[NCLUG] HP's vpn from a home network

Bob Proulx bob at proulx.com
Fri Aug 15 21:19:57 MDT 2003


Matt Rosing wrote:
> My wife needs to move onto our home network that connects to a cable
> modem.  Her machine needs to connect, via a vpn, to some other machine
> at HP.  I can ping that machine but the vpn stuff doesn't work.  I'm
> assuming it has something to do with my firewall and I need to open
> some ports up.  Does anyone know which ports are needed?  I'm using
> smoothwall for my firewall and it has a bunch of vpn stuff but I don't
> think that has anything to do with this. Or am I wrong about that, too?

As others noted the firewall needs to allow IP protocol 50 for the
data transmission and UDP port 500, both source and destination, for
the key exchange.  HP and Agilent both use the Nortel Extranet Client
for the VPN solution.  This works (barely) using the UDP timers in
most firewalls.  Your client talks out through the NAT and opens a
circuit which is good for 90 seconds for return traffic.  The other
end responds back through the open circuit.

My Cisco 675 DSL modem handles this fine out of the box.  The linux
2.4.x kernel with netfilter and iptables works fine too.  But the
2.0.x kernel does not handle this case so if you are running the older
kernel you are past due for an upgrade.  I never used the 2.2.x kernel
and have no data there.

Using tcpdump and looking at your logs on your firewall while debugging
this can be informative about what is getting passed through and what
is getting blocked.

<drift>

There are some fundamental design problems with the IPsec based VPNs.
Such as the requirement that port 500 be used for both source and
destination for the key exchange.  That does not work very well with
NAT.  If you have only one machine behind the NAT it can work okay
since you can dedicate a circuit to that machine with port forwarding.
But if you have two people in the same house that need the VPN active
then the two circuits conflict with each other.  If they randomly
exchange keys at different times things work.  If they randomly
exchange keys within the same window of time then one connection
loses and is dropped.  Yes, I am a two VPN household.

The CES from Contivity which HP tried to use initially wanted to
initiate the UDP port 500 key exchange traffic.  But of course all
firewalls would block that unassociated inbound connection.  It was
required to configure a port forward through the NAT to a single host.
But the Bay Networks hardware worked the other way and worked fine.  I
believe they eventually modified the CES firmware to be passive and
have the other end behind the NAT initiate the key exchanges in order
to make this work.  The lesson?  Working through firewalls is very
implementation and configuration dependent.  General statements are
hard to make.

Last time I checked there are 55 RFCs which describe IPsec, most of
which is confusing and conflicting.  With the passing of Jon Postel
the internet RFCs lack cohesion.  So VPN solutions can't be criticized
out of hand for having a hard time making this work.

</drift>

Bob
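The firewall settings described in the reply, as an added example that is not part of the original post or of any product mentioned in it: an iptables script for a Linux 2.4/netfilter NAT box that lets ESP (IP protocol 50) and IKE (UDP 500, source and destination) pass for clients that initiate from the LAN, plus the single-host port forward the <drift> section mentions and the tcpdump filter for debugging. The interface names, the LAN subnet and the forward target are assumptions; DRY_RUN=1 prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the post: IPsec (IKE + ESP) passthrough on a
# Linux 2.4/netfilter NAT firewall.  Names below are assumptions.
WAN="${WAN:-eth0}"                     # assumed: interface toward the cable modem
LAN="${LAN:-eth1}"                     # assumed: interface toward the home LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed: private LAN subnet
DRY_RUN="${DRY_RUN:-1}"                # 1 = print the rules, 0 = apply (needs root)

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Client behind the NAT initiates: let ESP and IKE out, let tracked replies in.
ipsec_passthrough_rules() {
    # ESP carries the data; IKE uses UDP 500 for both source and destination.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p 50 -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -p udp --sport 500 --dport 500 -j ACCEPT
    # Return traffic rides the conntrack entry the client opened; the UDP entry
    # only lives as long as the firewall's UDP timer, as the post describes.
    ipt -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the LAN behind the single public address.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Variant from the <drift> section: when the far end insists on initiating
# the UDP 500 exchange, only one inside host can receive it, via a port forward.
ipsec_single_host_forward() {
    host="$1"   # assumed: the single LAN machine allowed to run the VPN
    ipt -t nat -A PREROUTING -i "$WAN" -p udp --dport 500 -j DNAT --to-destination "$host:500"
    ipt -t nat -A PREROUTING -i "$WAN" -p 50 -j DNAT --to-destination "$host"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$host" -p udp --dport 500 -j ACCEPT
    ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$host" -p 50 -j ACCEPT
}

# Debug aid from the post: capture only IKE and ESP on the WAN side.
ipsec_tcpdump_filter() {
    echo "tcpdump -ni $WAN 'udp port 500 or ip proto 50'"
}
```

Run with DRY_RUN=1 first and compare the printed rules against what `tcpdump` shows being blocked before applying them as root.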


