Configure IPSec
Note:
An iSCSI HBA for iSeries™ with IPSec support is required to use IPSec to secure the data flows over the iSCSI network. If the iSCSI HBA hardware does not support IPSec, a connection security object still needs to be created, but you should not define any IP security rules in it.
To configure IPSec, or to change IPSec credentials, follow these steps:
1. This step is required if you have not already generated the first pre-shared key. You can also perform this step at any time to change the pre-shared key. With the server shut down (NWSD varied off), use the procedure described in Change connection security configuration properties to change the properties of the connection security configuration for the server.
2. Use the procedure described in Display connection security configuration properties to display the properties of the connection security configuration for the server.
   - Go to the IP Security Rules tab.
   - Note the value in the first row of the table, which contains a random pre-shared key generated by i5/OS™. This information will be used in step 5.
3. Using iSeries Navigator:
   - Select Integrated Server Administration -> Servers.
   - Right-click the integrated server and select Properties.
   - Go to the iSCSI Security tab.
   - For the Default IP security rule, select 1, then click OK to save the change. This tells i5/OS that wherever a Default value appears for an IP security rule in the server properties, it should use the first value in the connection security configuration (the configuration specified by the server's Connection security configuration value on the iSCSI Security tab of the server properties).
4. This step is required only if you do not want IPSec enabled on all of the connections of the server's NWSD, or if remote interface rules in the server properties have been changed from the Default value. Using iSeries Navigator:
   - Select Integrated Server Administration -> Servers.
   - Right-click the integrated server and select Properties.
   - Go to the Storage Paths tab.
   - Each Remote Interface IP Security Rule corresponds to an iSCSI HBA pair consisting of an iSCSI HBA for iSeries port and a hosted system iSCSI HBA port. Repeat the following for all of the Remote Interface IP Security Rule columns on the Storage Paths and the Virtual Ethernet Paths tabs.
     Note:
     Any NWSH used more than once in an NWSD must have identical sets of Remote Interface IP Security Rule values in each of the storage or virtual Ethernet paths that reference it.
     Set each Remote Interface IP Security Rule to either None or Default, whichever is appropriate for the way you are using that particular iSCSI HBA port pair:
     - Use None if you want network traffic to flow in the clear between the iSCSI HBA ports, regardless of the ability of either iSCSI HBA to support IPSec.
     - Use Default if the corresponding iSCSI HBA for iSeries supports IPSec and you want to allow only encrypted traffic (or no traffic if the hosted system's iSCSI HBA port does not support IPSec).
5. This step is required only if the Delivery method in the remote system configuration is Manually configured on remote system or Dynamically delivered to remote system via CHAP. Upon the next server start (NWSD vary on), watch the hosted system's console for a prompt to press CTRL-Q. Immediately on seeing the prompt, press CTRL-Q. In the CTRL-Q utility, select the adapter that is configured to boot the hosted OS. Enter the pre-shared key from the connection security configuration properties into the pre-shared key field of the target security configuration panel. See Diskless booting over iSCSI for more information about the CTRL-Q utility.
Note:
Any non-boot iSCSI HBAs
in the hosted system are automatically configured from the i5/OS configuration.
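The rules above (a Default value resolves to one row of the connection security configuration, None means clear traffic, Default on an IPSec-capable iSCSI HBA for iSeries means encrypted traffic or none at all, and an NWSH referenced by several paths must carry identical rule sets) are easy to get wrong when a server has many storage and virtual Ethernet paths. The following is an added example, not code from the page or from IBM, that models those settings in plain Python and checks a constructed NWSD configuration against them before a vary on. All class, field and identifier names (ServerConfig, Path, NWSD01, NWSH01 and so on) are assumptions for illustration and the pre-shared key value is a constructed placeholder.

```python
"""Constructed model of the NWSD IPSec settings described on this page.

The class and field names here are illustrative assumptions; they are not
i5/OS commands, iSeries Navigator object names, or any IBM API.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

NONE_RULE = "None"
DEFAULT_RULE = "Default"


@dataclass(frozen=True)
class SecurityRule:
    """One row of the IP Security Rules table in a connection security configuration."""
    row: int
    preshared_key: str  # constructed sample value, never a real key


@dataclass(frozen=True)
class Path:
    """A storage or virtual Ethernet path. 'rules' holds the Remote Interface IP
    Security Rule for each hosted-system HBA port paired with this NWSH."""
    kind: str                        # "storage" or "virtual_ethernet"
    nwsh: str                        # the iSCSI HBA for iSeries side of each port pair
    rules: tuple[str, ...]           # each entry is "None" or "Default"
    hosted_ipsec: tuple[bool, ...]   # does the hosted-system HBA port support IPSec?


@dataclass
class ServerConfig:
    nwsd: str
    default_rule_row: int                    # the "Default IP security rule" value (1 on this page)
    security_rules: tuple[SecurityRule, ...]
    nwsh_ipsec: dict[str, bool]              # does each iSCSI HBA for iSeries support IPSec?
    paths: tuple[Path, ...]


def resolve_default_rule(server: ServerConfig) -> SecurityRule:
    """Map the server's Default value to a row of the connection security configuration."""
    for rule in server.security_rules:
        if rule.row == server.default_rule_row:
            return rule
    raise ValueError(f"{server.nwsd}: Default IP security rule {server.default_rule_row} has no matching row")


def effective_traffic(server: ServerConfig, nwsh: str, rule: str, hosted_ipsec: bool) -> str:
    """What flows across one HBA port pair: 'clear', 'encrypted' or 'blocked'."""
    if rule == NONE_RULE:
        return "clear"  # in the clear, whatever either HBA supports
    if rule != DEFAULT_RULE:
        raise ValueError(f"unknown Remote Interface IP Security Rule {rule!r}")
    if not server.nwsh_ipsec.get(nwsh, False):
        # The page only allows Default where the iSCSI HBA for iSeries supports IPSec.
        raise ValueError(f"{nwsh}: Default rule set on an iSCSI HBA without IPSec support")
    resolve_default_rule(server)  # Default must point at an existing rule row
    return "encrypted" if hosted_ipsec else "blocked"


def check_nwsh_consistency(server: ServerConfig) -> list[str]:
    """An NWSH used more than once in an NWSD must carry identical sets of Remote
    Interface IP Security Rule values in every path that references it."""
    seen: dict[str, set[tuple[str, ...]]] = defaultdict(set)
    for path in server.paths:
        seen[path.nwsh].add(path.rules)
    return [f"{nwsh}: conflicting rule sets {sorted(rulesets)}"
            for nwsh, rulesets in seen.items() if len(rulesets) > 1]


def validate(server: ServerConfig) -> tuple[list[str], dict[str, str]]:
    """Return (errors, effective traffic per path and port) for the whole NWSD."""
    errors = check_nwsh_consistency(server)
    traffic: dict[str, str] = {}
    for path in server.paths:
        for i, (rule, hosted) in enumerate(zip(path.rules, path.hosted_ipsec)):
            key = f"{path.kind}:{path.nwsh}:{i}"
            try:
                traffic[key] = effective_traffic(server, path.nwsh, rule, hosted)
            except ValueError as exc:
                errors.append(str(exc))
    return errors, traffic


# Constructed sample: NWSH01 supports IPSec and is shared by a storage path and a
# virtual Ethernet path; NWSH02 does not support IPSec and uses None.
CONSTRUCTED = ServerConfig(
    nwsd="NWSD01",
    default_rule_row=1,
    security_rules=(SecurityRule(row=1, preshared_key="EXAMPLE-PSK-PLACEHOLDER"),),
    nwsh_ipsec={"NWSH01": True, "NWSH02": False},
    paths=(
        Path("storage", "NWSH01", ("Default", "Default"), (True, False)),
        Path("virtual_ethernet", "NWSH01", ("Default", "Default"), (True, False)),
        Path("storage", "NWSH02", ("None",), (True,)),
    ),
)

# Same server, but the virtual Ethernet path gives NWSH01 a different rule set.
CONFLICTING = ServerConfig(
    nwsd="NWSD02",
    default_rule_row=1,
    security_rules=CONSTRUCTED.security_rules,
    nwsh_ipsec=CONSTRUCTED.nwsh_ipsec,
    paths=(
        Path("storage", "NWSH01", ("Default", "Default"), (True, False)),
        Path("virtual_ethernet", "NWSH01", ("None", "Default"), (True, False)),
    ),
)

if __name__ == "__main__":
    for cfg in (CONSTRUCTED, CONFLICTING):
        errs, flows = validate(cfg)
        print(cfg.nwsd, "errors:", errs)
        for key, flow in flows.items():
            print("  ", key, "->", flow)
```

Running the module prints the effective traffic for each port pair (encrypted, blocked where the hosted HBA lacks IPSec, clear for the None rule) and flags the second configuration because NWSH01 is referenced with two different rule sets.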