ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaja_5.4.0.1/rzajacreatevpncon.htm
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure VPN" />
<meta name="abstract" content="After planning for your VPN, you can begin configuring it. This topic provides you with an overview of what you can do with VPN and how to do it." />
<meta name="description" content="After planning for your VPN, you can begin configuring it. This topic provides you with an overview of what you can do with VPN and how to do it." />
<meta name="DC.Relation" scheme="URI" content="rzajagetstart.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajanewwiz.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajavpnpolicy.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajadefseccon.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajamancon.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajapolicyfilter.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajatfc.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaconfigureesn.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajastartdyncon.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajavpnplan.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajacreatevpncon" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure VPN</title>
</head>
<body id="rzajacreatevpncon"><a name="rzajacreatevpncon"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure VPN</h1>
<div><p>After planning for your VPN, you can begin configuring it. This
topic provides you with an overview of what you can do with VPN and how to
do it.</p>
<div class="section">The VPN interface provides you with several different ways to configure
your VPN connections. Keep reading to help you decide which type of connection
to configure and how to do it.</div>
</div>
<div>
<ul class="ullinks">
<li class="ulchildlink"><strong><a href="rzajanewwiz.htm">Configure VPN connections with the New Connection wizard</a></strong><br />
The New Connection wizard allows you to create a virtual private network (VPN) between any combination of hosts and gateways.</li>
<li class="ulchildlink"><strong><a href="rzajavpnpolicy.htm">Configure VPN security policies</a></strong><br />
After you determine how you will use your VPN you must define your VPN security policies.</li>
<li class="ulchildlink"><strong><a href="rzajadefseccon.htm">Configure the VPN secure connection</a></strong><br />
After you have configured the security policies for your connection, you must then configure the secure connection.</li>
<li class="ulchildlink"><strong><a href="rzajamancon.htm">Configure a manual connection</a></strong><br />
Just as the name suggests, a manual connection is one where you must configure all of your VPN properties by hand.</li>
<li class="ulchildlink"><strong><a href="rzajapolicyfilter.htm">Configure VPN packet rules</a></strong><br />
If you are creating a connection for the first time, allow VPN to automatically generate the VPN packet rules for you. You can do this by either using the New Connection wizard or the VPN properties pages to configure your connection.</li>
<li class="ulchildlink"><strong><a href="rzajatfc.htm">Configure Traffic Flow Confidentiality (TFC)</a></strong><br />
If your data policy is configured for Tunnel mode you can use Traffic Flow Confidentiality (TFC) to conceal the actual length of the data packets transferred over a VPN connection.</li>
<li class="ulchildlink"><strong><a href="rzajaconfigureesn.htm">Configure Extended Sequence Number (ESN)</a></strong><br />
You can use Extended Sequence Number (ESN) to increase the data transfer rate for a VPN connection.</li>
<li class="ulchildlink"><strong><a href="rzajastartdyncon.htm">Start a VPN connection</a></strong><br />
Complete this task to start connections you will initiate locally.</li>
</ul>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajagetstart.htm" title="A virtual private network (VPN) allows your company to securely extend its private intranet over the existing framework of a public network, such as the Internet. With VPN, your company can control network traffic while providing important security features such as authentication and data privacy.">Virtual Private Networking (VPN)</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajavpnplan.htm" title="The first step to successfully using VPN is planning. This topic provides information about migrating from prior releases, setup requirements, and links to a planning advisor that will generate a planning worksheet that is customized to your specifications.">Plan for VPN</a></div>
</div>
</div><div class="nested1" xml:lang="en-us" id="whattypeconconfigure"><a name="whattypeconconfigure"><!-- --></a><h2 class="topictitle2">What type of connection should I configure?</h2>
<div><div class="section"><p>A <a href="#dynamic">dynamic</a> connection
is one that generates and negotiates the keys that secure your connection
while it is active, by using the Internet Key Exchange (IKE) protocol.
Dynamic connections provide an extra level of security for the data that flows
across them because the keys change automatically at regular intervals. Consequently,
an attacker is less likely to capture a key, have time to break it, and use
it to divert or capture the traffic the key protects.</p>
<p>A <a href="#manual">manual</a> connection, however, does not support
IKE negotiation and therefore offers no automatic key management.
Further, both ends of the connection require you to configure several attributes
that must match exactly. Manual connections use static keys that do not refresh
or change while the connection is active. You must stop a manual connection
to change its associated key. If you consider this a security risk, you may
want to create a dynamic connection instead.</p>
</div>
</div>
</div>
<div class="nested1" xml:lang="en-us" id="dynamic"><a name="dynamic"><!-- --></a><h2 class="topictitle2">How do I configure a dynamic VPN connection?</h2>
<div><div class="section"><p>VPN is actually a group of configuration objects that define the
characteristics of a connection. A dynamic VPN connection requires each of
these objects to work properly. Follow the links below for specific information
about how to configure each of the VPN configuration objects:</p>
<div class="tip"><span class="tiptitle">Tip:</span> Configure
connections with the New Connection wizard<p>In general, you can use the Connection
wizard to create all of your dynamic connections. The wizard automatically
creates each of the configuration objects VPN requires to work properly, including
the packet rules. If you specify that you want the wizard to activate the
VPN packet rules for you, you can skip to step six below, <em>Start the connection</em>.
Otherwise, after the wizard finishes configuring your VPN, you must activate
the packet rules and then you can start the connection.</p>
</div>
<p>If you
choose not to use the wizard to configure your dynamic VPN connections, follow
these steps to complete the configuration:</p>
</div>
<ol><li class="stepexpand"><span>Configure VPN security policies</span> <p>You must define VPN
security policies for all of your dynamic connections. The Internet Key Exchange
policy and data policy dictate how IKE protects its phase 1 and phase 2 negotiations.</p>
</li>
<li class="stepexpand"><span>Configure secure connections</span> <p>Once you have defined
the security policies for a connection, you must then configure the secure
connection. For dynamic connections, the secure connection object includes
a dynamic-key group and a dynamic-key connection. The <span class="uicontrol">dynamic-key
group</span> defines the common characteristics of one or more VPN connections,
while the <span class="uicontrol">dynamic-key connection</span> defines the characteristics
of individual data connections between pairs of endpoints. The dynamic-key
connection exists within the dynamic-key group.</p>
<div class="note"><span class="notetitle">Note:</span> You only need to
complete the next two steps, <em>Configure packet rules</em> and <em>Define an
interface for the rules</em>, if you select the <span class="uicontrol">The policy filter rule
will be defined in Packet Rules</span> option on the <span class="uicontrol">Dynamic-Key
Group - Connections</span> page in the VPN interface. Otherwise, these
rules are created as part of your VPN configuration and are applied to the
interface you specify.</div>
<p>It is recommended that you always allow the
VPN interface to create your policy filter rules for you. Do this by selecting
the <span class="uicontrol">Generate the following policy filter for this group</span> option
on the <span class="uicontrol">Dynamic-Key Group - Connections</span> page.</p>
</li>
<li class="stepexpand"><span>Configure packet rules</span> <p>After you complete your VPN
configurations, you must create and apply filter rules that allow data traffic
to flow through the connection. The VPN <span class="uicontrol">pre-IPSec</span> rules
permit all IKE traffic on the specified interfaces so that IKE can negotiate
connections. The <span class="uicontrol">policy filter</span> rule defines which addresses,
protocols, and ports can use the associated new dynamic-key group.</p>
<p>If
you are migrating from either V4R4 or V4R5 and have VPN connections and policy
filters you want to continue using with the current release, review the topic
<em>Migrate policy filters to the current release</em> to ensure that your old policy
filters and new policy filters will work together as you intend.</p>
</li>
<li class="stepexpand"><span>Define an interface for the rules</span> <p>After you configure
the packet rules and any other rules that you need to enable your VPN connection,
you must define an interface to which to apply them.</p>
</li>
<li class="stepexpand"><span>Activate packet rules</span> <p>After you define an interface
for your packet rules, you must activate them before you can start the connection.</p>
</li>
<li class="stepexpand"><span>Start the connection</span> <p>Complete this task to start
your connections.</p>
</li>
</ol>
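<p>The packet rules described in steps 3 to 5 can be illustrated with a small evaluator. The following Python code is an added example, not part of this topic and not i5/OS code: it models a <span class="uicontrol">pre-IPSec</span> rule that permits IKE on an interface, a <span class="uicontrol">policy filter</span> rule that selects by address, protocol and port the traffic handed to a dynamic-key group, and evaluates a few constructed packets against them. The interface name <code>ETHLINE</code>, the group name <code>ToBranch</code>, the rule and action names, the addresses and the first-match, default-deny semantics are assumptions made for the example; the only protocol fact used is that IKE negotiates over UDP port 500.</p>

```python
"""Toy evaluator for VPN packet rules: a pre-IPSec rule that permits IKE,
a policy filter rule that hands matching traffic to a dynamic-key group,
and an assumed default deny for everything else.
Added example with constructed data; this is not i5/OS code."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IKE_UDP_PORT = 500  # IKE negotiates over UDP/500 (protocol fact, not from the page)


@dataclass(frozen=True)
class Packet:
    interface: str
    src: str
    dst: str
    proto: str            # "udp", "tcp", "esp", ...
    dport: Optional[int]  # None for protocols without ports (e.g. ESP)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str           # "permit" (pass unprotected) or "ipsec" (protect with the group's SA)
    interface: str
    src_net: str
    dst_net: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port
    group: Optional[str] = None   # dynamic-key group an "ipsec" rule hands traffic to

    def matches(self, pkt: Packet) -> bool:
        """A rule matches only when interface, both addresses, protocol and port agree."""
        if pkt.interface != self.interface:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Constructed rule set for a hypothetical interface "ETHLINE".
RULES: List[Rule] = [
    # pre-IPSec rule: let IKE reach the gateway so phase 1 and phase 2 can negotiate
    Rule("PREIPSEC_IKE", "permit", "ETHLINE", "0.0.0.0/0", "0.0.0.0/0", "udp", IKE_UDP_PORT),
    # policy filter: traffic between the two private subnets uses dynamic-key group ToBranch
    Rule("POLICY_TOBRANCH", "ipsec", "ETHLINE", "10.1.1.0/24", "10.2.2.0/24", group="ToBranch"),
]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First matching rule wins; traffic no rule covers is denied (assumed default)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "deny", None


def main() -> None:
    samples = [
        Packet("ETHLINE", "198.51.100.1", "203.0.113.1", "udp", 500),  # IKE from the remote gateway
        Packet("ETHLINE", "10.1.1.5", "10.2.2.9", "tcp", 443),         # data traffic the group protects
        Packet("ETHLINE", "192.168.5.5", "10.2.2.9", "tcp", 443),      # source outside the policy filter
    ]
    for pkt in samples:
        print(pkt, "->", evaluate(RULES, pkt))


if __name__ == "__main__":
    main()
```

<p>The order of the rules matters: the pre-IPSec rule must come first, because without it the gateway would never see the IKE exchange that creates the keys the policy filter rule depends on. Anything that matches neither rule is dropped, which is why the packet from <code>192.168.5.5</code> is denied rather than sent through the tunnel.</p>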
</div>
</div>
<div class="nested1" xml:lang="en-us" id="manual"><a name="manual"><!-- --></a><h2 class="topictitle2">How do I configure a manual VPN connection?</h2>
<div><div class="section">Just as the name suggests, a manual connection is one where you must
configure all of your VPN properties by hand, including inbound and outbound
keys. Follow the links below for specific information about how to configure
a manual connection:</div>
<ol><li class="stepexpand"><span>Configure manual connections</span> <p>Manual connections define
the characteristics of a connection, including which security protocols to use
and the connection and data endpoints.</p>
<div class="note"><span class="notetitle">Note:</span> You only need to complete the
next two steps, <em>Configure policy filter rule</em> and <em>Define an interface
for the rules</em>, if you select the <span class="uicontrol">The policy filter rule will be
defined in Packet Rules</span> option on the <span class="uicontrol">Manual Connection
- Connection</span> page in the VPN interface. Otherwise, these rules
are created as part of your VPN configuration.</div>
<p>It is recommended
that you always allow the VPN interface to create your policy filter rules
for you. Do this by selecting the <span class="uicontrol">Generate a policy filter that
matches the data endpoints</span> option on the <span class="uicontrol">Manual Connection
- Connection</span> page.</p>
</li>
<li class="stepexpand"><span>Configure policy filter rule</span> <p>After you configure
the attributes of the manual connection, you must create and apply a policy
filter rule that allows data traffic to flow through the connection. The <span class="uicontrol">policy
filter</span> rule defines which addresses, protocols, and ports can
use the associated connection.</p>
</li>
<li class="stepexpand"><span>Define an interface for the rules</span> <p>After you configure
the packet rules and any other rules that you need to enable your VPN connection,
you must define an interface to which to apply them.</p>
</li>
<li class="stepexpand"><span>Activate packet rules</span> <p>After you define an interface
for your packet rules, you must activate them before you can start the connection.</p>
</li>
<li class="stepexpand"><span>Start the connection</span> <p>Complete this task to start
connections that are initiated locally.</p>
</li>
</ol>
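<p>Because a manual connection has no IKE negotiation, nothing tells you at run time that the two ends disagree; the attributes entered by hand on both ends must match exactly, and the inbound key and SPI of one end must equal the outbound key and SPI of the other. The following Python code is an added example, not part of this topic and not i5/OS code: it models the two ends of a manual connection with constructed values and reports every mismatch before the connection is started. The field names, the site names, the addresses, the keys and the hypothetical typo are all constructed for the example; the expected key lengths per cipher are protocol facts, not values taken from this page.</p>

```python
"""Consistency check for a manually keyed VPN connection: every attribute
configured by hand must agree on both ends, SPIs and keys are cross-matched
(what one end sends with, the other must receive with) and each static key
must have the length its cipher expects.
Added example with constructed values; this is not i5/OS code."""
from dataclasses import dataclass, replace
from typing import List

# Expected encryption key length in hex characters (protocol facts, not from the page).
KEY_HEX_LEN = {"DES": 16, "3DES": 48, "AES-128": 32, "AES-256": 64}


@dataclass(frozen=True)
class ManualEnd:
    name: str
    local_endpoint: str
    remote_endpoint: str
    protocol: str        # "ESP" or "AH"
    mode: str            # "tunnel" or "transport"
    encryption: str
    authentication: str
    spi_in: int          # SPI this end expects on inbound packets
    spi_out: int         # SPI this end places on outbound packets
    key_in: str          # hex key used for inbound traffic
    key_out: str         # hex key used for outbound traffic


def check_manual_pair(a: ManualEnd, b: ManualEnd) -> List[str]:
    """Return a list of mismatches; an empty list means the pair is consistent."""
    problems: List[str] = []
    # endpoints are mirrored: what A calls remote, B must call local
    if a.remote_endpoint != b.local_endpoint:
        problems.append(f"{a.name}.remote_endpoint != {b.name}.local_endpoint")
    if b.remote_endpoint != a.local_endpoint:
        problems.append(f"{b.name}.remote_endpoint != {a.name}.local_endpoint")
    # attributes that must be identical on both ends
    for attr in ("protocol", "mode", "encryption", "authentication"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr}: {a.name}={getattr(a, attr)!r} {b.name}={getattr(b, attr)!r}")
    # SPIs and keys are cross-matched per direction
    for sender, receiver in ((a, b), (b, a)):
        if sender.spi_out != receiver.spi_in:
            problems.append(f"{sender.name}.spi_out != {receiver.name}.spi_in")
        if sender.key_out != receiver.key_in:
            problems.append(f"{sender.name}.key_out != {receiver.name}.key_in")
        expected = KEY_HEX_LEN.get(sender.encryption)
        if expected is not None and len(sender.key_out) != expected:
            problems.append(
                f"{sender.name}.key_out has {len(sender.key_out)} hex chars, "
                f"{sender.encryption} needs {expected}")
    # reusing one static key in both directions is a weak configuration
    for end in (a, b):
        if end.key_in == end.key_out:
            problems.append(f"{end.name} uses the same key inbound and outbound")
    return problems


# Constructed 3DES keys (48 hex characters each); never reuse sample keys.
KEY_A_TO_B = "00112233445566778899aabbccddeeff0011223344556677"
KEY_B_TO_A = "ffeeddccbbaa99887766554433221100ffeeddccbbaa9988"

SITE_A = ManualEnd("siteA", "203.0.113.1", "198.51.100.1", "ESP", "tunnel", "3DES", "HMAC-SHA1",
                   spi_in=0x2001, spi_out=0x1001, key_in=KEY_B_TO_A, key_out=KEY_A_TO_B)
SITE_B = ManualEnd("siteB", "198.51.100.1", "203.0.113.1", "ESP", "tunnel", "3DES", "HMAC-SHA1",
                   spi_in=0x1001, spi_out=0x2001, key_in=KEY_A_TO_B, key_out=KEY_B_TO_A)
# Hypothetical data-entry errors on one end: wrong inbound SPI and a key with one digit dropped.
SITE_B_TYPO = replace(SITE_B, spi_in=0x1010, key_out=KEY_B_TO_A[:-1])


def main() -> None:
    print("consistent pair:", check_manual_pair(SITE_A, SITE_B))
    print("pair with typos:")
    for problem in check_manual_pair(SITE_A, SITE_B_TYPO):
        print("  -", problem)


if __name__ == "__main__":
    main()
```

<p>Run the check whenever either end is edited: with static keys, a typo that this check catches would otherwise surface only as silently discarded traffic once the connection is started, and fixing it means stopping the connection to change the key.</p>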
</div>
</div>
</body>
</html>