<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Firewall Friendly VPN" />
<meta name="abstract" content="In this scenario, a large insurance company wants to establish a VPN between a gateway in Chicago and a host in Minneapolis when both networks are behind a firewall." />
<meta name="description" content="In this scenario, a large insurance company wants to establish a VPN between a gateway in Chicago and a host in Minneapolis when both networks are behind a firewall." />
<meta name="DC.Relation" scheme="URI" content="rzajascenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpconfigurevpn-b.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpconfiguresystem-e.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpstartconnection.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudptestconnection.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajasecassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpencap.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaupdscenario" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Firewall Friendly VPN</title>
</head>
<body id="rzajaupdscenario"><a name="rzajaupdscenario"><!-- --></a>
<img src="./delta.gif" alt="Start of change" /><!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Firewall Friendly VPN</h1>
<div><p>In this scenario, a large insurance company wants to establish
a VPN between a gateway in Chicago and a host in Minneapolis when both networks
are behind a firewall.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>Suppose
you are a large homeowners insurance company based in Minneapolis and you
have just opened a new branch in Chicago. Your Chicago branch needs to access the
customer database at the Minneapolis headquarters. You want to make sure
the information being transferred is secure because the database contains
confidential information about your customers, such as names, addresses, and
phone numbers. You decide to connect both branches over the Internet using
a Virtual Private Network (VPN). Both branches are behind a firewall and
use Network Address Translation (NAT) to hide their unregistered private
IP addresses behind a set of registered IP addresses. However, VPN connections
have some well-known incompatibilities with NAT. A VPN connection discards
packets sent through a NAT device because NAT changes the IP address in the
packet, thereby invalidating the packet. However, you can still use a VPN
connection with NAT if you implement UDP encapsulation.</p>
<p>In this scenario,
the private IP address from the Chicago network is put in a new IP header
and is translated when the packet goes through Firewall-C (see the following image).
When the packet reaches Firewall-D, the firewall translates the destination
IP address to the IP address of System-E, so the packet is forwarded
to System-E. Finally, when the packet reaches System-E, System-E strips off the UDP
header, leaving the original IPSec packet, which now passes all validations
and allows a secure VPN connection.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, a large insurance company wants to establish a VPN between a gateway
in Chicago (Client) and a host in Minneapolis (Server) when both networks
are behind a firewall.</p>
<p>The objectives of this scenario are as follows:</p>
<ul><li>The Chicago branch gateway always initiates the connection to the Minneapolis
host.</li>
<li>The VPN must protect all data traffic between the Chicago gateway and
the Minneapolis host.</li>
<li>Allow all users in the Chicago gateway to access an <span class="keyword">iSeries™</span> database
located in the Minneapolis network over a VPN connection.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the network characteristics for this scenario:</p>
<br /><img src="rzaja526.gif" longdesc="The image displays the flow of information over a VPN connection from Gateway-B in Chicago to System-E in Minneapolis. Both networks are protected by NATs but the VPN connection works because UDP is implemented. " alt="" /><br /><p><span class="uicontrol">Chicago Network - Client</span></p>
<ul><li><span class="keyword">iSeries</span> Gateway-B runs
on <span class="keyword">i5/OS™</span> Version 5 Release
4 (V5R4)</li>
<li>Gateway-B connects to the internet with IP address 214.72.189.35 and is
the connection end point of the VPN tunnel. Gateway-B performs IKE negotiations
and applies UDP encapsulation to outgoing IP datagrams.</li>
<li>Gateway-B and PC-A are in subnet 10.8.11.0 with mask 255.255.255.0.</li>
<li>PC-A is the source and destination for data that flows through the VPN
connection, therefore it is the data endpoint of the VPN tunnel.</li>
<li>Only Gateway-B can initiate the connection with System-E.</li>
<li>Firewall-C has a Masq NAT rule with the public IP address of 129.42.105.17
that hides the IP address of Gateway-B</li>
</ul>
<p><span class="uicontrol">Minneapolis Network - Server</span></p>
<ul><li><span class="keyword">iSeries</span> System-E runs on <span class="keyword">i5/OS</span> Version 5 Release 4 (V5R4)</li>
<li>System-E has an IP address of 56.172.1.1. </li>
<li>System-E is the responder for this scenario.</li>
<li>Firewall-D has an IP address of 146.210.18.51.</li>
<li>Firewall-D has a Static NAT rule that maps the public IP (146.210.18.15)
to the private IP of System-E (56.172.1.1). Therefore, from the client's perspective,
the IP address of System-E is the public IP address (146.210.18.51) of Firewall-D.
</li>
</ul>
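<p>Added example, not part of the original IBM topic: a simplified Python model of the packet path in this scenario. It shows why a check that covers the IP addresses fails after Firewall-C and Firewall-D rewrite them, while the UDP-encapsulated IPSec packet still validates once System-E strips the UDP header. The key, SPI, ports (4500 and 61000), payload and the RFC 3948 style header layout are assumptions made for the example.</p>

```python
import hashlib
import hmac
import struct

# Addresses come from this scenario; key, SPI, ports and payload are constructed.
GATEWAY_B, FIREWALL_C = "214.72.189.35", "129.42.105.17"
FIREWALL_D, SYSTEM_E = "146.210.18.51", "56.172.1.1"
KEY = b"constructed-demo-key"
NATT_PORT = 4500  # assumption: RFC 3948 style encapsulation, not stated on this page

def icv(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def esp_packet(spi, seq, payload):
    """Simplified ESP: SPI, sequence number, payload, then an ICV over those bytes."""
    body = struct.pack("!II", spi, seq) + payload
    return body + icv(body)

def esp_valid(esp):
    return hmac.compare_digest(icv(esp[:-16]), esp[-16:])

def address_bound_tag(src, dst, esp):
    """Stand-in for any IPSec check that also covers the IP addresses (AH style)."""
    return icv(src.encode() + b"|" + dst.encode() + b"|" + esp)

def udp_encapsulate(esp, sport=NATT_PORT, dport=NATT_PORT):
    # UDP header: source port, destination port, length, checksum sent as zero
    return struct.pack("!HHHH", sport, dport, 8 + len(esp), 0) + esp

def nat(packet, src=None, dst=None, sport=None):
    """Rewrite only what a NAT device touches: outer addresses and UDP source port."""
    out = dict(packet)
    out["src"] = src or out["src"]
    out["dst"] = dst or out["dst"]
    if sport:
        out["udp"] = struct.pack("!H", sport) + out["udp"][2:]
    return out

def walk():
    esp = esp_packet(0x1001, 1, b"constructed database request")
    tag = address_bound_tag(GATEWAY_B, FIREWALL_D, esp)  # computed by Gateway-B
    pkt = {"src": GATEWAY_B, "dst": FIREWALL_D, "udp": udp_encapsulate(esp)}
    pkt = nat(pkt, src=FIREWALL_C, sport=61000)  # Firewall-C masquerade rule
    pkt = nat(pkt, dst=SYSTEM_E)                 # Firewall-D static NAT rule
    inner = pkt["udp"][8:]                       # System-E strips the UDP header
    seen = address_bound_tag(pkt["src"], pkt["dst"], inner)
    return {"arrived": (pkt["src"], pkt["dst"]),
            "address_bound_ok": hmac.compare_digest(tag, seen),
            "encapsulated_esp_ok": esp_valid(inner)}
```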
</div>
<div class="section"><h4 class="sectionscenariobar">Configuration tasks</h4></div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzajaudpplanningworksheets.htm">Complete the planning worksheets</a><br />
</li>
<li class="olchildlink"><a href="rzajaudpconfigurevpn-b.htm">Configure VPN on Gateway-B</a><br />
</li>
<li class="olchildlink"><a href="rzajaudpconfiguresystem-e.htm">Configure VPN on System-E</a><br />
</li>
<li class="olchildlink"><a href="rzajaudpstartconnection.htm">Start Connection</a><br />
</li>
<li class="olchildlink"><a href="rzajaudptestconnection.htm">Test Connection</a><br />
</li>
</ol>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajascenarios.htm" title="Review these scenarios to become familiar with the technical and configuration details involved with each of these basic connection types.">VPN scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajasecassociations.htm" title="A dynamic VPN provides additional security for your communications by using the Internet Key Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the connection to negotiate new keys at specified intervals.">Key management</a></div>
<div><a href="rzajaudpencap.htm" title="UDP encapsulation allows IPSec traffic to pass through a conventional NAT device. Review this topic for more information about what it is and why you should use it for your VPN connections.">NAT compatible IPSec with UDP</a></div>
</div>
</div>
<img src="./deltaend.gif" alt="End of change" /></body>
</html>