Configuring the pre-IPSec filter rule
This information can help you create filter rules for inbound and outbound traffic.
Complete this task only if you have specified that you do not want VPN to generate your policy filter rule automatically.
A pair of Internet Key Exchange (IKE) servers dynamically negotiates and refreshes the keys for the connection. IKE uses well-known UDP port 500 as both its source and destination port. For IKE to work, your filter rules must allow UDP datagrams on port 500 between the two key servers before any IPSec policy is applied to the traffic. To do this, create a pair of filter rules, one for outbound traffic and one for inbound traffic, so that the connection can negotiate the keys that protect it:
- In iSeries™ Navigator, expand your system > Network > IP Policies.
- Right-click Packet Rules and select Rules Editor. This opens the Packet Rules editor, which allows you to create or edit filter and NAT rules for your system.
- On the Welcome window, select Create a new packet rules file and click OK.
- From the Packet Rules editor select Insert > Filter.
- On the General page, specify a set name for your VPN filter rules. IBM recommends that you create at least three different sets: one for your pre-IPSec filter rules, one for your policy filter rules, and one for miscellaneous PERMIT and DENY filter rules. Name the set that contains your pre-IPSec filter rules with a prefix of preipsec, for example, preipsecfilters.
- In the Action field, select PERMIT from the drop-down list.
- In the Direction field, select OUTBOUND from the drop-down list.
- In the Source address name field, select = from the first drop-down list and then enter the IP address of the local key server in the second field. You specified the IP address of the local key server in the IKE policy.
- In the Destination address name field, select = from the first drop-down list and then enter the IP address of the remote key server in the second field. You also specified the IP address of the remote key server in the IKE policy.
- On the Services page, select Service. This enables the Protocol, Source port, and Destination port fields.
- In the Protocol field, select UDP from the drop-down list.
- For Source port, select = in the first field, then enter 500 in the second field.
- Repeat the previous step for Destination port.
- Click OK.
- Repeat these steps to configure the INBOUND filter. Use the same set name, select INBOUND in the Direction field, and swap the addresses: the remote key server becomes the source address and the local key server becomes the destination address. Protocol and both ports stay UDP and 500.
A less secure but easier option for permitting IKE traffic is to configure only one pre-IPSec filter rule and use wildcard values (*) in the Direction, Source address name, and Destination address name fields. That single rule permits UDP port 500 traffic between any two addresses in either direction, so any host that can reach the system can send it IKE packets, and you rely entirely on IKE authentication rather than the packet filter to reject unwanted peers. Prefer the address-specific pair unless the remote key server's address is not fixed.
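The following model of the filter pair built in the steps above, and of the single wildcard rule just described, is an added example written for this page; it is not IBM code and not output of the Packet Rules editor. The rule fields are the ones the editor asks for (set name, action, direction, source and destination address, protocol, source and destination port). The two key-server addresses, the probe host, and the assumed deny-by-default behaviour are constructed for the example, and the packet-rules text rendering is an assumption about the editor's output syntax that you should check against the file the editor actually writes.

```python
"""Model of the pre-IPSec (IKE) filter pair and the wildcard alternative.

Added example, not IBM code. It evaluates sample packets against the two
rule sets to show what each one permits.
"""
from dataclasses import dataclass

LOCAL_KEY_SERVER = "192.168.1.10"   # constructed: local IKE server address
REMOTE_KEY_SERVER = "203.0.113.25"  # constructed: remote IKE server address
IKE_PORT = 500                      # well-known IKE port, source and destination


@dataclass(frozen=True)
class FilterRule:
    set_name: str
    action: str      # PERMIT or DENY
    direction: str   # INBOUND, OUTBOUND or "*"
    src: str         # IP address or "*"
    dst: str         # IP address or "*"
    protocol: str    # UDP, TCP or "*"
    src_port: str    # port number as text, or "*"
    dst_port: str

    def matches(self, direction, src, dst, protocol, src_port, dst_port):
        """A field set to "*" matches anything; every other field needs equality."""
        wanted = (self.direction, self.src, self.dst, self.protocol,
                  self.src_port, self.dst_port)
        actual = (direction, src, dst, protocol, str(src_port), str(dst_port))
        return all(w == "*" or w == a for w, a in zip(wanted, actual))


def pre_ipsec_rules(local, remote, set_name="preipsecfilters"):
    """The rule pair from the procedure: UDP 500 to UDP 500 between the two
    key servers only, one rule per direction with the addresses swapped."""
    return [
        FilterRule(set_name, "PERMIT", "OUTBOUND", local, remote, "UDP", "500", "500"),
        FilterRule(set_name, "PERMIT", "INBOUND", remote, local, "UDP", "500", "500"),
    ]


def wildcard_rule(set_name="preipsecfilters"):
    """The easier single rule: direction and both addresses are wildcards."""
    return [FilterRule(set_name, "PERMIT", "*", "*", "*", "UDP", "500", "500")]


def is_permitted(rules, direction, src, dst, protocol, src_port, dst_port):
    """First matching rule decides. A packet that matches no rule is treated
    as denied (assumption for this model: a DENY rule in the miscellaneous
    set closes the interface, so nothing is permitted by omission)."""
    for rule in rules:
        if rule.matches(direction, src, dst, protocol, src_port, dst_port):
            return rule.action == "PERMIT"
    return False


def ike_initiators_allowed(rules, local, candidates):
    """Which of `candidates` may start an IKE exchange with the local key
    server (inbound UDP 500 -> 500). This is the exposure difference between
    the address-specific pair and the wildcard rule."""
    return [c for c in candidates
            if is_permitted(rules, "INBOUND", c, local, "UDP", IKE_PORT, IKE_PORT)]


def to_packet_rule(rule):
    """Render a rule as one line in the style of the IBM i packet rules file.
    Assumption: keyword spelling follows the Packet Rules editor's output;
    verify against the file the editor writes before relying on it."""
    return (f"FILTER SET {rule.set_name} ACTION = {rule.action} "
            f"DIRECTION = {rule.direction} SRCADDR = {rule.src} DSTADDR = {rule.dst} "
            f"PROTOCOL = {rule.protocol} DSTPORT = {rule.dst_port} "
            f"SRCPORT = {rule.src_port} FRAGMENTS = NONE JRN = OFF")


if __name__ == "__main__":
    strict = pre_ipsec_rules(LOCAL_KEY_SERVER, REMOTE_KEY_SERVER)
    loose = wildcard_rule()
    probes = [REMOTE_KEY_SERVER, "198.51.100.7"]  # the peer and an unrelated host (constructed)
    for line in map(to_packet_rule, strict):
        print(line)
    print("pair permits IKE from:", ike_initiators_allowed(strict, LOCAL_KEY_SERVER, probes))
    print("wildcard permits IKE from:", ike_initiators_allowed(loose, LOCAL_KEY_SERVER, probes))
```

Running the script prints the two rendered rules and then shows that the rule pair admits IKE only from the configured remote key server while the wildcard rule admits it from the unrelated host as well. Note that neither rule set matches UDP port 4500, so if IKE has to traverse a NAT device (NAT traversal moves the exchange to UDP 4500) a further rule is needed; that case is outside the procedure above.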
The next step is to configure a policy filter rule to define what IP traffic the VPN connection protects.
Parent topic:
Configuring VPN packet rules