Setting up a Hillstone VPN on Linux typically involves using IPsec (IKEv1/IKEv2) or SSL VPN (if supported by your Hillstone firewall). Below are general steps for configuring a VPN connection to a Hillstone firewall from a Linux system.
- IPsec VPN (more common for site-to-site or client-to-site): uses strongSwan, Libreswan, or Openswan on Linux.
- SSL VPN (if Hillstone supports it): may require a client like OpenConnect or stunnel.
Configure IPsec VPN (Using strongSwan)
If your Hillstone firewall uses IPsec (IKEv1/IKEv2), follow these steps:
Install strongSwan
sudo apt update && sudo apt install strongswan   # Debian/Ubuntu
sudo dnf install strongswan                       # Fedora/RHEL
Edit IPsec Configuration
Open /etc/ipsec.conf and add:
conn hillstone-vpn
    authby=secret
    auto=start
    ike=aes256-sha1-modp1024
    esp=aes256-sha1
    # or keyexchange=ikev2 (check the Hillstone config)
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=HILLSTONE_PUBLIC_IP
    rightsubnet=REMOTE_SUBNET
    type=tunnel
    aggressive=no
Edit Secrets File (/etc/ipsec.secrets)
YOUR_LINUX_IP HILLSTONE_PUBLIC_IP : PSK "PRE_SHARED_KEY"
Start IPsec
sudo systemctl restart strongswan
sudo ipsec up hillstone-vpn
Check status:
sudo ipsec status
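The steps above amount to two files and a permission rule, so here is an added example (not from the original answer, and not Hillstone's or strongSwan's code) that renders the connection block into a scratch directory and runs the two checks worth doing before copying anything to /etc: that the ike= and esp= proposals contain no deprecated primitives (the aes256-sha1-modp1024 proposal shown above uses SHA-1 and DH group 2, which are no longer recommended; the script renders aes256-sha256-modp2048 beside it as the hardened alternative), and that ipsec.secrets, which holds the PSK, is not readable by other users. Note also that strongSwan rejects an ipsec.conf whose parameter lines under conn are not indented. The peer address 203.0.113.10, subnet 10.0.0.0/24, local address 192.0.2.5 and the PSK are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original answer: render the strongSwan
# connection from the steps above into a scratch directory and check it
# before anything is copied to /etc.  Addresses and the PSK are
# constructed placeholders (RFC 5737 documentation ranges).

# Print any deprecated primitives found in an ike=/esp= proposal string
# and return 1; return 0 when the proposal is clean.
# strongSwan separates algorithms with '-' and alternative proposals with ','.
check_proposal() {
    weak=""
    for token in $(printf '%s' "$1" | sed 's/[-,]/ /g'); do
        case "$token" in
            modp768|modp1024|sha1|md5|3des|des|null) weak="$weak $token" ;;
        esac
    done
    if [ -n "$weak" ]; then
        printf 'weak algorithms:%s\n' "$weak"
        return 1
    fi
    return 0
}

# Write ipsec.conf and ipsec.secrets for one connection into directory $1.
# Parameter lines under "conn" must be indented, or strongSwan rejects the file.
# ipsec.secrets holds the PSK, so it is created with mode 0600.
write_config() {
    dir="$1" peer="$2" subnet="$3" local_ip="$4" psk="$5" ike="$6" esp="$7"
    mkdir -p "$dir"
    cat > "$dir/ipsec.conf" <<EOF
conn hillstone-vpn
    authby=secret
    auto=start
    ike=$ike
    esp=$esp
    keyexchange=ikev1
    left=%defaultroute
    leftsubnet=0.0.0.0/0
    right=$peer
    rightsubnet=$subnet
    type=tunnel
    aggressive=no
EOF
    ( umask 077; printf '%s %s : PSK "%s"\n' "$local_ip" "$peer" "$psk" > "$dir/ipsec.secrets" )
}

# Return 0 only if the file has no group/other permission bits (ls -l columns 5-10).
secrets_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Stand-alone demonstration: the proposal from the answer beside a hardened one.
demo_dir=$(mktemp -d)
for ike in aes256-sha1-modp1024 aes256-sha256-modp2048; do
    printf '%s: ' "$ike"
    check_proposal "$ike" && echo ok
done
write_config "$demo_dir/as-written" 203.0.113.10 10.0.0.0/24 192.0.2.5 PLACEHOLDER_PSK \
    aes256-sha1-modp1024 aes256-sha1
write_config "$demo_dir/hardened"   203.0.113.10 10.0.0.0/24 192.0.2.5 PLACEHOLDER_PSK \
    aes256-sha256-modp2048 aes256-sha256
secrets_private "$demo_dir/hardened/ipsec.secrets" && echo "ipsec.secrets is private"
```

Run it as an unprivileged user; it never touches /etc. Once the proposal check is clean and the Hillstone side has been set to the same algorithms, copy the two rendered files into /etc, keep ipsec.secrets owned by root with mode 0600, and restart strongSwan as in the steps above.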
SSL VPN (If Supported)
If Hillstone supports SSL VPN, try using openconnect:
Install OpenConnect
sudo apt install openconnect   # Debian/Ubuntu
sudo dnf install openconnect   # Fedora/RHEL
Connect to VPN
sudo openconnect --protocol=anyconnect HILLSTONE_PUBLIC_IP
(Follow prompts for username/password.)
Troubleshooting
- Check firewall rules (allow UDP 500, 4500 for IPsec).
- Verify that the PSK and encryption settings match the Hillstone config.
- Use tcpdump to debug: sudo tcpdump -i eth0 udp port 500 or port 4500
Hillstone Firewall Side
Ensure the Hillstone firewall is configured to:
- Allow IKE/IPsec or SSL VPN.
- Match encryption settings (AES, SHA, DH group).
- Assign IP pool for clients.
Let me know if you need help with specific Hillstone models or advanced configurations!
