ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaiy_5.4.0.1/rzajaremoteuser.htm

103 lines
6.9 KiB
HTML
Raw Normal View History

2024-04-02 14:02:31 +00:00
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Scenario: Protect an L2TP voluntary tunnel with IPSec" />
<meta name="abstract" content="In this scenario, you learn how to setup a connection between a branch office host and a corporate office that uses L2TP protected by IPSec. The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address." />
<meta name="description" content="In this scenario, you learn how to setup a connection between a branch office host and a corporate office that uses L2TP protected by IPSec. The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address." />
<meta name="DC.Relation" scheme="URI" content="rzaiyscenarios.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 1998, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaremoteuser" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Scenario: Protect an L2TP voluntary tunnel with IPSec</title>
</head>
<body id="rzajaremoteuser"><a name="rzajaremoteuser"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Scenario: Protect an L2TP voluntary tunnel with IPSec</h1>
<div><p>In this scenario, you learn how to setup a connection between a
branch office host and a corporate office that uses L2TP protected by IPSec.
The branch office has a dynamically assigned IP address, while the corporate
office has a static, globally routable IP address.</p>
<div class="section"><h4 class="sectionscenariobar">Situation</h4><p>Suppose
your company has a small branch office in another state. Throughout any given
workday the branch office may require access to confidential information about
an <span class="keyword">iSeries™</span> system within
your corporate intranet. Your company currently uses an expensive leased line
to provide the branch office access to the corporate network. Although your
company wants to continue providing secure access to your intranet, you ultimately
want to reduce the expense associated with the leased line. This can be done
by creating a Layer 2 Tunnel Protocol (L2TP) voluntary tunnel that extends
your corporate network, such that the branch office appears to be part of
your corporate subnet. VPN protects the data traffic over the L2TP tunnel.</p>
<p>With
an L2TP voluntary tunnel, the remote branch office establishes a tunnel directly
to the L2TP network server (LNS) of the corporate network. The functionality
of the L2TP access concentrator (LAC) resides at the client. The tunnel is
transparent to the remote client's Internet Service Provider (ISP), so the
ISP is not required to support L2TP. If you want to read more about L2TP concepts,
see Layer 2 Tunnel Protocol (L2TP).</p>
<div class="important"><span class="importanttitle">Important:</span> This scenario
shows the security gateways attached directly to the Internet. The absence
of a firewall is intended to simplify the scenario. It does not imply that
the use of a firewall is not necessary. Consider the security risks involved
any time you connect to the Internet.</div>
</div>
<div class="section" id="rzajaremoteuser__remoteuserobjective"><a name="rzajaremoteuser__remoteuserobjective"><!-- --></a><h4 class="sectionscenariobar">Objectives</h4><p>In
this scenario, a branch office system connects to its corporate network through
a gateway system with an L2TP tunnel protected by VPN.</p>
<p>The main objectives
of this scenario are:</p>
<ul><li>The branch office system always initiates the connection to the corporate
office.</li>
<li>The branch office system is the only system at the branch office network
that needs access to the corporate network. In other words, its role is that
of a host, not a gateway, in the branch office network.</li>
<li>The corporate system a host computer in the corporate office network.</li>
</ul>
</div>
<div class="section" id="rzajaremoteuser__remoteuserdetails"><a name="rzajaremoteuser__remoteuserdetails"><!-- --></a><h4 class="sectionscenariobar">Details</h4><p>The
following figure illustrates the network characteristics for this scenario: </p>
<br /><img src="rzaja508.gif" alt="Network diagram depicting this and that" /><br /><p><strong>iSeries-A</strong></p>
<ul><li>Must have access to TCP/IP applications on all systems in the corporate
network.</li>
<li>Receives dynamically assigned IP addresses from its ISP.</li>
<li>Must be configured to provide L2TP support.</li>
</ul>
<p><strong>iSeries-B</strong></p>
<ul><li>Must have access to TCP/IP applications on iSeries-A.</li>
<li>Subnet is 10.6.0.0 with mask 255.255.0.0. This subnet represents the data
endpoint of the VPN tunnel at the corporate site.</li>
<li>Connects to the Internet with IP address 205.13.237.6. This is the connection
endpoint. That is, iSeries-B performs key management and applies IPSec to
incoming and outgoing IP datagrams. iSeries-B connects to its subnet with
IP address 10.6.11.1.</li>
</ul>
<p>In L2TP terms, <var class="varname">iSeries-A</var> acts as the L2TP initiator,
while <var class="varname">iSeries-B</var> acts as the L2TP terminator.</p>
</div>
<div class="section" id="rzajaremoteuser__rzajaconfigtask"><a name="rzajaremoteuser__rzajaconfigtask"><!-- --></a><h4 class="sectionscenariobar">Configuration
tasks</h4><p>Assuming that TCP/IP configuration already exists and works,
you must complete the following tasks: </p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzaiyscenarios.htm" title="The scenarios in this topic help you understand how PPP works, and how you can implement a PPP environment in your network. These scenarios introduce fundamental PPP concepts from which beginners and experienced users can benefit before they proceed to the planning and configuration tasks.">Scenarios</a></div>
</div>
</div>
</body>
</html>