUX IPSEC product supports.

Keep in mind that for the IPsec tunnel to come up the parameters on both sides have to match exactly.

Here are the general steps for setting this up w/ a VPN PEER:

- Configure the firewall to pass IPsec UDP port 500
- Configure the firewall to pass protocol 50 and 51
- Both sides need to use the same authentication method (pre-shared keys or digital certificates)
- Digital Certificates or Pre-shared keys need to match. (Depends on what you use)
- IKE Main Mode Parameters match
- IKE Security Associates match
- Ipsec Quick Mode SA's match

For ex. if on the HPUX you're using AES-128 and the MS system is using DES the tunnel will fail.

Hope that helps, gotta run for now. I'll check the post in the a.m.
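
The matching rule from the checklist above, as an added example (not part of the post and not HP-UX IPSec code): an IKE initiator may offer several proposals, and a phase succeeds only if the peer accepts one that agrees on every attribute. The field names and both hosts' policies are constructed for illustration, and picking the first match in the initiator's order is a modelling assumption.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Ike:            # IKE Main Mode (phase 1) proposal
    auth: str         # "psk" or "cert"
    enc: str
    hash: str
    dh_group: int

@dataclass(frozen=True)
class Esp:            # Quick Mode (phase 2) proposal, ESP = IP protocol 50
    enc: str
    integ: str

def diff(a, b):
    """Fields on which two proposals disagree: {field: (ours, theirs)}."""
    da, db = asdict(a), asdict(b)
    return {k: (da[k], db[k]) for k in da if da[k] != db[k]}

def negotiate(initiator, responder):
    """Walk both phases; a proposal is usable only if every field matches."""
    chosen = {}
    for phase in ("ike", "ipsec"):
        match = next((p for p in initiator[phase] if p in responder[phase]), None)
        if match is None:
            # Report, per offered proposal, the gap to the closest peer proposal.
            gaps = [min((diff(p, r) for r in responder[phase]), key=len)
                    for p in initiator[phase]]
            return {"ok": False, "failed_phase": phase, "gaps": gaps}
        chosen[phase] = match
    return {"ok": True, **chosen}

# Constructed sample policies (not the real settings of any host in the thread).
BILBO = {"ike": [Ike("psk", "3des", "sha1", 2)],
         "ipsec": [Esp("des", "hmac-md5"), Esp("3des", "hmac-sha1")]}
FRODO_AES_ONLY = {"ike": [Ike("psk", "3des", "sha1", 2)],
                  "ipsec": [Esp("aes128", "hmac-sha1")]}
FRODO_MULTI = {"ike": [Ike("psk", "3des", "sha1", 2)],
               "ipsec": [Esp("aes128", "hmac-sha1"), Esp("3des", "hmac-sha1")]}
FRODO_CERT = {"ike": [Ike("cert", "3des", "sha1", 2)],
              "ipsec": [Esp("3des", "hmac-sha1")]}

if __name__ == "__main__":
    for name, policy in [("aes-only", FRODO_AES_ONLY), ("multi", FRODO_MULTI),
                         ("cert", FRODO_CERT)]:
        print(name, negotiate(policy, BILBO))
```

The `gaps` entry names the exact attribute to raise with the remote admin, which is quicker than reading a failed negotiation out of the IKE logs.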


Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

Thanks Todd,

I'm sure the tunnel is secured by certificates so I'm orienting my search towards that.
I'm meeting the network admin tomorrow a.m. and I'm going to try to figure out if we can isolate the certificate that any normal XP machine in our network uses. Then I'll see if I can import that into my IPSec config.

How does that sound?
Todd Whitcher
Esteemed Contributor

Re: VPN tunneling with IPSec?

A lot of Microsoft systems will use Microsoft Certificate Authorities, which HPUX IPsec currently doesn't support. You may have to use pre-shared keys. The manual talks about support for CA's.

Todd
Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

I see, that's very helpful. It saves me from going crazy over those certificates.
So basically, I need to enable the use of pre-shared keys on the remote side and generate the key-pair locally. Right?
I just hope the admin on the remote side will know what the heck I'm talking about.
Todd Whitcher
Esteemed Contributor

Re: VPN tunneling with IPSec?

Yes, and confirm the options they are using on their side etc. Pre-shared keys are easier to configure.

Todd
Nicolas_17
Frequent Advisor

Re: VPN tunneling with IPSec?

Just noticed I had left this thread open...got it working, thx to all!