VPN and IP filtering

IP filtering and VPN are closely related. In fact, most VPN connections require filter rules to work properly. This topic provides you information about what filters VPN requires, as well as other filtering concepts related to VPN.

Most VPN connections require filter rules to work properly. The filter rules required depend on the type of VPN connection that you are configuring as well as what type of traffic you want to control. In general, each connection will have a policy filter. The policy filter defines which addresses, protocols, and ports can use the VPN. In addition, connections that support the Internet Key Exchange (IKE) protocol typically have rules that are written explicitly to allow IKE processing over the connection.

In OS/400^® V5R1 or later, VPN can generate these rules automatically. Whenever possible, allow VPN to generate your policy filters for you. Not only will this help to eliminate errors, but it also eliminates the need for you to configure the rules as a separate step by using the Packet Rules editor in iSeries™ Navigator.

There are, of course, exceptions. Review these topics to learn more about other, less common, VPN and filtering concepts and techniques that may apply to your particular situation:

• VPN connections with no policy filters
  If the connection endpoints of your VPN are single, specific, IP addresses and you want to start the VPN without having to write or activate filter rules on the system, you can configure a dynamic policy filter.

• Implicit IKE
  In order for IKE negotiations to occur for your VPN, you need to allow UDP datagrams over port 500 for this type of IP traffic. However, if there are no filter rules on the system specifically written to permit IKE traffic, then the system will implicitly allow IKE traffic to flow.

Parent topic:

Related concepts
Configuring VPN packet rules