Troubleshooting
Problem
This document describes in detail the Responder side of a Host-to-Host VPN configuration on the IBM i system, for the case where the IP address of the initiating VPN client is not known in advance.
Resolving The Problem
The following steps allow you to configure the Responder side of a Host-to-Host VPN tunnel that accepts connections from any IP address. This configuration causes all traffic over the chosen TCP/IP interface to the IBM i system to be authenticated and encrypted.
Note: This configuration requires a TCP/IP interface that is dedicated to the VPN traffic, and you must perform the configuration itself while connected through a different TCP/IP interface, not the IP address you specify in this configuration. The additional interface is needed because you cannot place PERMIT IP filter rules ahead of the VPN IPSEC filter rule: once the generated filters are active, every packet to or from the VPN address must be IPSec-protected, including your own management session.
To configure the Responder side configuration of a host-to-host VPN tunnel from any IP address, do the following:
Step 1: From System i Navigator, expand your system in the left pane, and sign in, if required. Expand the Network container, then expand the IP Policies container.
Step 2: Right-click Virtual Private Networking and select New Connection. This starts the VPN Connection Wizard at its Welcome screen. Click Next.
Step 3: Give your VPN connection a name and a description, and click Next.
Step 4: Specify the type of VPN tunnel you want to create. For this example, select Connect your host to another host, and click Next.
Step 5: Specify that you want to create a new Internet Key Exchange (IKE) policy. In this example, we use Balance security and performance. Then click Next.
Step 6: Specify the Identifier type of IP version 4 address, then specify the IP address that identifies your local system. This is the IP address on this system that you want your VPN tunnel to use. Then click Next.
Step 7: Specify the identifier of the remote system. In a basic host-to-host configuration you would select the IP address of the system that connects to this one. Here, however, we want the configuration to respond to any client, so select an Identifier type of Any IP address and enter a single pre-shared key that every client must be configured to use. A single key is unavoidable in this setup: in IKE Main mode the peer's identity is sent encrypted under keys derived from the pre-shared key, so the responder can only select the key by peer IP address, and with the peer address unknown there can be only one key. Make it a long, randomly generated string of letters and digits, and protect it accordingly: anyone who obtains it can bring up a tunnel to this system from any address. Then click Next.
Step 8: Because we want all traffic protected by IPSec, leave the settings on the next screen at their defaults. Then click Next.
Step 9: Specify the settings used to create the Data Policy for this VPN tunnel. Again, create a new policy and select Balance security and performance. Then click Next.
Step 10: Specify the line on which this VPN traffic will be received and sent. This should be the line associated with the IP address selected in Step 6. Select the Apply Connection checkbox next to the appropriate line. Then click Next.
Step 11: This takes you to the summary screen, where you can review your configuration for inaccuracies. No VPN configuration is created until you click Finish on this screen.
Step 12: The Activate Policy Filters window appears. Select Yes, activate the generated policy filters, then Permit all other traffic. Then click OK.
Note: Again, you must have another TCP/IP interface to carry your non-VPN traffic, and you need a thorough understanding of the TCP/IP routing on your system to ensure that this step does not affect existing traffic. If you select Yes here, do so outside production hours and at a time when you have access to the system console. In this example, all IP traffic received with a destination address of 1.2.3.4, and all IP traffic sent from the system with 1.2.3.4 as its source address, must now be protected by IPSec. If you click OK and your iSeries Navigator session hangs, the new filter rules are blocking your PC from reaching the system. The quick fix is to go to the system console and run the following CL command, which removes the active IP filter rules from the system:
RMVTCPTBL *ALL
The configuration created by this wizard is shown in detail in the table below. The remote system must be configured to mirror these settings.
Configuration Parameter | Configuration Setting
--- | ---
Pre-shared Key | a1rty45ui8rtghm
P1 Local ID Type | IPv4 Address
P1 Local ID | 1.2.3.4
P1 Remote ID Type | Any IPv4 Address
P1 Diffie-Hellman Group | 1
IKE Mode | Main
P1 Transforms | DES/MD5, DES/SHA, 3DES/MD5, 3DES/SHA
P1 Key Expiration | 1 day
P2 Local ID Type | IPv4 Address
P2 Local ID | 1.2.3.4
P2 Remote ID Type | Any IPv4 Address
P2 Diffie-Hellman Group | 1
P2 Encapsulation Mode | Transport
P2 Transforms | RC4/MD5, DES/MD5, 3DES/MD5, RC4/SHA, DES/SHA, 3DES/SHA
P2 Key Lifetime | 1 hour
Nothing needs to be done to "start" the VPN connection on the IBM System i system; as the responder, it is available for remote systems to connect to at all times. If the settings in the table above do not match the configuration of the remote client, either change the remote client to reflect them, or use iSeries Navigator to make the corresponding changes to the System i configuration. Be aware that the wizard's Balance security and performance defaults include DES, RC4, MD5 and Diffie-Hellman group 1, which are weak by current standards. Because this responder accepts any initiator, and a responder selects from the proposals the initiator offers, any client holding the key can steer the negotiation to the weakest entry in the list. If both ends support stronger options, remove the weak proposals on the System i side and keep only the strongest transforms both peers share (3DES/SHA is the strongest listed here), with a larger Diffie-Hellman group.
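As an added example, not taken from the IBM document, this is what the initiating side could look like on a Linux host running strongSwan, mirroring the table above: IKEv1 Main mode with a pre-shared key, Diffie-Hellman group 1 (modp768 in strongSwan's notation), 3DES/SHA (the strongest pair the wizard lists), transport mode, and the 1-day and 1-hour lifetimes. The IBM i address 1.2.3.4 and the sample key are the table's values; the connection name ibmi-responder and the standard strongSwan file paths are assumptions for this example.

```conf
# /etc/ipsec.conf on the initiating Linux host (added example, not from the IBM page).
# Each setting is annotated with the row of the IBM i responder table it mirrors.

conn ibmi-responder
    keyexchange=ikev1
    aggressive=no               # IKE Mode: Main
    authby=secret               # authenticate with the pre-shared key from ipsec.secrets
    left=%defaultroute          # this host's address is not fixed ("Any IPv4 Address" on IBM i);
                                # leftid defaults to that address, i.e. an IPv4 Address ID type
    right=1.2.3.4               # P1/P2 Local ID of the IBM i system; rightid defaults to this
    ike=3des-sha1-modp768!      # P1 Transforms 3DES/SHA, P1 DH group 1; '!' proposes nothing else
    esp=3des-sha1-modp768!      # P2 Transforms 3DES/SHA with PFS in P2 DH group 1
    type=transport              # P2 Encapsulation Mode: Transport
    ikelifetime=24h             # P1 Key Expiration: 1 day
    lifetime=1h                 # P2 Key Lifetime: 1 hour
    auto=start                  # the IBM i side never initiates, so this host must

# /etc/ipsec.secrets (root-only, mode 0600): the single key every client shares.
# Assumed sample value copied from the table; generate a fresh one for real use.
%any 1.2.3.4 : PSK "a1rty45ui8rtghm"
```

After loading the configuration (`ipsec restart`, then `ipsec up ibmi-responder`), `ipsec statusall` shows the proposal that was actually negotiated; compare it against the table if Phase 1 or Phase 2 fails. Generate the key with something like `openssl rand -hex 16` rather than reusing the sample string, and if you tighten the transforms on the System i side, change the `ike=` and `esp=` lines here to match, since the `!` suffix makes strongSwan refuse anything other than what is listed.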
Historical Number
457095155
Document Information
Modified date:
18 December 2019
UID
nas8N1014246