Use this information to learn how to edit your policy filter rules.
Complete this task only if you have specified that you do not want VPN to generate your policy filter rule automatically.
The policy filter rule (a rule where action=IPSEC) defines which addresses, protocols, and ports can use the VPN. It also identifies the policy that is applied to traffic in the VPN connection. To configure a policy filter rule, follow these steps:
If you just configured the pre-IPSec rule (for dynamic connections only), the Packet Rules editor is still open; go to step 4.
1. In iSeries™ Navigator, expand your system > Network > IP Policies.
2. Right-click Packet Rules and select Rules Editor. This opens the Packet Rules editor, which allows you to create or edit filter and NAT rules for your system.
3. On the Welcome window, select Create a new packet rules file and click OK.
4. From the Packet Rules editor, select Insert > Filter.
5. On the General page, specify a set name for your VPN filter rules, for example, policyfilters. IBM recommends that you create at least three different sets: one for your pre-IPSec filter rules, one for your policy filter rules, and one for miscellaneous PERMIT and DENY filter rules.
6. In the Action field, select IPSEC from the drop-down list. The Direction field defaults to OUTBOUND and you cannot change it. Although this field shows OUTBOUND, the rule is actually bi-directional; OUTBOUND is displayed to clarify the semantics of the input values: source values are local values, and destination values are remote values.
7. For Source address name, select = in the first field, and then enter the IP address of the local data endpoint in the second field. You can also specify a range of IP addresses or an IP address plus a subnet mask after you define them by using the Define Addresses function.
8. For Destination address name, select = in the first field, and then enter the IP address of the remote data endpoint in the second field. You can also specify a range of IP addresses or an IP address plus a subnet mask after you define them by using the Define Addresses function.
9. In the Journaling field, specify what level of journaling you require.
10. In the Connection name field, select the connection definition to which these filter rules apply.
11. (Optional) Enter a description.
12. On the Services page, select Service. This enables the Protocol, Source port, and Destination port fields.
13. In the Protocol, Source port, and Destination port fields, select the appropriate value for the traffic, or select the asterisk (*) from the drop-down list, which allows any protocol using any port to use the VPN.
14. Click OK.
The next step is to define the interface to which these filter rules apply.
When you add filter rules for an interface, the system automatically adds a default DENY rule for that interface. This means that any traffic not explicitly permitted is denied. You cannot see or change this rule. As a result, you may find that connections that previously worked mysteriously fail after you activate your VPN packet rules. If you want to allow traffic other than VPN on the interface, add explicit PERMIT rules to do so.
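The three rule sets the steps above describe, written out as they appear in a packet rules file, as an added example that is not from this page or from IBM. The keyword spellings (FILTER, SET, ACTION, SRCADDR, DSTADDR, FRAGMENTS, JRN, CONNECTION_DEFINITION, FILTER_INTERFACE) follow the i5/OS packet rules syntax as I recall it and should be checked against a file the editor generates; the addresses, set names, line name ETHLINE and connection name Branch2HQ are constructed placeholders.

```text
# Constructed example: local data endpoint 192.0.2.10, remote data endpoint
# 198.51.100.20, line ETHLINE and connection definition Branch2HQ are placeholders.

# Set 1: pre-IPSec rules. IKE (UDP port 500) must be PERMITted in both directions
# before the policy rule can do anything; otherwise the default DENY that comes
# with the interface binding blocks key negotiation and the tunnel never comes up.
FILTER SET preipsec ACTION = PERMIT DIRECTION = * SRCADDR = 192.0.2.10 DSTADDR = 198.51.100.20 PROTOCOL = UDP DSTPORT = 500 SRCPORT = 500 FRAGMENTS = NONE JRN = OFF

# Set 2: the policy filter rule configured in the steps above. ACTION = IPSEC;
# DIRECTION = OUTBOUND is what the editor shows, but the rule is bi-directional:
# SRCADDR is the local data endpoint, DSTADDR the remote one. PROTOCOL, SRCPORT
# and DSTPORT = * let any protocol on any port use the VPN; narrow them if only
# specific services should traverse the tunnel.
FILTER SET policyfilters ACTION = IPSEC DIRECTION = OUTBOUND SRCADDR = 192.0.2.10 DSTADDR = 198.51.100.20 PROTOCOL = * DSTPORT = * SRCPORT = * FRAGMENTS = NONE JRN = OFF CONNECTION_DEFINITION = Branch2HQ

# Set 3: miscellaneous PERMIT/DENY rules. Binding any set to the interface adds an
# invisible default DENY, so non-VPN traffic that must keep working (here, DNS to
# a placeholder resolver at 192.0.2.53) needs an explicit PERMIT of its own.
FILTER SET miscfilters ACTION = PERMIT DIRECTION = * SRCADDR = 192.0.2.10 DSTADDR = 192.0.2.53 PROTOCOL = UDP DSTPORT = 53 SRCPORT = * FRAGMENTS = NONE JRN = OFF

# Bind the sets to the interface (the "next step" in the text). The pre-IPSec set
# is listed first so IKE traffic is matched before the IPSEC rule is consulted.
FILTER_INTERFACE LINE = ETHLINE SET = preipsec, policyfilters, miscfilters
```

If an existing service stops responding after activation, the missing piece is almost always an explicit PERMIT in the miscellaneous set rather than a problem with the IPSEC rule itself.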