Configuring VPN

 

After planning for your VPN, you can begin configuring it. This topic provides you with an overview of what you can do with VPN and how to do it. The VPN interface provides you with several different ways to configure your VPN connections. Keep reading to help you decide which type of connection to configure and how to do it.

 

Parent topic:

Virtual Private Networking (VPN)

Related concepts
Planning for VPN

 

What type of connection should I configure?

A dynamic connection is one that dynamically generates and negotiates the keys that secure your connection, while it is active, by using the Internet Key Exchange (IKE) protocol. Dynamic connections provide an extra level of security for the data that flows across it because the keys change, automatically, at regular intervals. Consequently, an attacker is less likely to capture a key, have time to break it, and use it to divert or capture the traffic the key protects.

A manual connection, however, does not provide support for IKE negotiations, and consequently, automatic key management. Further, both ends of the connection require you to configure several attributes that must match exactly. Manual connections use static keys that do not refresh or change while the connection is active. You must stop a manual connection to change its associated key. If you consider this a security risk, you may want to create a dynamic connection instead.

 

How do I configure a dynamic VPN connection?

VPN is actually a group of configuration objects that define the characteristics of a connection. A dynamic VPN connection requires each of these objects to work properly. Follow the links below for specific information about how to configure each of the VPN configuration objects:

Tip: Configure connections with the New Connection wizard

In general, you can use the Connection wizard to create all of your dynamic connections. The wizard automatically creates each of the configuration objects VPN requires to work properly, including the packet rules. If you specify that you want the wizard to activate the VPN packet rules for you, you can skip to step six below, Start the connection. Otherwise, after the wizard finishes configuring your VPN, activate the packet rules and then you can start the connection.

If you choose not to use the wizard to configure your dynamic VPN connections, follow these steps to complete the configuration:

  1. Configure VPN security policies

    You must define VPN security policies for all of your dynamic connections. The Internet Key Exchange policy and data policy dictate how IKE protects its phase 1 and phase 2 negotiations.

  2. Configure secure connections

    Once you have defined the security policies for a connection, then configure the secure connection. For dynamic connections, the secure connection object includes a dynamic-key group and a dynamic-key connection. The dynamic-key group defines the common characteristics of one or more VPN connections, while the dynamic-key connection defines the characteristics of individual data connections between pairs of endpoints. The dynamic-key connection exists within the dynamic-key group.

    You only need to complete the next two steps, Configure packet rules and Define an interface for the rules, if you select The policy filter rule will be defined in Packet Rules option on the Dynamic-Key Group - Connections page in the VPN interface. Otherwise, these rules are created as part of your VPN configurations and are applied to the interface you specify.

    IBM recommends that you always allow the VPN interface to create your policy filter rules for you. Do this by selecting the Generate the following policy filter for this group option on the Dynamic-Key Group - Connections page.

  3. Configure packet rules

    After you complete your VPN configurations, create and apply filter rules that allow data traffic to flow through the connection. The VPN pre-IPSec rules permit all IKE traffic on the specified interfaces so that IKE can negotiate connections. The policy filter rule defines which addresses, protocols, and ports can use the associated new dynamic-key group.

    If you are migrating from either V4R4 or V4R5 and have VPN connections and policy filters you want to continue using with the current release, review the topic, Migrate policy filters to the current release to ensure that your old policy filters and new policy filters will work together as you intend.

  4. Define an interface for the rules

    After you configure the packet rules and any other rules that you need to enable your VPN connection, define an interface to which to apply them.

  5. Activate packet rules

    After you define an interface for your packet rules, activate them before you can start the connection.

  6. Start the connection

    Complete this task to start your connections.

 

How do I configure a manual VPN connection?

Just as the name suggests, a manual connection is one where configure all of your VPN properties by hand, including inbound and outbound keys. Follow the links below for specific information about how to configure a manual connection:

  1. Configure manual connections

    Manual connections define the characteristics of a connection including what security protocols and the connection and data endpoints.

    You only need to complete the next two steps, Configure policy filter rule and Define an interface for the rules, if you select The policy filter rule will be defined in Packet Rules option on the Manual Connection - Connection page in the VPN interface. Otherwise, these rules are created as part of your VPN configurations.

    IBM recommends that you always allow the VPN interface to create your policy filter rules for you. Do this by selecting the Generate a policy filter that matches the data endpoints option on the Manual Connection - Connection page.

  2. Configure policy filter rule

    After you configure the attributes of the manual connection, create and apply a policy filter rule that allows data traffic to flow through the connection. The policy filter rule defines which addresses, protocols, and ports can use the associated connection.

  3. Define an interface for the rules

    After you configure the packet rules and any other rules that you need to enable your VPN connection, define an interface to which to apply them.

  4. Activate packet rules

    After you define an interface for your packet rules, activate them before you can start the connection.

  5. Start the connection

    Complete this task to start connections that are initiated locally.