If you are creating a connection for the first time, allow VPN to automatically generate the VPN packet rules for you. You can do this by either using the New Connection wizard or the VPN properties pages to configure your connection.
If you decide to create your VPN packet rules by using the Packet Rules editor in iSeries™ Navigator, create any additional rules this way as well. Likewise, if you have VPN generate your policy filter rules, create all additional policy filter rules that way. Do not mix the two methods for the same connection.
In general, VPNs require two types of filter rules: Pre-IPSec filter rules and policy filter rules. Review the topics below to learn how to configure these rules by using the Packet Rules editor in iSeries Navigator. If you want to read about other VPN and filtering options, see the VPN and IP filtering section of the VPN concepts topic.
The pre-IPSec rules are any rules on your system that come before rules with an IPSEC action type. This topic discusses only the pre-IPSec rules that VPN requires to work properly. In this case, the pre-IPSec rules are a pair of rules that allow IKE processing over the connection. IKE allows dynamic key generation and negotiation to occur for your connection. You may need to add other pre-IPSec rules, depending on your particular network environment and security policy.
You need to configure this type of pre-IPSec rule only if other rules on the system already permit IKE for specific systems. If no filter rules on the system are written specifically to permit IKE traffic, IKE traffic is implicitly allowed.
The policy filter rule defines the traffic that can use the VPN and what data protection policy to apply to that traffic.
When you add filter rules to an interface, the system automatically adds a default DENY rule for that interface. This means that any traffic not explicitly permitted is denied. You cannot see or change this rule. As a result, you may find that traffic that previously worked fails unexpectedly after you activate your VPN filter rules. If you want to allow traffic other than VPN on the interface, add explicit PERMIT rules for that traffic.
After you configure the appropriate filter rules, define the interface to which they apply, and then activate them.
It is essential that you configure your filter rules properly. If you do not, the filter rules can block all IP traffic coming into and going out of your system. This includes your connection to iSeries Navigator, which you use to configure the filter rules.
If the filter rules do not permit iSeries Navigator traffic, iSeries Navigator cannot communicate with your system. If you find yourself in this situation, log on to your system by using an interface that still has connectivity, such as the operations console. Use the RMVTCPTBL command to remove all filters on this system. This command also ends the *VPN servers and then restarts them. Then correct your filter rules and reactivate them.
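Because the default DENY rule is invisible, it is worth checking a rule set against the flows you expect to keep working before you activate it. The following is an added example (not code from this page or from IBM) that models the filter semantics described above: first matching rule wins, an interface with any rules ends in a hidden DENY, and IKE is implicitly allowed unless some rule is written specifically for IKE. It assumes IKE runs over UDP port 500; the gateway names, the remote subnet name and the management port are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

IKE_PORT = 500  # IKE negotiates over UDP/500 (standard value, not stated on the page)

@dataclass
class Rule:
    action: str                   # "PERMIT", "DENY" or "IPSEC"
    proto: str = "*"              # "UDP", "TCP" or "*"
    dst_port: Optional[int] = None
    dst_addr: str = "*"

@dataclass
class Flow:
    proto: str
    dst_port: Optional[int]
    dst_addr: str

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.proto in ("*", flow.proto)
            and rule.dst_port in (None, flow.dst_port)
            and rule.dst_addr in ("*", flow.dst_addr))

def evaluate(rules: list, flow: Flow) -> str:
    """Model of the page's semantics: first match wins; an interface that has
    any rules ends in a hidden default DENY; IKE is implicitly allowed unless
    some rule is written specifically for IKE traffic."""
    if not rules:
        return "PERMIT"  # no rules on the interface: nothing is filtered
    is_ike = flow.proto == "UDP" and flow.dst_port == IKE_PORT
    ike_specific = any(r.proto == "UDP" and r.dst_port == IKE_PORT for r in rules)
    if is_ike and not ike_specific:
        return "PERMIT"
    for r in rules:
        if matches(r, flow):
            return r.action
    return "DENY"  # the hidden default DENY the page warns about

def blocked(rules: list, flows: dict) -> list:
    """Names of expected flows that the hidden default DENY would drop."""
    return sorted(n for n, f in flows.items() if evaluate(rules, f) == "DENY")

# Constructed sample flows: names, addresses and the management port are placeholders.
EXPECTED = {
    "ike_gw_a":  Flow("UDP", IKE_PORT, "gateway-a"),
    "ike_gw_b":  Flow("UDP", IKE_PORT, "gateway-b"),
    "vpn_data":  Flow("TCP", 443, "remote-subnet"),
    "navigator": Flow("TCP", 8470, "this-system"),  # management path (port constructed)
}
# Draft: IKE permitted for gateway A only plus the policy filter rule; locks the admin out.
DRAFT = [Rule("PERMIT", "UDP", IKE_PORT, "gateway-a"), Rule("IPSEC", "*", None, "remote-subnet")]
# Fixed: IKE permitted for both peers and an explicit PERMIT for the management path.
FIXED = DRAFT + [Rule("PERMIT", "UDP", IKE_PORT, "gateway-b"), Rule("PERMIT", "TCP", 8470, "this-system")]
```

Running `blocked(DRAFT, EXPECTED)` lists the IKE flow to gateway B and the management flow as dropped, while the fixed set drops none of them.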
Related concepts
VPN and IP filtering