Planning worksheet for manual connections

 

Complete this worksheet before you configure a manual connection.

Complete this worksheet to assist you in creating your virtual private network (VPN) connections that do not use IKE for key management. Answer each of these questions before you proceed with your VPN setup:

Table 1. System Requirements
Prerequisite checklist Answers
Is your operating system OS/400® V5R2(5722-SS1) or later?
Is the Digital Certificate Manager option (5722-SS1 Option 34) installed?
Is iSeries™ Access for Windows® (5722-XE1) installed?
Is iSeries Navigator installed?
Is the Network subcomponent of iSeries Navigator installed?
Is TCP/IP Connectivity Utilities (5722-TC1) installed?
Did you set the retain server security data (QRETSVRSEC *SEC) system value to 1?
Is TCP/IP configured on your system (including IP interfaces, routes, local host name, and local domain name)?
Is normal TCP/IP communication established between the required endpoints?
Have you applied the latest program temporary fixes (PTFs)?
If the VPN tunnel traverses firewalls or routers that use IP packet filtering, do the firewall or router filter rules support AH and ESP protocols?
Are the firewalls or routers configured to permit the AH and ESP protocols?
Are the firewalls configured to enable IP forwarding?

Table 2. VPN configuration
You need this information to configure a manual VPN Answers
What type of connection are you creating?

  • Host-to-host

  • Host-to-gateway

  • Gateway-to-host

  • Gateway-to-gateway
What will you name the connection?
What is the identifier of the local connection endpoint?
What is the identifier of the remote connection endpoint?
What is the identifier of the local data endpoint?
What is the identifier of the remote data endpoint?
What type of traffic will you allow for this connection (local port, remote port, and protocol)?
Do you require address translation for this connection? See Network address translation for VPN for more information.
Will you use tunnel mode or transport mode?
Which IPSec protocol will the connection use (AH, ESP, or AH with ESP)? See IP Security (IPSec) for more information.
Which authentication algorithm will the connection use (HMAC-MD5 or HMAC-SHA)?
Which encryption algorithm will the connection use (DES-CBC or 3DES-CBC)?

You specify an ecryption algorithm only if you selected ESP as your IPSec protocol.

What is the AH inbound key? If you use MD5, the key is a 16-byte hexadecimal string. If you use SHA, the key is a 20-byte hexadecimal string.

Your inbound key must match the outbound key of the remote server exactly.

What is the AH outbound key? If you will use MD5, the key is a 16-byte hexadecimal string. If you will use SHA, the key is a 20-byte hexadecimal string.

Your outbound key must match the inbound key of the remote server exactly.

What is the ESP inbound key? If you use DES, the key is an 8-byte hexadecimal string. If you will use 3DES, the key is a 24-byte hexadecimal string.

Your inbound key must match the outbound key of the remote server exactly.

What is the ESP outbound key? If you use DES, the key is an 8-byte hexadecimal string. If you will use 3DES, the key is a 24-byte hexadecimal string.

Your outbound key must match the inbound key of the remote server exactly.

What is the inbound Security Policy Index (SPI)? The inbound SPI is a 4-byte hexadecimal string, where the first byte is set to 00.

Your inbound SPI must match the outbound SPI of the remote server exactly.

What is the outbound SPI? The outbound SPI is a 4-byte hexadecimal string.

Your outbound SPI must match the inbound SPI of the remote server exactly.

 

Parent topic:

Completing VPN planning worksheets

Related concepts
Network address translation for VPN