<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Firewall Friendly VPN" />
<meta name="abstract" content="In this scenario, a large insurance company wants to establish a VPN between a gateway in Chicago and a host in Minneapolis when both networks are behind a firewall." />
<meta name="description" content="In this scenario, a large insurance company wants to establish a VPN between a gateway in Chicago and a host in Minneapolis when both networks are behind a firewall." />
<meta name="DC.Relation" scheme="URI" content="rzajascenarios.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpplanningworksheets.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpconfigurevpn-b.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpconfiguresystem-e.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpstartconnection.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudptestconnection.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajasecassociations.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaudpencap.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaupdscenario" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Firewall Friendly VPN</title>
</head>
<body id="rzajaupdscenario"><a name="rzajaupdscenario"><!-- --></a>
<img src="./delta.gif" alt="Start of change" /><!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Firewall Friendly VPN</h1>
<div><p>In this scenario, a large insurance company wants to establish
a VPN between a gateway in Chicago and a host in Minneapolis when both networks
are behind a firewall.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>Suppose
you are a large homeowner's insurance company based in Minneapolis and you
just opened a new branch in Chicago. Your Chicago branch needs to access the
customer database at the Minneapolis headquarters. You want to make sure
the information being transferred is secure because the database contains
confidential information about your customers, such as names, addresses, and
phone numbers. You decide to connect both branches over the internet using
a Virtual Private Network (VPN). Both branches are behind a firewall and are
using Network Address Translation (NAT) to hide their unregistered private
IP addresses behind a set of registered IP addresses. However, VPN connections
have some well-known incompatibilities with NAT. A VPN connection discards
packets that have passed through a NAT device because NAT changes the IP address in the
packet, thereby invalidating the packet. However, you can still use a VPN
connection with NAT if you implement UDP encapsulation.</p>
<p>In this scenario,
the packet carrying the private IP address from the Chicago network is wrapped in a new IP header
and UDP header, and the outer address is translated when the packet goes through Firewall-C (see the following image).
Then, when the packet reaches Firewall-D, that firewall translates the destination
IP address to the IP address of System-E, so the packet is forwarded
to System-E. Finally, when the packet reaches System-E, System-E strips off the UDP
header, leaving the original IPSec packet, which now passes all validations
and allows a secure VPN connection.</p>
</div>
<div class="section"><h4 class="sectionscenariobar">Objectives</h4><p>In this
scenario, a large insurance company wants to establish a VPN between a gateway
in Chicago (Client) and a host in Minneapolis (Server) when both networks
are behind a firewall.</p>
<p>The objectives of this scenario are as follows:</p>
<ul><li>The Chicago branch gateway always initiates the connection to the Minneapolis
host.</li>
<li>The VPN must protect all data traffic between the Chicago gateway and
the Minneapolis host.</li>
<li>Allow all users behind the Chicago gateway to access an <span class="keyword">iSeries™</span> database
located in the Minneapolis network over a VPN connection.</li>
</ul>
</div>
<div class="section"><h4 class="sectionscenariobar">Details</h4><p>The following
figure illustrates the network characteristics for this scenario:</p>
<br /><img src="rzaja526.gif" longdesc="The image displays the flow of information over a VPN connection from Gateway-B in Chicago to System-E in Minneapolis. Both networks are protected by NAT devices, but the VPN connection works because UDP encapsulation is implemented." alt="" /><br /><p><span class="uicontrol">Chicago Network - Client</span></p>
<ul><li><span class="keyword">iSeries</span> Gateway-B runs
on <span class="keyword">i5/OS™</span> Version 5 Release
4 (V5R4)</li>
<li>Gateway-B connects to the internet with IP address 214.72.189.35 and is
the connection end point of the VPN tunnel. Gateway-B performs IKE negotiations
and applies UDP encapsulation to outgoing IP datagrams.</li>
<li>Gateway-B and PC-A are in subnet 10.8.11.0 with mask 255.255.255.0</li>
<li>PC-A is the source and destination for data that flows through the VPN
connection, therefore it is the data endpoint of the VPN tunnel.</li>
<li>Only Gateway-B can initiate the connection with System-E.</li>
<li>Firewall-C has a Masq NAT rule with the public IP address of 129.42.105.17
that hides the IP address of Gateway-B.</li>
</ul>
<p><span class="uicontrol">Minneapolis Network - Server</span></p>
<ul><li><span class="keyword">iSeries</span> System-E runs on <span class="keyword">i5/OS</span> Version 5 Release 4 (V5R4)</li>
<li>System-E has an IP address of 56.172.1.1.</li>
<li>System-E is the responder for this scenario.</li>
<li>Firewall-D has an IP address of 146.210.18.51.</li>
<li>Firewall-D has a Static NAT rule that maps the public IP (146.210.18.15)
to the private IP of System-E (56.172.1.1). Therefore, from the client's perspective
the IP address of System-E is the public IP address (146.210.18.51) of Firewall-D.
</li>
</ul>
</div>
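<p>The packet flow described in the Situation and Details sections, as an added example that is not part of the original IBM topic: a Python model in which Gateway-B wraps ESP in UDP/4500, Firewall-C's masquerade NAT and Firewall-D's static NAT rewrite the outer addresses, and System-E strips the UDP header and verifies the ESP integrity check, which never covers the outer IP header. The ICV computation, the SA key, the translated port 40001 and the responder's peer-address check are simplified constructed stand-ins; the page gives both 146.210.18.15 and 146.210.18.51 for Firewall-D, and this example assumes .51.</p>

```python
import hmac, hashlib
from dataclasses import dataclass
# Scenario addresses; the page lists both .15 and .51 for Firewall-D, .51 is assumed public.
GATEWAY_B, FIREWALL_C_PUBLIC = "214.72.189.35", "129.42.105.17"
FIREWALL_D_PUBLIC, SYSTEM_E = "146.210.18.51", "56.172.1.1"
NAT_T_PORT = 4500                      # UDP port used for ESP-in-UDP (RFC 3948)
SA_KEY = b"constructed-demo-auth-key"  # stands in for the IKE-negotiated ESP auth key

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "ESP" (IP protocol 50, no ports) or "UDP"
    sport: int = 0
    dport: int = 0
    esp: bytes = b""    # SPI | seq | ciphertext | ICV

def esp_build(spi: int, seq: int, ciphertext: bytes) -> bytes:
    body = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + ciphertext
    # The ICV covers only the ESP packet, never the outer IP or UDP header.
    return body + hmac.new(SA_KEY, body, hashlib.sha256).digest()[:16]

def esp_verify(esp: bytes) -> bool:
    return hmac.compare_digest(hmac.new(SA_KEY, esp[:-16], hashlib.sha256).digest()[:16], esp[-16:])

def gateway_b_send(esp: bytes, udp_encap: bool) -> Packet:
    """Gateway-B, the tunnel endpoint, emits raw ESP or wraps it in UDP/4500."""
    proto, port = ("UDP", NAT_T_PORT) if udp_encap else ("ESP", 0)
    return Packet(GATEWAY_B, FIREWALL_D_PUBLIC, proto, port, port, esp)

def firewall_c_masq(p: Packet) -> Packet:
    """Masquerade NAT: source becomes Firewall-C's public address; UDP flows also get a new source port."""
    sport = 40001 if p.proto == "UDP" else 0   # 40001 is a constructed port allocation
    return Packet(FIREWALL_C_PUBLIC, p.dst, p.proto, sport, p.dport, p.esp)

def firewall_d_static(p: Packet) -> Packet:
    """Static NAT: the public destination is translated to System-E's private address."""
    return Packet(p.src, SYSTEM_E, p.proto, p.sport, p.dport, p.esp)

def system_e_receive(p: Packet, ike_peer: str) -> str:
    """Simplified responder: UDP/4500 is decapsulated (p.esp read out) and checked by ICV alone;
    raw ESP is only accepted from the peer address seen during IKE."""
    if p.proto == "ESP" and p.src != ike_peer:
        return f"dropped: ESP from {p.src}, IKE peer is {ike_peer}"
    return "accepted" if esp_verify(p.esp) else "dropped: bad ICV"

def run(udp_encap: bool) -> str:
    esp = esp_build(spi=0x1001, seq=1, ciphertext=b"constructed encrypted DB query")
    p = firewall_d_static(firewall_c_masq(gateway_b_send(esp, udp_encap)))
    return system_e_receive(p, ike_peer=GATEWAY_B)
```

Running <code>run(True)</code> returns "accepted" while <code>run(False)</code> reports the drop, because after Firewall-C the raw ESP packet appears to come from 129.42.105.17 rather than from the Gateway-B address the responder negotiated with.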
<div class="section"><h4 class="sectionscenariobar">Configuration tasks</h4></div>
</div>
<div>
<ol>
<li class="olchildlink"><a href="rzajaudpplanningworksheets.htm">Complete the planning worksheets</a><br />
</li>
<li class="olchildlink"><a href="rzajaudpconfigurevpn-b.htm">Configure VPN on Gateway-B</a><br />
</li>
<li class="olchildlink"><a href="rzajaudpconfiguresystem-e.htm">Configure VPN on System-E</a><br />
</li>
<li class="olchildlink"><a href="rzajaudpstartconnection.htm">Start Connection</a><br />
</li>
<li class="olchildlink"><a href="rzajaudptestconnection.htm">Test Connection</a><br />
</li>
</ol>

<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajascenarios.htm" title="Review these scenarios to become familiar with the technical and configuration details involved with each of these basic connection types.">VPN scenarios</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajasecassociations.htm" title="A dynamic VPN provides additional security for your communications by using the Internet Key Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the connection to negotiate new keys at specified intervals.">Key management</a></div>
<div><a href="rzajaudpencap.htm" title="UDP encapsulation allows IPSec traffic to pass through a conventional NAT device. Review this topic for more information about what it is and why you should use it for your VPN connections.">NAT compatible IPSec with UDP</a></div>
</div>
</div>
<img src="./deltaend.gif" alt="End of change" /></body>
</html>