Scenario: Basic business to business connection


In this scenario, your company wants to establish a VPN between a host in its parts-supply division and a host in the manufacturing department of your business partner.


Situation

Many companies use frame relay or leased lines to provide secure communications with their business partners, subsidiaries, and vendors. Unfortunately, these solutions are often expensive and geographically limiting. VPN offers an alternative for companies that want private, cost-effective communications.

Suppose you are a major parts supplier to a manufacturer. Because it is critical that you deliver the specific parts and quantities at the exact time the manufacturer requires them, you always need to be aware of the manufacturer's inventory status and production schedules. Perhaps you handle this interaction manually today and find it time-consuming, expensive, and at times inaccurate. You want an easier, faster, and more effective way to communicate with the manufacturer. However, given the confidential and time-sensitive nature of the information you exchange, the manufacturer does not want to publish it on its corporate Web site or distribute it monthly in an external report. By using the public Internet, you can establish a virtual private network (VPN) that meets the needs of both companies.


Objectives

In this scenario, MyCo wants to establish a VPN between a host in its parts division and a host in the manufacturing department of one of its business partners, TheirCo.

Because the information these two companies share is highly confidential, it must be protected while it travels across the Internet. In addition, the data must not flow in the clear within either company's network, because each company treats the other's network as untrusted. In other words, both companies require end-to-end authentication, integrity, and encryption between the two hosts themselves, not merely between the two sites.

The intent of this scenario is to introduce, by example, a simple host-to-host VPN configuration. In a typical network environment, you will also need to consider firewall configuration, IP addressing requirements, and routing, among other things. Note that the addresses used in this scenario are from private (RFC 1918) ranges and serve only as illustration; in a real deployment the two connection endpoints must be reachable from each other across the Internet.


Details

The following figure illustrates the network characteristics of MyCo and TheirCo:

MyCo Supply Network

  • System-A runs on OS/400® Version 5 Release 2 (V5R2) or later.

  • System-A has an IP address of 10.6.1.1. This is the connection endpoint, as well as the data endpoint. That is, System-A performs IKE negotiations and applies IPSec to incoming and outgoing IP datagrams and is also the source and destination for data that flows through the VPN.

  • System-A is in subnet 10.6.0.0 with mask 255.255.0.0

  • Only System-A can initiate the connection with System-C.

TheirCo Manufacturing Network

  • System-C runs on OS/400 Version 5 Release 2 (V5R2) or later.

  • System-C has an IP address of 10.196.8.6. This is the connection endpoint, as well as the data endpoint. That is, System-C performs IKE negotiations and applies IPSec to incoming and outgoing IP datagrams and is also the source and destination for data that flows through the VPN.

  • System-C is in subnet 10.196.8.0 with mask 255.255.255.0


Configuration tasks

You must complete each of these tasks to configure the business to business connection described in this scenario:

Before you start these tasks, verify TCP/IP routing to ensure that System-A and System-C can reach each other across the Internet. Because this is a host-to-host scenario, there are no VPN gateways in the path: each system itself must have a route (typically through its default gateway) to the remote subnet, and plain IP connectivity between the two hosts must work before IKE can negotiate the security associations.
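The two Details lists above describe the policy this scenario needs (protect every datagram between System-A and System-C, with System-A as the only initiator) and the routing/addressing check that must pass first. The following Python model, added here as an illustration and not OS/400 configuration or IBM code, expresses that policy as a small security policy database in RFC 4301 terms, looks up datagrams against it, and runs the addressing pre-checks. The addresses and masks are the ones given on the page; the PROTECT/BYPASS actions, the inference that "connection endpoint equals data endpoint" on both sides means transport mode, and the pre-check rules are assumptions made in this example.

```python
"""Model the host-to-host IPsec policy and prerequisites for the MyCo/TheirCo
scenario. Added illustration only: the addresses come from the page, while the
policy actions, transport-mode inference and pre-checks are assumptions here."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    subnet: str  # network the host is said to live in, e.g. "10.6.0.0/255.255.0.0"


@dataclass(frozen=True)
class Rule:
    src: str             # traffic selector (CIDR)
    dst: str
    action: str          # PROTECT, BYPASS or DISCARD (RFC 4301 vocabulary)
    mode: str = ""       # "transport" or "tunnel" when action is PROTECT
    initiator: str = ""  # IP allowed to start IKE for this rule ("" = either side)


# Values from the scenario; the page does not name a VPN mode, so the mode
# chosen in build_spd below is an inference, not something the page states.
SYSTEM_A = Host("System-A", "10.6.1.1", "10.6.0.0/255.255.0.0")
SYSTEM_C = Host("System-C", "10.196.8.6", "10.196.8.0/255.255.255.0")


def build_spd(a: Host, c: Host) -> list[Rule]:
    """Policy for the scenario: every datagram between the two data endpoints is
    protected end to end. Because each system is both the IKE (connection)
    endpoint and the data endpoint, transport mode suffices; tunnel mode is only
    needed when a gateway protects hosts behind it. Only System-A may initiate."""
    host_a, host_c = f"{a.ip}/32", f"{c.ip}/32"
    return [
        Rule(host_a, host_c, "PROTECT", "transport", initiator=a.ip),
        Rule(host_c, host_a, "PROTECT", "transport", initiator=a.ip),
        # Everything else is outside the VPN. A stricter site could DISCARD here.
        Rule("0.0.0.0/0", "0.0.0.0/0", "BYPASS"),
    ]


def classify(spd: list[Rule], src: str, dst: str) -> Rule:
    """First-match lookup, the way an SPD is consulted for each datagram."""
    s, d = ip_address(src), ip_address(dst)
    for rule in spd:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule
    raise LookupError("no policy matched; an SPD must end with a catch-all rule")


def may_initiate(spd: list[Rule], src: str, dst: str) -> bool:
    """True if src is permitted to start IKE for traffic from src to dst."""
    rule = classify(spd, src, dst)
    return rule.action == "PROTECT" and rule.initiator in ("", src)


def precheck(a: Host, c: Host) -> list[str]:
    """Addressing sanity checks to run before touching IKE/IPsec policy.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    for h in (a, c):
        net = ip_network(h.subnet, strict=False)
        addr = ip_address(h.ip)
        if addr not in net:
            findings.append(f"{h.name}: {h.ip} is not inside {net}")
        if addr.is_private:
            findings.append(
                f"{h.name}: {h.ip} is RFC 1918; needs a public address or NAT "
                "to be reachable across the Internet")
    if ip_network(a.subnet, strict=False).overlaps(ip_network(c.subnet, strict=False)):
        findings.append("subnets overlap; routing to the remote side is ambiguous")
    return findings


if __name__ == "__main__":
    spd = build_spd(SYSTEM_A, SYSTEM_C)
    print(classify(spd, SYSTEM_A.ip, SYSTEM_C.ip))
    print("C may initiate:", may_initiate(spd, SYSTEM_C.ip, SYSTEM_A.ip))
    for finding in precheck(SYSTEM_A, SYSTEM_C):
        print("pre-check:", finding)
```

Running the model with the page's own addresses flags both hosts as RFC 1918, which is the caveat a practitioner should keep in mind when reusing these values: they work as an illustration of selectors and policy, but real Internet transit needs public endpoint addresses or NAT, and NAT in turn affects which IPsec encapsulation can be used.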


Parent topic:

VPN scenarios

Related concepts
TCP/IP routing and workload balancing