<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure VPN on iSeries-A" />
<meta name="DC.Relation" scheme="URI" content="rzajaremoteuser.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaconfigureapppconnection.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaconfigurevpnoniseriesa3" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure VPN on iSeries-A</title>
</head>
<body id="rzajaconfigurevpnoniseriesa3"><a name="rzajaconfigurevpnoniseriesa3"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure VPN on iSeries-A</h1>
<div><div class="section"><p>Follow these steps to configure VPN on iSeries-A:</p>
</div>
<ol><li><span><span class="uicontrol">Configure the Internet Key Exchange policy</span></span><ol type="a"><li class="substepexpand"><span>In <span class="keyword">iSeries™ Navigator</span>, expand <span class="menucascade"><span class="uicontrol">iSeries-A</span> > <span class="uicontrol">Network</span> > <span class="uicontrol">IP Policies</span> > <span class="uicontrol">Virtual Private Networking</span> > <span class="uicontrol">IP Security Policies</span></span>.</span> </li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">Internet Key Exchange Policies</span> and select <span class="uicontrol">New Internet Key Exchange Policy</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Remote Server</span> page, select <span class="uicontrol">Version 4 IP address</span> as the identifier type and then enter <samp class="codeph">205.13.237.6</samp> in the <span class="uicontrol">IP address</span> field.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Associations</span> page, select <span class="uicontrol">Preshared key</span> to indicate that this connection uses a preshared key to authenticate this policy.</span></li>
<li class="substepexpand"><span>Enter the preshared key in the <span class="uicontrol">Key</span> field. Treat your preshared key like a password.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Key Identifier</span> for the local key server identifier type, and then enter the key identifier in the <span class="uicontrol">Identifier</span> field. For example, <samp class="codeph">thisisthekeyid</samp>. Remember that the local key server has a dynamically assigned IP address that cannot be known in advance. iSeries-B uses this identifier to identify iSeries-A when iSeries-A initiates a connection.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Transforms</span> page, click <span class="uicontrol">Add</span> to add the transforms that iSeries-A proposes to iSeries-B for key protection and to specify whether the IKE policy uses identity protection when initiating phase 1 negotiations.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">IKE Policy Transform</span> page, select <span class="uicontrol">Preshared key</span> for your authentication method, <span class="uicontrol">SHA</span> for your hash algorithm, and <span class="uicontrol">3DES-CBC</span> for your encryption algorithm. Accept the default values for Diffie-Hellman group and Expire IKE keys after.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to return to the <span class="uicontrol">Transforms</span> page.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">IKE aggressive mode negotiation (no identity protection)</span>.</span> <div class="note"><span class="notetitle">Note:</span> If you use preshared keys and aggressive mode negotiation together in your configuration, choose preshared keys that are unlikely to be cracked by a dictionary attack: because aggressive mode does not protect the identity exchange, an eavesdropper can test candidate keys offline against a captured negotiation. It is also recommended that you change your preshared keys periodically.</div>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to save your configurations.</span></li>
</ol>
</li>
<li><span><span class="uicontrol">Configure the data policy</span></span><ol type="a"><li class="substepexpand"><span>From the VPN interface, right-click <span class="uicontrol">Data policies</span> and select <span class="uicontrol">New Data Policy</span>.</span> </li>
<li class="substepexpand"><span>On the <span class="uicontrol">General</span> page, specify the name of the data policy. For example, <samp class="codeph">l2tpremoteuser</samp>.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Proposals</span> page. A proposal is a collection of protocols that the initiating and responding key servers use to establish a dynamic connection between two endpoints. You can use a single data policy in several connection objects. However, not all remote VPN key servers necessarily have the same data policy properties. Therefore, you can add several proposals to one data policy. When establishing a VPN connection to a remote key server, there must be at least one matching proposal in the data policy of the initiator and the responder.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Add</span> to add a data policy transform.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Transport</span> for the encapsulation mode.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to return to the <span class="uicontrol">Transforms</span> page.</span></li>
<li class="substepexpand"><span>Specify a key expiration value.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to save your new data policy.</span></li>
</ol>
</li>
<li><span><span class="uicontrol">Configure the dynamic-key group</span></span><ol type="a"><li class="substepexpand"><span>From the VPN interface, expand <span class="uicontrol">Secure Connections</span>.</span> </li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">By Group</span> and select <span class="uicontrol">New Dynamic-Key Group</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">General</span> page, specify a name for the group. For example, <samp class="codeph">l2tptocorp</samp>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Protects a locally initiated L2TP tunnel</span>.</span></li>
<li class="substepexpand"><span>For system role, select <span class="uicontrol">Both systems are hosts</span>.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Policy</span> page. Select the data policy you created in the step <span class="uicontrol">Configure the data policy</span>, <samp class="codeph">l2tpremoteuser</samp>, from the <span class="uicontrol">Data policy</span> drop-down list.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Local system initiates connection</span> to indicate that only iSeries-A can initiate connections with iSeries-B.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Connections</span> page. Select <span class="uicontrol">Generate the following policy filter rule for this group</span>. Click <span class="uicontrol">Edit</span> to define the parameters of the policy filter.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Policy Filter - Local Addresses</span> page, select <span class="uicontrol">Key Identifier</span> for the identifier type.</span></li>
<li class="substepexpand"><span>For the identifier, select the key identifier, <samp class="codeph">thisisthekeyid</samp>, that you defined in the IKE policy.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Policy Filter - Remote Addresses</span> page. Select <span class="uicontrol">IP version 4 address</span> from the <span class="uicontrol">Identifier type</span> drop-down list.</span></li>
<li class="substepexpand"><span>Enter <samp class="codeph">205.13.237.6</samp> in the <span class="uicontrol">Identifier</span> field.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Policy Filter - Services</span> page. Enter <samp class="codeph">1701</samp> in the <span class="uicontrol">Local Port</span> and <span class="uicontrol">Remote Port</span> fields. Port 1701 is the well-known port for L2TP.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">UDP</span> from the <span class="uicontrol">Protocol</span> drop-down list.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to return to the <span class="uicontrol">Connections</span> page.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Interfaces</span> page. Select any line or PPP profile to which this group will apply. You have not created the PPP profile for this group yet. After you do so, you will need to edit the properties of this group so that the group applies to the PPP profile you create in the next step.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to create the dynamic-key group, <samp class="codeph">l2tptocorp</samp>.</span></li>
</ol>
</li>
<li><span><span class="uicontrol">Configure the dynamic-key connection</span></span><ol type="a"><li class="substepexpand"><span>From the VPN interface, expand <span class="uicontrol">By Group</span>. This displays a list of all dynamic-key groups you have configured on iSeries-A.</span> </li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">l2tptocorp</span> and select <span class="uicontrol">New Dynamic-Key Connection</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">General</span> page, specify an optional description for the connection.</span></li>
<li class="substepexpand"><span>For the remote key server, select <span class="uicontrol">Version 4 IP address</span> for the identifier type.</span></li>
<li class="substepexpand"><span>Select <samp class="codeph">205.13.237.6</samp> from the <span class="uicontrol">IP address</span> drop-down list.</span></li>
<li class="substepexpand"><span>Deselect <span class="uicontrol">Start on-demand</span>.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Local Addresses</span> page. Select <span class="uicontrol">Key identifier</span> for the identifier type and then select <samp class="codeph">thisisthekeyid</samp> from the <span class="uicontrol">Identifier</span> drop-down list.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Remote Addresses</span> page. Select <span class="uicontrol">IP version 4 address</span> for the identifier type.</span></li>
<li class="substepexpand"><span>Enter <samp class="codeph">205.13.237.6</samp> in the <span class="uicontrol">Identifier</span> field.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Services</span> page. Enter <samp class="codeph">1701</samp> in the <span class="uicontrol">Local Port</span> and <span class="uicontrol">Remote Port</span> fields. Port 1701 is the well-known port for L2TP.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">UDP</span> from the <span class="uicontrol">Protocol</span> drop-down list.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to create the dynamic-key connection.</span></li>
</ol>
</li>
</ol>
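<p>The note in step 1 warns that a preshared key used with aggressive mode is exposed to dictionary attacks and should be changed periodically. The Python script below is an added illustration, not code from the IBM Information Center or from the iSeries Navigator product: it shows the checks an administrator can run before typing a value into the <span class="uicontrol">Key</span> field (an entropy and dictionary check on a candidate key, plus a rotation-age check) and generates a fresh key from the operating system's random source. The entropy model, the 128-bit threshold, the 90-day rotation period and the tiny word list are assumptions made for the example.</p>

```python
"""Preshared key hygiene for an IKE policy that uses aggressive mode.

Added example (not code from the IBM Information Center): it estimates how
resistant a candidate preshared key is to dictionary and brute-force guessing,
flags keys that are due for rotation, and generates a replacement key from the
operating system's CSPRNG. The entropy model, the 128-bit threshold, the
90-day rotation period and the tiny word list are assumptions made here.
"""
import math
import secrets
import string
from datetime import date, timedelta
from typing import List

# Constructed stand-in for a cracking dictionary; a real check would load a
# full word list. The page's sample key identifier is included deliberately,
# because an identifier is public and must never double as the key.
COMMON_WORDS = {"password", "secret", "vpnkey", "letmein", "thisisthekeyid"}

# Character classes an attacker must cover when brute-forcing a key that
# uses them; the estimate assumes characters are drawn uniformly from the
# union of the classes present, so it is an upper bound.
_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def estimate_entropy_bits(key: str) -> float:
    """Upper-bound entropy in bits for a key of this length and character mix."""
    alphabet = sum(len(cls) for cls in _CLASSES if any(ch in cls for ch in key))
    if alphabet == 0:
        return 0.0
    return len(key) * math.log2(alphabet)


def psk_problems(key: str, min_bits: float = 128.0) -> List[str]:
    """Return the reasons a preshared key is weak; an empty list means acceptable."""
    if not key:
        return ["empty key"]
    problems = []
    lowered = key.lower()
    if lowered in COMMON_WORDS:
        problems.append("key is a dictionary word")
    # Strip digits and punctuation so that "password1!" is still caught.
    core = "".join(ch for ch in lowered if ch.isalpha())
    if core != lowered and core in COMMON_WORDS:
        problems.append("key is a decorated dictionary word")
    if estimate_entropy_bits(key) < min_bits:
        problems.append("estimated entropy below %d bits" % min_bits)
    return problems


def needs_rotation(last_changed: str, today: str, max_age_days: int = 90) -> bool:
    """True when the key has been in service for max_age_days or longer (ISO dates)."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= timedelta(days=max_age_days)


def generate_psk(nbytes: int = 32) -> str:
    """Random preshared key with nbytes of entropy, as URL-safe base64 text."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    for candidate in ("thisisthekeyid", "password1!", generate_psk()):
        verdict = psk_problems(candidate) or ["acceptable"]
        print("%-45s %5.0f bits  %s" % (candidate,
                                        estimate_entropy_bits(candidate),
                                        "; ".join(verdict)))
    # Constructed dates: a key set on 1 January and checked on 1 June is overdue.
    print("rotation due:", needs_rotation("2006-01-01", "2006-06-01"))
```

<p>The entropy figure is an upper bound, which is why the dictionary checks run first: a long key built from a common word scores well on length but is exactly what a dictionary attack tries first. The same key must be entered on iSeries-B, so whatever you generate has to reach the other key server over a channel you trust.</p>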
</div>
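<p>Steps 2 through 4 rely on two matching rules that the Navigator dialogs leave implicit: the policy filter of the dynamic-key group decides which traffic the connection protects, and the initiator's data policy must share at least one proposal with the responder's. The Python model below is an added example, not IBM code. Transport mode, UDP port 1701, the key identifier <samp class="codeph">thisisthekeyid</samp> and the remote address <samp class="codeph">205.13.237.6</samp> come from the page; the record layout, the constructed packets, the local address 10.1.1.5 and the sample proposal lists (including the algorithms in them) are assumptions.</p>

```python
"""Added example (not IBM code) modelling two decisions this page configures:
the policy filter of the dynamic-key group selects the traffic the connection
must protect, and the data policy's proposals must contain at least one that
the remote key server also accepts. Record layout, sample packets, the local
address and the proposal lists are assumptions; the page itself fixes only
transport mode, UDP port 1701, the key identifier and the remote address.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class PolicyFilter:
    """Policy filter rule as entered on the dynamic-key group pages."""
    local_id: str       # key identifier, because the local address is dynamic
    remote_addr: str    # IP version 4 address of the remote key server
    protocol: str
    local_port: int
    remote_port: int


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Proposal:
    """One entry on a data policy's Proposals page."""
    encapsulation: str      # "transport" or "tunnel"
    encryption: str
    authentication: str
    key_expire_minutes: int


def filter_matches(rule: PolicyFilter, pkt: Packet,
                   identity_addrs: Dict[str, Set[str]]) -> bool:
    """True when pkt is traffic the rule says must be protected.

    A key identifier resolves to whatever addresses the local key server
    currently holds; that indirection is how the rule copes with a
    dynamically assigned address.
    """
    local_addrs = identity_addrs.get(rule.local_id, {rule.local_id})
    return (pkt.src in local_addrs
            and pkt.dst == rule.remote_addr
            and pkt.protocol == rule.protocol
            and pkt.sport == rule.local_port
            and pkt.dport == rule.remote_port)


def first_matching_proposal(initiator: List[Proposal],
                            responder: List[Proposal]) -> Optional[Proposal]:
    """Walk the initiator's proposals in preference order and return the
    first one the responder also offers, keeping the shorter key lifetime.

    Simplification: algorithms and encapsulation mode must agree exactly,
    and the lifetime is taken as the minimum; real IKE lifetime handling
    is more involved than that.
    """
    for ours in initiator:
        for theirs in responder:
            if (ours.encapsulation, ours.encryption, ours.authentication) == \
               (theirs.encapsulation, theirs.encryption, theirs.authentication):
                return Proposal(ours.encapsulation, ours.encryption,
                                ours.authentication,
                                min(ours.key_expire_minutes,
                                    theirs.key_expire_minutes))
    return None


# --- constructed sample data ---------------------------------------------
# The rule generated for group l2tptocorp, as entered in steps 3i to 3n.
L2TP_RULE = PolicyFilter("thisisthekeyid", "205.13.237.6", "udp", 1701, 1701)

# Address iSeries-A happens to hold at the moment (constructed).
IDENTITIES = {"thisisthekeyid": {"10.1.1.5"}}

SAMPLE_PACKETS = {
    "l2tp":  Packet("10.1.1.5", "205.13.237.6", "udp", 1701, 1701),
    "dns":   Packet("10.1.1.5", "205.13.237.6", "udp", 53, 53),
    "other": Packet("10.1.1.5", "198.51.100.9", "udp", 1701, 1701),
}

# Constructed data policies: iSeries-A's l2tpremoteuser and a responder
# policy whose first proposal uses tunnel mode and therefore cannot match.
ISERIES_A_POLICY = [
    Proposal("transport", "3des-cbc", "hmac-sha1", 60),
    Proposal("transport", "aes-cbc", "hmac-sha1", 60),
]
ISERIES_B_POLICY = [
    Proposal("tunnel", "3des-cbc", "hmac-sha1", 30),
    Proposal("transport", "aes-cbc", "hmac-sha1", 30),
]


def protected_packets() -> List[str]:
    """Names of the sample packets that the L2TP rule selects for protection."""
    return [name for name, pkt in SAMPLE_PACKETS.items()
            if filter_matches(L2TP_RULE, pkt, IDENTITIES)]


if __name__ == "__main__":
    print("protected:", protected_packets())
    print("negotiated:", first_matching_proposal(ISERIES_A_POLICY, ISERIES_B_POLICY))
```

<p>Running the model shows only the L2TP packet being selected (DNS to the same peer and L2TP to another address fall outside the rule), and the negotiated proposal is the second one on each side with the 30-minute lifetime. If the responder offered only its tunnel-mode proposal, no proposal would match and the dynamic-key connection would not come up, which is the failure the step-2 text about adding several proposals is meant to avoid.</p>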
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajaremoteuser.htm" title="In this scenario, you learn how to setup a connection between a branch office host and a corporate office that uses L2TP protected by IPSec. The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address.">Scenario: Protect an L2TP voluntary tunnel with IPSec</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzajaconfigureapppconnection.htm">Configure a PPP connection profile and virtual line on iSeries-A</a></div>
</div>
</div>
</body>
</html>