<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Protect an L2TP voluntary tunnel with IPSec" />
<meta name="abstract" content="In this scenario, you learn how to set up a connection between a branch office host and a corporate office that uses L2TP protected by IPSec. The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address." />
<meta name="description" content="In this scenario, you learn how to set up a connection between a branch office host and a corporate office that uses L2TP protected by IPSec. The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address." />
<meta name="DC.Relation" scheme="URI" content="rzaiyscenarios.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaremoteuser" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Protect an L2TP voluntary tunnel with IPSec</title>
</head>
<body id="rzajaremoteuser"><a name="rzajaremoteuser"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Protect an L2TP voluntary tunnel with IPSec</h1>
<div><p>In this scenario, you learn how to set up a connection between a
branch office host and a corporate office that uses L2TP protected by IPSec.
The branch office has a dynamically assigned IP address, while the corporate
office has a static, globally routable IP address.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>Suppose
your company has a small branch office in another state. Throughout any given
workday the branch office may require access to confidential information on
an <span class="keyword">iSeries™</span> system within
your corporate intranet. Your company currently uses an expensive leased line
to provide the branch office access to the corporate network. Although your
company wants to continue providing secure access to your intranet, you ultimately
want to reduce the expense associated with the leased line. You can do this
by creating a Layer 2 Tunnel Protocol (L2TP) voluntary tunnel that extends
your corporate network, such that the branch office appears to be part of
your corporate subnet. L2TP by itself provides no encryption and no per-packet
integrity protection, so VPN (IPSec) protects the data traffic that flows
over the L2TP tunnel.</p>
<p>With an L2TP voluntary tunnel, the remote branch office establishes a tunnel directly
to the L2TP network server (LNS) of the corporate network. The functionality
of the L2TP access concentrator (LAC) resides at the client. The tunnel is
transparent to the remote client's Internet Service Provider (ISP), so the
ISP is not required to support L2TP. If you want to read more about L2TP concepts,
see Layer 2 Tunnel Protocol (L2TP).</p>
<div class="important"><span class="importanttitle">Important:</span> This scenario
shows the security gateways attached directly to the Internet. The absence
of a firewall is intended to simplify the scenario. It does not imply that
a firewall is unnecessary. Consider the security risks involved
any time you connect to the Internet.</div>
</div>
<div class="section" id="rzajaremoteuser__remoteuserobjective"><a name="rzajaremoteuser__remoteuserobjective"><!-- --></a><h4 class="sectionscenariobar">Objectives</h4><p>In
this scenario, a branch office system connects to its corporate network through
a gateway system with an L2TP tunnel protected by VPN.</p>
<p>The main objectives of this scenario are:</p>
<ul><li>The branch office system always initiates the connection to the corporate
office. The corporate office never has to reach out to a branch address, which
matters because that address changes.</li>
<li>The branch office system is the only system at the branch office network
that needs access to the corporate network. In other words, its role is that
of a host, not a gateway, in the branch office network.</li>
<li>The corporate system is a host computer in the corporate office network. The
IPSec connection is therefore host-to-host between the two systems; it is the
L2TP tunnel, not IPSec, that carries the branch traffic on into the corporate subnet.</li>
</ul>
</div>
<div class="section" id="rzajaremoteuser__remoteuserdetails"><a name="rzajaremoteuser__remoteuserdetails"><!-- --></a><h4 class="sectionscenariobar">Details</h4><p>The
following figure illustrates the network characteristics for this scenario: </p>
<br /><img src="rzaja508.gif" alt="Network diagram for this scenario: iSeries-A at the branch office, with a dynamically assigned ISP address, connects across the Internet to iSeries-B at 205.13.237.6, which fronts the corporate subnet 10.6.0.0/16" /><br /><p><strong>iSeries-A</strong></p>
<ul><li>Must have access to TCP/IP applications on all systems in the corporate
network.</li>
<li>Receives dynamically assigned IP addresses from its ISP. The corporate side
therefore cannot identify it by address; peer authentication has to rest on the
IKE identity (pre-shared key or certificate) instead.</li>
<li>Must be configured to provide L2TP support.</li>
</ul>
<p><strong>iSeries-B</strong></p>
<ul><li>Must have access to TCP/IP applications on iSeries-A.</li>
<li>Subnet is 10.6.0.0 with mask 255.255.0.0. This subnet represents the data
endpoint of the VPN tunnel at the corporate site.</li>
<li>Connects to the Internet with IP address 205.13.237.6. This is the connection
endpoint. That is, iSeries-B performs key management (IKE) and applies IPSec to
incoming and outgoing IP datagrams. iSeries-B connects to its subnet with
IP address 10.6.11.1.</li>
</ul>
<p>In L2TP terms, <var class="varname">iSeries-A</var> acts as the L2TP initiator,
while <var class="varname">iSeries-B</var> acts as the L2TP terminator.</p>
</div>
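<p>To make the two relationships in this scenario concrete (the voluntary tunnel that iSeries-A, acting as LAC, opens to the LNS on iSeries-B, and the difference between the connection endpoint 205.13.237.6 and the data endpoint 10.6.0.0/16 in the details above), here is an added example in Python. It is not code from this IBM page or from the iSeries VPN function. It models the security policy each system would apply to UDP port 1701 (L2TP protected by IPSec in transport mode, RFC 3193) and decodes the RFC 2661 L2TP header. The addresses 205.13.237.6 and 10.6.0.0/16 come from the scenario; the branch address 198.51.100.7, the inner addresses 10.6.11.101 and 10.6.12.9, the policy entries and all function names are assumptions made for the example.</p>

```python
import ipaddress
import struct
from collections import namedtuple

L2TP_PORT, IKE_PORT, IPPROTO_UDP = 1701, 500, 17
ANY = ipaddress.ip_network("0.0.0.0/0")
CORP_GATEWAY = ipaddress.ip_network("205.13.237.6/32")  # iSeries-B connection endpoint (page)
CORP_SUBNET = ipaddress.ip_network("10.6.0.0/16")       # corporate data endpoint (page)
BRANCH_ADDR = ipaddress.ip_network("198.51.100.7/32")   # ASSUMED current ISP address of iSeries-A

# Selector: one policy entry (RFC 4301 style traffic selector plus action). A port of None matches
# any port; may_initiate says whether this side may start IKE to satisfy a PROTECT rule.
# Packet: an IP datagram as the policy sees it; esp matters inbound: did it arrive inside ESP?
Selector = namedtuple("Selector", "local remote proto local_port remote_port action may_initiate")
Packet = namedtuple("Packet", "src dst proto sport dport esp", defaults=(False,))

def branch_policy(current_addr):
    """iSeries-A: rebuilt when the ISP address changes; pins the peer to 205.13.237.6 and is
    the only side allowed to initiate (objective 1). IKE itself must bypass IPSec."""
    return [Selector(current_addr, CORP_GATEWAY, IPPROTO_UDP, IKE_PORT, IKE_PORT, "BYPASS", False),
            Selector(current_addr, CORP_GATEWAY, IPPROTO_UDP, L2TP_PORT, L2TP_PORT, "PROTECT", True)]

def corporate_policy():
    """iSeries-B: the branch address is unknown in advance, so the remote selector is a
    wildcard and the peer is authenticated by its IKE identity, never by its address."""
    return [Selector(CORP_GATEWAY, ANY, IPPROTO_UDP, IKE_PORT, IKE_PORT, "BYPASS", False),
            Selector(CORP_GATEWAY, ANY, IPPROTO_UDP, L2TP_PORT, None, "PROTECT", False)]

def decide(policy, pkt, inbound, sa_exists=False):
    """First-match evaluation; returns PROTECT, NEGOTIATE, BYPASS or DISCARD."""
    if inbound:
        local, remote, lport, rport = pkt.dst, pkt.src, pkt.dport, pkt.sport
    else:
        local, remote, lport, rport = pkt.src, pkt.dst, pkt.sport, pkt.dport
    local, remote = ipaddress.ip_address(local), ipaddress.ip_address(remote)
    for sel in policy:
        if not (local in sel.local and remote in sel.remote and pkt.proto == sel.proto
                and sel.local_port in (None, lport) and sel.remote_port in (None, rport)):
            continue
        if sel.action != "PROTECT":
            return sel.action
        if inbound:          # PROTECT traffic arriving in the clear is dropped (RFC 4301 4.4.1)
            return "PROTECT" if pkt.esp else "DISCARD"
        # Outbound: use the SA if there is one, otherwise only an initiator may negotiate one.
        return "PROTECT" if sa_exists else ("NEGOTIATE" if sel.may_initiate else "DISCARD")
    return "DISCARD"         # nothing matched: default deny

def l2tp_header(control, tunnel_id, session_id, ns=0, nr=0, payload_len=0):
    """RFC 2661 L2TPv2 header: control messages set T, L and S and carry Ns/Nr; the minimal
    data header has only flags, tunnel ID and session ID."""
    if control:
        return struct.pack("!HHHHHH", 0xC802, 12 + payload_len, tunnel_id, session_id, ns, nr)
    return struct.pack("!HHH", 0x0002, tunnel_id, session_id)

def parse_l2tp(data):
    """Decode the L2TPv2 header iSeries-B sees once ESP is stripped and UDP 1701 delivers it."""
    (flags,) = struct.unpack_from("!H", data, 0)
    if flags & 0x000F != 2:
        raise ValueError("not an L2TPv2 header")
    off, length, ns, nr = 2, None, None, None
    if flags & 0x4000:                                  # L bit: length field present
        length, off = struct.unpack_from("!H", data, off)[0], off + 2
    (tunnel_id, session_id), off = struct.unpack_from("!HH", data, off), off + 4
    if flags & 0x0800:                                  # S bit: Ns/Nr present
        (ns, nr), off = struct.unpack_from("!HH", data, off), off + 4
    if flags & 0x0200:                                  # O bit: offset size, then padding
        off += 2 + struct.unpack_from("!H", data, off)[0]
    return {"control": bool(flags & 0x8000), "tunnel_id": tunnel_id, "session_id": session_id,
            "length": length, "ns": ns, "nr": nr, "payload": data[off:]}

def inner_destination(ppp):
    """The L2TP data payload is a PPP frame; protocol 0x0021 means the branch host's own IP
    packet follows. Its destination is the data endpoint, which the IPSec selectors never see."""
    if ppp[:2] == b"\xff\x03":                          # optional HDLC address/control bytes
        ppp = ppp[2:]
    proto, ip = (ppp[0], ppp[1:]) if ppp[0] & 1 else (struct.unpack_from("!H", ppp)[0], ppp[2:])
    if proto != 0x0021:
        raise ValueError("PPP payload is not IP")
    return ipaddress.ip_address(ip[16:20])              # IPv4 destination address field

def walkthrough():
    branch, corp = branch_policy(BRANCH_ADDR), corporate_policy()
    sccrq = Packet("198.51.100.7", "205.13.237.6", IPPROTO_UDP, L2TP_PORT, L2TP_PORT)
    ike = Packet("198.51.100.7", "205.13.237.6", IPPROTO_UDP, IKE_PORT, IKE_PORT)
    # ASSUMED inner addresses: 10.6.11.101 given to iSeries-A by PPP, 10.6.12.9 a corporate host.
    # Minimal inner IPv4 header built by hand (no options, checksum left zero in this model).
    inner = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                        ipaddress.ip_address("10.6.11.101").packed, ipaddress.ip_address("10.6.12.9").packed)
    data = l2tp_header(False, 5, 7) + b"\x00\x21" + inner
    return {
        "branch_outbound": decide(branch, sccrq, inbound=False),        # no SA yet: start IKE
        "corp_inbound_ike": decide(corp, ike, inbound=True),            # IKE passes in the clear
        "corp_inbound_esp": decide(corp, sccrq._replace(esp=True), inbound=True),
        "corp_inbound_clear": decide(corp, sccrq, inbound=True),        # plaintext L2TP dropped
        "corp_outbound_no_sa": decide(corp, Packet("205.13.237.6", "198.51.100.7", IPPROTO_UDP,
                                                   L2TP_PORT, L2TP_PORT), inbound=False),
        "sccrq_opens_tunnel": parse_l2tp(l2tp_header(True, 0, 0))["tunnel_id"] == 0,
        "data_endpoint_in_corp_subnet": inner_destination(parse_l2tp(data)["payload"]) in CORP_SUBNET,
    }
```

<p>Call <code>walkthrough()</code> to see the decisions for the first exchange. Two things the model makes visible: an L2TP datagram that reaches 205.13.237.6 outside ESP is discarded by the policy, so L2TP's own tunnel authentication never becomes the only control; and the inner packet's 10.6.x.x addresses are carried by PPP inside the L2TP payload, which is why the corporate subnet is the data endpoint while IPSec only ever sees the outer UDP 1701 traffic between the two systems.</p>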
<div class="section" id="rzajaremoteuser__rzajaconfigtask"><a name="rzajaremoteuser__rzajaconfigtask"><!-- --></a><h4 class="sectionscenariobar">Configuration
tasks</h4><p>Assuming that TCP/IP configuration already exists and works,
you must complete the following tasks: </p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiyscenarios.htm" title="The scenarios in this topic help you understand how PPP works, and how you can implement a PPP environment in your network. These scenarios introduce fundamental PPP concepts from which beginners and experienced users can benefit before they proceed to the planning and configuration tasks.">Scenarios</a></div>
</div>
</div>
</body>
</html>