Scenario: Basic business to business connection

In this scenario, your company wants to establish a VPN between a client workstation in your manufacturing division and a client workstation in the supply department of your business partner.

Situation

Many companies use frame relay or leased lines to provide secure communications with their business partners, subsidiaries, and vendors. Unfortunately, these solutions are often expensive and geographically limiting. VPN offers an alternative for companies who want private, cost-effective communications.

Suppose you are a major parts supplier to a manufacturer. Since it is critical that you have the specific parts and quantities at the exact time required by the manufacturing firm, you always need to be aware of the manufacturer's inventory status and production schedules. Perhaps you handle this interaction manually today, and find it time consuming, expensive and even inaccurate at times. You want to find an easier, faster, and more effective way to communicate with your manufacturing company. However, given the confidentiality and time-sensitive nature of the information you exchange, the manufacturer does not want to publish it on its corporate Web site or distribute it monthly in an external report. By exploiting the public Internet, you can easily establish a virtual private network (VPN) to meet the needs of both companies.

Objectives

In this scenario, MyCo wants to establish a VPN between a host in its parts division and a host in the manufacturing department of one their business partners,TheirCo.

Because the information these two companies share is highly confidential, it must be protected while it travels across the Internet. In addition, data must not flow in the clear within either company's networks because each network considers the other untrusted. In other words, both companies require end-to-end authentication, integrity, and encryption.

Important: The intent of this scenario is to introduce, by example, a simple host-to-host VPN configuration. In a typical network environment, you will also need to consider firewall configuration, IP addressing requirements, and routing, among others.

Details

The following figure illustrates the network characteristics of MyCo and TheirCo:

MyCo Supply Network

iSeries-A runs on OS/400^® Version 5 Release 2 (V5R2) or later.
iSeries-A has an IP address of 10.6.1.1. This is the connection endpoint, as well as the data endpoint. That is, iSeries-A performs IKE negotiations and applies IPSec to incoming and outgoing IP datagrams and is also the source and destination for data that flows through the VPN.
iSeries-A is in subnet 10.6.0.0 with mask 255.255.0.0
Only iSeries-A can initiate the connection with iSeries-C.

TheirCo Manufacturing Network

iSeries-C runs on OS/400 Version 5 Release 2 (V5R2) or later.
iSeries-C has an IP address of 10.196.8.6. This is the connection endpoint, as well as the data endpoint. That is, iSeries-A performs IKE negotiations and applies IPSec to incoming and outgoing IP datagrams and is also the source and destination for data that flows through the VPN.
iSeries-C is in subnet 10.196.8.0 with mask 255.255.255.0

Configuration tasks

You must complete each of these tasks to configure the business to business connection described in this scenario:

Note: Before you start these tasks verify the TCP/IP routing to ensure that the two gateway servers can communicate with each other across the Internet. This ensures that hosts on each subnet route properly to their respective gateway for access to the remote subnet.