Scenario: Basic branch office connection

In this scenario, your company wants to establish a VPN between the subnets of two remote departments through a pair of iSeries™ computers acting as VPN gateways.

Situation

Suppose your company wants to minimize the costs incurred from communicating to and among its own branches. Today, your company uses frame relay or leased lines, but you want to explore other options for transmitting internal confidential data that are less expensive, more secure, and globally accessible. By exploiting the Internet, you can easily establish a virtual private network (VPN) to meet the needs of your company.

Your company and its branch office both require VPN protection across the Internet, but not within their respective intranets. Because you consider the intranets trusted, the best solution is to create a gateway-to-gateway VPN. In this case, both gateways are connected directly to the intervening network. In other words, they are border or edge systems, which are not protected by firewalls. This example serves as a useful introduction to the steps involved in setting up a basic VPN configuration. When this scenario refers to the term, Internet, it refers to the intervening network between the two VPN gateways, which might be the company's own private network or the public Internet.

Important: This scenario shows the iSeries security gateways attached directly to the Internet. The absence of a firewall is intended to simplify the scenario. It does not imply that the use of a firewall is not necessary. In fact, consider the security risks involved any time you connect to the Internet.

Advantages

This scenario has the following advantages:

Using the Internet or an existing intranet reduces the cost of private lines between remote subnets.
Using the Internet or an existing intranet reduces the complexity of installing and maintaining private lines and associated equipment.
Using the Internet allows remote locations to connect to almost anywhere in the world.
Using VPN provides users access to all servers and resources on either side of the connection just as though they were connected using a leased line or wide area network (WAN) connection.
Using industry standard encryption and authentication methods ensures the security of sensitive information passed from one location to another.
Exchanging your encryption keys dynamically and regularly simplifies setup and minimizes the risk of your keys being decoded and security being breached.
Using private IP addresses in each remote subnet makes it unnecessary to allocate valuable public IP addresses to each client.

Objectives

In this scenario, MyCo, Inc. wants to establish a VPN between the subnets of its Human Resources and Finance departments through a pair of iSeries servers. Both servers will act as VPN gateways. In terms of VPN configurations, a gateway performs key management and applies IPSec to the data that flows through the tunnel. The gateways are not the data endpoints of the connection.

The objectives of this scenario are as follows:

The VPN must protect all data traffic between the Human Resources department's subnet and the Finance department's subnet.
Data traffic does not require VPN protection once it reaches either of the department's subnets.
All clients and hosts on each network have full access to the other's network, including all applications.
The gateway servers can communicate with each other and access each other's applications.

Details

The following figure illustrates the network characteristics of MyCo.

Human Resources Department

iSeries-A runs on OS/400^® Version 5 Release 2 (V5R2) or later and acts as the Human Resources Department's VPN gateway.
Subnet is 10.6.0.0 with mask 255.255.0.0. This subnet represents the data endpoint of the VPN tunnel at the MyCo Rochester site.
iSeries-A connects to the Internet with IP address 204.146.18.227. This is the connection endpoint. That is, iSeries-A performs key management and applies IPSec to incoming and outgoing IP datagrams.
iSeries-A connects to its subnet with IP address 10.6.11.1.
iSeries-B is a production server in the Human Resources subnet that runs standard TCP/IP applications.

Finance Department

iSeries-C runs on OS/400 Version 5 Release 2 (V5R2) or later and acts as the Finance Department's VPN gateway.
Subnet is 10.196.8.0 with mask 255.255.255.0. This subnet represents the data endpoint of the VPN tunnel at the MyCo Endicott site.
iSeries-C connects to the Internet with IP address 208.222.150.250. This is the connection endpoint. That is, iSeries-C performs key management and applies IPSec to incoming and outgoing IP datagrams.
iSeries-C connects to its subnet with IP address 10.196.8.5.

Configuration tasks

You must complete each of these tasks to configure the branch office connection described in this scenario:

Note: Before you start these tasks verify the TCP/IP routing to ensure that the two gateway servers can communicate with each other across the Internet. This ensures that hosts on each subnet route properly to their respective gateway for access to the remote subnet.