Completing the planning worksheets


The following planning checklists illustrate the type of information you need before you begin configuring the VPN. All answers on the prerequisite checklist must be YES before you proceed with VPN setup.

There are separate worksheets for both Gateway-B and System-E.

Table 1. System requirements

| Prerequisite checklist | Answers |
|---|---|
| Is your operating system i5/OS® V5R4 (5722-SS1)? | Yes |
| Is the Digital Certificate Manager option (5722-SS1 Option 34) installed? | Yes |
| Is iSeries™ Access for Windows® (5722-XE1) installed? | Yes |
| Is iSeries Navigator installed? | Yes |
| Is the Network subcomponent of iSeries Navigator installed? | Yes |
| Is TCP/IP Connectivity Utilities (5722-TC1) installed? | Yes |
| Did you set the retain server security data (QRETSVRSEC *SEC) system value to 1? | Yes |
| Is TCP/IP configured on your system (including IP interfaces, routes, local host name, and local domain name)? | Yes |
| Is normal TCP/IP communication established between the required endpoints? | Yes |
| Have you applied the latest program temporary fixes (PTFs)? | Yes |
| If the VPN tunnel traverses firewalls or routers that use IP packet filtering, do the firewall or router filter rules support the AH and ESP protocols? | Yes |
| Are the firewalls or routers configured to permit traffic over port 4500 for key negotiations? Typically, VPN partners perform IKE negotiations over UDP port 500; when IKE detects NAT, packets are sent over UDP port 4500 instead. | Yes |
| Are the firewalls configured to enable IP forwarding? | Yes |
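
The last three rows of the checklist are the ones most often answered "Yes" without being verified. The following is an added example, not part of the IBM documentation: it takes the key-server addresses from the Gateway-B worksheet below and checks a constructed, deliberately incomplete list of permit rules against the flows the checklist requires (IKE on UDP 500, IKE NAT traversal on UDP 4500, ESP as IP protocol 50 and AH as IP protocol 51, in both directions). The `Rule` format is a hypothetical simplification for illustration and is not i5/OS or any vendor's filter syntax.

```python
"""Audit a packet-filter rule set against the VPN prerequisite checklist.

Added example, not from the original page. The Rule class is a hypothetical,
simplified stateless permit rule; the addresses come from the Gateway-B
worksheet and the rule lists below are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IP protocol numbers named (by protocol) in the checklist.
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51

# IKE uses UDP 500; once NAT is detected it moves to UDP 4500 (NAT traversal).
IKE_PORT = 500
IKE_NAT_T_PORT = 4500


@dataclass(frozen=True)
class Rule:
    """One permit rule of a hypothetical stateless packet filter."""
    src: str                    # source address or "ANY"
    dst: str                    # destination address or "ANY"
    protocol: int               # IP protocol number
    port: Optional[int] = None  # destination port (UDP/TCP), None for AH/ESP

    def covers(self, src: str, dst: str, protocol: int, port: Optional[int]) -> bool:
        """True if this rule would permit the described flow."""
        return (self.src in ("ANY", src)
                and self.dst in ("ANY", dst)
                and self.protocol == protocol
                and (self.port is None or self.port == port))


Flow = Tuple[str, str, str, int, Optional[int]]  # (label, src, dst, proto, port)


def required_flows(local_key_server: str, remote_key_server: str) -> List[Flow]:
    """Flows the checklist says must pass between the two IKE key servers."""
    flows: List[Flow] = []
    for a, b in ((local_key_server, remote_key_server),
                 (remote_key_server, local_key_server)):
        flows.append(("IKE (UDP 500)", a, b, PROTO_UDP, IKE_PORT))
        flows.append(("IKE NAT traversal (UDP 4500)", a, b, PROTO_UDP, IKE_NAT_T_PORT))
        flows.append(("ESP (protocol 50)", a, b, PROTO_ESP, None))
        flows.append(("AH (protocol 51)", a, b, PROTO_AH, None))
    return flows


def missing_flows(rules: List[Rule], local_key_server: str,
                  remote_key_server: str) -> List[str]:
    """Describe each required flow that no rule in the set permits."""
    missing = []
    for label, src, dst, proto, port in required_flows(local_key_server, remote_key_server):
        if not any(r.covers(src, dst, proto, port) for r in rules):
            missing.append(f"{label} {src} -> {dst}")
    return missing


# Key-server identifiers from the Gateway-B worksheet.
LOCAL_KEY_SERVER = "214.72.189.35"
REMOTE_KEY_SERVER = "146.210.18.51"

# Constructed rule set: permits IKE on UDP 500 and ESP, but an administrator
# forgot NAT traversal (UDP 4500) and AH. This is the common "Yes" that is not.
INCOMPLETE_RULES = [
    Rule(LOCAL_KEY_SERVER, REMOTE_KEY_SERVER, PROTO_UDP, IKE_PORT),
    Rule(REMOTE_KEY_SERVER, LOCAL_KEY_SERVER, PROTO_UDP, IKE_PORT),
    Rule(LOCAL_KEY_SERVER, REMOTE_KEY_SERVER, PROTO_ESP),
    Rule(REMOTE_KEY_SERVER, LOCAL_KEY_SERVER, PROTO_ESP),
]

# Constructed rule set that satisfies every row of the checklist.
COMPLETE_RULES = INCOMPLETE_RULES + [
    Rule("ANY", "ANY", PROTO_UDP, IKE_NAT_T_PORT),
    Rule("ANY", "ANY", PROTO_AH),
]


if __name__ == "__main__":
    for name, rules in (("incomplete", INCOMPLETE_RULES), ("complete", COMPLETE_RULES)):
        gaps = missing_flows(rules, LOCAL_KEY_SERVER, REMOTE_KEY_SERVER)
        print(f"{name}: {'OK' if not gaps else 'missing ' + '; '.join(gaps)}")
```

Run against the incomplete set the check reports the four missing flows (UDP 4500 and AH in each direction); against the complete set it reports nothing, which is the state the checklist row demands before you proceed.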

Table 2. Gateway-B configuration

| You need this information to configure the VPN for Gateway-B | Answers |
|---|---|
| What type of connection are you creating? | gateway-to-another host |
| What will you name the dynamic-key group? | CHIgw2MINhost |
| What type of security and system performance do you require to protect your keys? | balanced |
| Are you using certificates to authenticate the connection? If no, what is the preshared key? | No; preshared key: topsecretstuff |
| What is the identifier of the local key server? | IP address: 214.72.189.35 |
| What is the identifier of the local data endpoint? | Subnet: 10.8.11.0, Mask: 255.255.255.0 |
| What is the identifier of the remote key server? | IP address: 146.210.18.51 |
| What is the identifier of the remote data endpoint? | IP address: 146.210.18.51 |
| What ports and protocols do you want to allow to flow through the connection? | Any |
| What type of security and system performance do you require to protect your data? | balanced |
| To which interfaces does the connection apply? | TRLINE |

Table 3. System-E configuration

| You need this information to configure the VPN for System-E | Answers |
|---|---|
| What type of connection are you creating? | host-to-another gateway |
| What will you name the dynamic-key group? | CHIgw2MINhost |
| What type of security and system performance do you require to protect your keys? | highest |
| Are you using certificates to authenticate the connection? If no, what is the preshared key? | No; preshared key: topsecretstuff |
| What is the identifier of the local key server? | IP address: 56.172.1.1 |
| What is the identifier of the remote key server? (If the Firewall-C IP address is unknown, you can use *ANYIP as the identifier for the remote key server.) | IP address: 129.42.105.17 |
| What is the identifier of the remote data endpoint? | Subnet: 10.8.11.0, Mask: 255.255.255.0 |
| What ports and protocols do you want to allow to flow through the connection? | Any |
| What type of security and system performance do you require to protect your data? | highest |
| To which interfaces does the connection apply? | TRLINE |


Parent topic: Scenario: Firewall Friendly VPN