A Comprehensive Guide to
Virtual Private Networks, Volume III:
Cross-Platform Key and Policy Management
Martin W. Murhammer, Orcun Atakan, Zikrun Badri, Beomjun Cho
Hyun Jeong Lee, Alexander Schmid
International Technical Support Organization
http://www.redbooks.ibm.com
Draft Document for Review July 12, 1999 11:13 am SG24-5309-00
October 1999
Take Note!
Before using this information and the product it supports, be sure to read the general information in Appendix A,
“Special Notices” on page 659.
First Edition (October 1999)
This edition applies to the VPN components of the following IBM products:
• AIX V4.3.2 and V4.3.3
• OS/400 V4R4
• Communications Server and Security Server for OS/390 V2R8
• Nways 2210, 2212 and 2216 routers using MRS/AIS/MAS V3.3
This edition also applies to the VPN components of selected non-IBM products.
Note
This book is based on a pre-GA version of a product and may not apply when the product becomes generally
available. We recommend that you consult the product documentation or follow-on versions of this redbook for
more current information.
Comments may be addressed to:
IBM Corporation, International Technical Support Organization
Dept. HZ8 Building 678
P.O. Box 12195
Research Triangle Park, NC 27709-2195
When you send information to IBM, you grant IBM a non-exclusive right to use or distribute the information in any
way it believes appropriate without incurring any obligation to you.
© Copyright International Business Machines Corporation 1999. All rights reserved.
Note to U.S. Government Users - Documentation related to restricted rights - Use, duplication or disclosure is subject to restrictions
set forth in GSA ADP Schedule Contract with IBM Corp.
Contents
Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .xxiii
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
0.1 How this Book is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
The Team That Wrote This Redbook. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxviii
Comments Welcome . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxix
Part 1. VPN Overview and Technology Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
Chapter 1. Virtual Private Network (VPN) Introduction. . . . . . . . . . . . . . . .33
1.1 What is a VPN? A quick review. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .33
1.2 VPN benefits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .34
1.3 VPN requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .35
1.3.1 Security considerations for VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . .35
1.3.2 Performance considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40
1.3.3 Management considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42
1.3.4 General purpose encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
1.4 A basic approach to VPN design and implementation. . . . . . . . . . . . . . . . .44
1.5 Common VPN scenarios. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45
1.5.1 Branch Office Interconnections . . . . . . . . . . . . . . . . . . . . . . . . . . . . .46
1.5.2 Business partner/supplier networks. . . . . . . . . . . . . . . . . . . . . . . . . .47
1.5.3 Remote Access Scenarios . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
1.6 VPN technologies and security policies. . . . . . . . . . . . . . . . . . . . . . . . . . .49
1.6.1 The need for a security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
1.6.2 Network security policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
1.6.3 VPN security policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .52
Chapter 2. Layer 2 VPN Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
2.1 Layer 2 Tunneling Protocol (L2TP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
2.1.1 Overview and standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
2.1.2 L2TP flows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
2.1.3 Compulsory and voluntary tunnel modes. . . . . . . . . . . . . . . . . . . . . .56
2.1.4 Securing the tunnels with IPSec . . . . . . . . . . . . . . . . . . . . . . . . . . . .58
2.1.5 Multiprotocol support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60
2.2 Point-to-Point Tunneling Protocol (PPTP). . . . . . . . . . . . . . . . . . . . . . . . .60
2.3 Layer 2 Forwarding (L2F) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61
2.4 Comparing remote access tunneling protocols . . . . . . . . . . . . . . . . . . . . .62
2.5 Layer 2 tunneling authentication and encryption . . . . . . . . . . . . . . . . . . . .63
2.5.1 Authentication options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63
2.5.2 Encryption options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Chapter 3. Layer 3 VPN Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
3.1 IP Security Architecture (IPSec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
3.1.1 Overview and standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67
3.1.2 Security Associations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68
3.1.3 IP Authentication Header (AH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
3.1.4 Encapsulating Security Payload (ESP) . . . . . . . . . . . . . . . . . . . . . . .70
3.1.5 Tunnel and transport mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
3.1.6 SA combinations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .72
3.2 Coming to terms with the Internet Key Exchange (IKE) protocol . . . . . . . 75
3.2.1 Overview and standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
3.2.2 Key management requirements for IPSec . . . . . . . . . . . . . . . . . . . . 76
3.2.3 IKE Phase 1 overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
3.2.4 IKE Phase 2 overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
3.2.5 ISAKMP Message Structure. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78
3.2.6 General Phase 1 process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
3.2.7 General Phase 2 process. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
3.2.8 Summary of successful IKE negotiation. . . . . . . . . . . . . . . . . . . . . . 95
3.2.9 Optional IKE Exchanges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
3.3 IPSec/IKE system processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
3.3.1 Outbound IPSec processing for host systems . . . . . . . . . . . . . . . . . 98
3.3.2 Inbound processing for host systems. . . . . . . . . . . . . . . . . . . . . . . . 99
3.3.3 Outbound processing for gateway systems . . . . . . . . . . . . . . . . . . . 99
3.3.4 Inbound processing for gateway systems. . . . . . . . . . . . . . . . . . . . 100
Chapter 4. Certificates and Public Key Infrastructures. . . . . . . . . . . . . . 103
4.1 Public Key Cryptography. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.2 Digital Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
4.3 Registration Authority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
4.4 Multiple Certificate Authorities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.4.1 Single Root CA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
4.4.2 Hierarchical Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
4.4.3 Peer Topology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
4.5 PKI Requirements for IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Chapter 5. Security Technologies Complementing VPNs. . . . . . . . . . . . 115
5.1 Authentication for Remote Access Dial-In Users . . . . . . . . . . . . . . . . . . 115
5.1.1 RADIUS Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
5.1.2 Using RADIUS with Layer 2 Tunnels . . . . . . . . . . . . . . . . . . . . . . . 118
5.2 Network Address Translation (NAT). . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
5.3 SOCKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
5.4 Secure Sockets Layer (SSL) and Transport Layer Security (TLS) . . . . . 122
5.5 Comparing IPSec to SSL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Chapter 6. Directory Assisted Policy Management. . . . . . . . . . . . . . . . . 127
6.1 The Benefits of Directory Assisted Policy Management . . . . . . . . . . . . . 127
6.2 Directory Client and Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.2.1 LDAP Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.3 Directory Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.4 Policy Deployment using LDAP for IBM 221x Router. . . . . . . . . . . . . . . 128
6.4.1 LDAP server configuration on AIX . . . . . . . . . . . . . . . . . . . . . . . . . 129
6.4.2 LDAP Client Configuration on the Nways 221x Routers . . . . . . . . . 133
6.5 Secure transmission of LDAP traffic using tunnel. . . . . . . . . . . . . . . . . . 136
Chapter 7. Internet VPN Management . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
7.1 Management Area. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
7.2 Management requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
7.3 Design Consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
7.4 Management object for Internet VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . 145
7.5 Integration to other management tool . . . . . . . . . . . . . . . . . . . . . . . . . . 146
7.6 Network management system for IBM 221x router. . . . . . . . . . . . . . . . . 146
Part 2. IBM VPN Platforms with IKE Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Chapter 8. Introduction to IBM VPN solutions . . . . . . . . . . . . . . . . . . . . .151
8.1 IBM VPN platforms - IPSec and IKE feature summary . . . . . . . . . . . . . .151
8.2 IBM VPN platforms - layer 2 tunneling feature summary . . . . . . . . . . . . .153
8.3 IBM VPN platforms - interoperability matrix for IKE. . . . . . . . . . . . . . . . .154
8.4 IBM VPN platforms supporting IPSec but not IKE . . . . . . . . . . . . . . . . . .154
8.5 IBM VPN platforms- interoperability matrix for IPSec without IKE . . . . . .155
8.6 IBM and OEM VPN platforms - interoperability matrix. . . . . . . . . . . . . . .156
Chapter 9. AIX V4.3.2 and V4.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
9.1 AIX V4.3.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
9.1.1 IPSec and Internet Key Exchange (IKE) VPN Features. . . . . . . . . .159
9.1.2 VPN Feature Installation on AIX V4.3.2. . . . . . . . . . . . . . . . . . . . . .160
9.1.3 AIX V4.3.2 IP Security: IKE tunnel basic set up. . . . . . . . . . . . . . . .161
9.1.4 AIX V4.3.2 IP Security IKE Advanced Setup . . . . . . . . . . . . . . . . . .171
9.1.5 Use Tunnel Lifetime and Lifesize. . . . . . . . . . . . . . . . . . . . . . . . . . .179
9.1.6 Packet Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
9.1.7 Manual Tunnel Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .182
9.2 AIX V4.3.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184
9.2.1 VPN Features and Improvements in AIX V4.3.3 . . . . . . . . . . . . . . .184
9.2.2 AIX V4.3.3 VPN Feature Installation . . . . . . . . . . . . . . . . . . . . . . . .185
9.2.3 IP Security IKE Tunnel Basic Setup Using the Configuration Wizard . . .187
9.2.4 IP Security IKE Tunnel Advanced Setup . . . . . . . . . . . . . . . . . . . . .190
9.2.5 Manual tunnel configuration using the WebSM . . . . . . . . . . . . . . . .197
9.2.6 Filtering Capability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .200
9.3 Creating a VPN host-to-host connection . . . . . . . . . . . . . . . . . . . . . . . . .203
Chapter 10. OS/400 V4R4 Native VPN Support . . . . . . . . . . . . . . . . . . . . .211
10.1 Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
10.2 VPN software prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .211
10.3 AS/400 VPN components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
10.3.1 AS/400 Operations Navigator . . . . . . . . . . . . . . . . . . . . . . . . . . . .212
10.3.2 New Connection Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
10.3.3 VPN server jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
10.3.4 VPN policy database. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .213
10.3.5 IP packet filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .214
10.4 Basic planning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .215
10.5 VPN configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
10.5.1 AS/400 Operations Navigator . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
10.5.2 Using the New Connection Wizard . . . . . . . . . . . . . . . . . . . . . . . .223
10.5.3 Changing the New Connection Wizard default values . . . . . . . . . .226
10.5.4 Objects created by the wizard. . . . . . . . . . . . . . . . . . . . . . . . . . . .226
10.5.5 Configuring IP filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .227
10.5.6 Object relationships. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .228
10.6 VPN management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
10.6.1 IP packet security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .229
10.6.2 VPN server jobs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .231
10.6.3 Starting VPN connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .234
10.7 Backup and recovery considerations. . . . . . . . . . . . . . . . . . . . . . . . . . .237
10.7.1 Creating a VPN Host-to-Host Connection . . . . . . . . . . . . . . . . . . .237
10.7.2 Configuring IP Packet Security . . . . . . . . . . . . . . . . . . . . . . . . . . .245
10.7.3 Starting the VPN connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . .252
10.7.4 Relationship between the wizard and the configuration objects . . 257
Chapter 11. Communications Server V2R8 for OS/390 . . . . . . . . . . . . . . 261
11.1 Firewall Technologies for OS/390 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
11.2 Installation and Customization of VPN IKE feature . . . . . . . . . . . . . . . 262
11.2.1 OS/390 SecureWay CS IP services customization. . . . . . . . . . . . 262
11.2.2 Unix System Services customization . . . . . . . . . . . . . . . . . . . . . . 265
11.2.3 OS/390 Security Server and cryptographic services customization . . . 266
11.2.4 OS/390 Firewall USS customization and starting. . . . . . . . . . . . . 279
11.3 Dynamic tunnel scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
11.3.1 Creating a dynamic VPN connection using the GUI panels . . . . . 302
11.3.2 Creating a dynamic VPN using the shell commands . . . . . . . . . . 323
Chapter 12. Nways Routers Using MRS/AIS/MAS V3.3 . . . . . . . . . . . . . . 329
12.1 Policy Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
12.2 Configuring IPSec on an Nways Router. . . . . . . . . . . . . . . . . . . . . . . . 331
12.2.1 Configuring Manual IPSec Tunnels . . . . . . . . . . . . . . . . . . . . . . . 334
12.2.2 Configuring IKE with Pre-shared Keys. . . . . . . . . . . . . . . . . . . . . 344
12.2.3 IKE with PKI Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Part 3. VPN Scenarios Using IBM VPN Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Chapter 13. Building Branch Office VPNs . . . . . . . . . . . . . . . . . . . . . . . . 385
13.1 Design Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
13.1.1 Authenticating Backbone Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . 385
13.1.2 Data Confidentiality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
13.1.3 Addressing Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
13.1.4 Routing Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
13.1.5 Summary: Branch Office Connection. . . . . . . . . . . . . . . . . . . . . . 388
13.2 Central Site - Small Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
13.2.1 Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
13.2.2 Gateway-to-Gateway Tunnel with IPSec between IBM Routers . . 390
13.2.3 Scenario Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
13.2.4 Implementation Tasks - Summary . . . . . . . . . . . . . . . . . . . . . . . . 391
13.2.5 Completing the IBM 2216 Router Planning Worksheet. . . . . . . . . 392
13.2.6 Configuring the VPN in the IBM 2216 Routers. . . . . . . . . . . . . . . 396
13.2.7 Connection Verification and Testing. . . . . . . . . . . . . . . . . . . . . . . 399
13.3 Central Site - Medium Enterprise. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
13.3.1 Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
13.3.2 Gateway-to-Gateway Tunnel with IPSec between IBM AIX Systems . . . 400
13.3.3 Scenario Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
13.3.4 Implementation Tasks - Summary . . . . . . . . . . . . . . . . . . . . . . . . 402
13.3.5 Completing the AIX Planning Worksheet . . . . . . . . . . . . . . . . . . . 402
13.3.6 Configuring the Central Site Gateway . . . . . . . . . . . . . . . . . . . . . 404
13.3.7 Configuring the Branch Office Gateway. . . . . . . . . . . . . . . . . . . . 405
13.3.8 Connection Verification and Testing. . . . . . . . . . . . . . . . . . . . . . . 405
13.4 Central and Regional Sites - Large Enterprise. . . . . . . . . . . . . . . . . . . 406
13.4.1 Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
13.4.2 IBM AS/400 to IBM 2210 Gateway-to-Gateway tunnel with IPSec 407
13.4.3 Scenario Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
13.4.4 Implementation tasks - Summary. . . . . . . . . . . . . . . . . . . . . . . . . 409
13.4.5 Completing the 2210 router planning worksheet. . . . . . . . . . . . . . 410
13.4.6 Completing the AS/400 system planning worksheet . . . . . . . . . . .415
13.4.7 VPN configuration cross reference table - OS/400 to 2210 router .418
13.4.8 Configuring the VPN in the 2210 router. . . . . . . . . . . . . . . . . . . . .419
13.4.9 Configuring the VPN on the AS/400 system (RALYAS4A) . . . . . . .421
13.4.10 Configuring IP filtering on the AS/400 system (RALYAS4A) . . . .423
13.4.11 Starting IP filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .424
13.4.12 Starting the VPN connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .424
13.4.13 Verification tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .427
Chapter 14. Building Business Partner / Supplier VPNs . . . . . . . . . . . . .429
14.1 Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .429
14.1.1 Authenticating and Encrypting Supplier Traffic . . . . . . . . . . . . . . .430
14.1.2 Addressing Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
14.1.3 Packet Filtering and Proxies . . . . . . . . . . . . . . . . . . . . . . . . . . . . .432
14.1.4 Summary: Inter-Company Interconnection. . . . . . . . . . . . . . . . . . .433
14.2 Nested Tunnel Configurations With IKE . . . . . . . . . . . . . . . . . . . . . . . .433
14.2.1 IBM Router configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
14.3 End-to-End Tunnels with IPSec. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443
14.3.1 Scenario characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .443
14.3.2 Implementation Tasks - Summary. . . . . . . . . . . . . . . . . . . . . . . . .444
14.3.3 Completing the AIX server planning worksheet . . . . . . . . . . . . . . .444
14.3.4 Completing the AS/400 system planning worksheet . . . . . . . . . . .446
14.3.5 Configuring a host to host VPN in the AIX server . . . . . . . . . . . . .448
14.3.6 Configuring a host to host VPN in the AS/400 system. . . . . . . . . .450
14.3.7 Matching the AIX server VPN configuration. . . . . . . . . . . . . . . . . .452
14.3.8 Configuring IP filters on the AS/400 system (RALYAS4C). . . . . . .454
14.3.9 Starting the VPN Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . .458
14.3.10 Verification Tests. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .460
Chapter 15. Building Remote Access VPNs . . . . . . . . . . . . . . . . . . . . . . .461
15.1 Design Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .461
15.1.1 Data Confidentiality and Authentication. . . . . . . . . . . . . . . . . . . . .462
15.1.2 Addressing and Routing Issues. . . . . . . . . . . . . . . . . . . . . . . . . . .462
15.1.3 Multiprotocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .462
15.1.4 Summary: Remote Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
15.2 Remote Access With IPSec. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .463
15.2.1 Description of the Scenario. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .464
15.2.2 Configuration of the ISP Router. . . . . . . . . . . . . . . . . . . . . . . . . . .465
15.2.3 Configuration of the VPN Gateway (Center 2216 Router) . . . . . . .468
15.2.4 Configure IPSec Action and Proposal . . . . . . . . . . . . . . . . . . . . . .471
15.2.5 Configure ISAKMP Action and Proposal . . . . . . . . . . . . . . . . . . . .473
15.2.6 Configuration of the IRE SafeNet VPN Client . . . . . . . . . . . . . . . .475
15.2.7 Testing and Verifying the Connection . . . . . . . . . . . . . . . . . . . . . .477
15.3 End-to-End Connections Using L2TP and IPSec. . . . . . . . . . . . . . . . . .479
15.4 Dial-on-Demand via ISP Using L2TP. . . . . . . . . . . . . . . . . . . . . . . . . . .479
Chapter 16. VPN Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
16.1 Log Files. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
16.2 Alerting and Monitoring. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
16.3 Traces, Dumps and Traffic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . .481
16.3.1 Traces and Dumps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .481
16.3.2 Traffic Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .482
16.4 Interfaces to Systems Management Tools. . . . . . . . . . . . . . . . . . . . . . .492
16.5 Ethical Hacking. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .492
16.6 Troubleshooting for AIX 4.3.x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
16.6.1 IP Security log file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
16.6.2 ISAKMPD log file. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
16.7 Troubleshooting for OS/400. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
16.7.1 Available methods for troubleshooting Virtual Private Networks . . 497
16.7.2 General guideline for VPN troubleshooting . . . . . . . . . . . . . . . . . 498
16.7.3 Using and customizing the Active Connections window . . . . . . . . 499
16.7.4 Using the QIPFILTER Journal . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
16.7.5 Using the QVPN journal. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503
16.7.6 The Trace TCP/IP Application (TRCTCPAPP) command. . . . . . . 505
16.7.7 Using joblogs for problem determination . . . . . . . . . . . . . . . . . . . 507
16.7.8 Using the AS/400 communications trace . . . . . . . . . . . . . . . . . . . 508
16.8 Troubleshooting for OS/390. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 508
16.8.1 Using the Firewall Log to Check the Tunnel. . . . . . . . . . . . . . . . . 508
16.9 Troubleshooting for IBM 221x Router . . . . . . . . . . . . . . . . . . . . . . . . . 509
16.9.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509
16.9.2 Order of Commands While Troubleshooting. . . . . . . . . . . . . . . . . 510
16.9.3 Useful Commands for Policy and IPSec. . . . . . . . . . . . . . . . . . . . 510
16.9.4 Useful Commands for IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
16.9.5 Useful Commands for layer 2 VPNs. . . . . . . . . . . . . . . . . . . . . . . 516
16.9.6 Authentication commands and RADIUS . . . . . . . . . . . . . . . . . . . . 520
16.9.7 Useful Commands for LDAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
16.9.8 Using ELS Subsystems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
16.9.9 Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Part 4. OEM VPN Platforms and Interoperability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525
Chapter 17. Interoperability with Cisco Routers . . . . . . . . . . . . . . . . . . . 527
17.1 Cisco IOS VPN Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527
17.2 Configuring Cisco IOS for IPSec and IKE . . . . . . . . . . . . . . . . . . . . . . 528
17.2.1 IKE Configuration using pre-shared key authentication . . . . . . . . 528
17.2.2 IKE Configuration using RSA signature authentication. . . . . . . . . 532
17.2.3 IPSec Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535
17.2.4 Connection Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537
17.3 IBM 2216 to Cisco 2612, Gateway-to-Gateway . . . . . . . . . . . . . . . . . . 538
17.3.1 Scenario characteristics. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538
17.3.2 Implementation Tasks - Summary . . . . . . . . . . . . . . . . . . . . . . . . 539
17.3.3 Completing the IBM 2216 Router Planning Worksheet. . . . . . . . . 539
17.3.4 Configuring the VPN in the IBM 2216 router . . . . . . . . . . . . . . . . 544
17.3.5 Completing the Cisco Router Planning Worksheet. . . . . . . . . . . . 546
17.3.6 Configuring the VPN in the Cisco router. . . . . . . . . . . . . . . . . . . . 548
17.3.7 Connection Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
17.3.8 Verification tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
17.4 IBM AS/400 to Cisco 2612, Gateway-to-Gateway . . . . . . . . . . . . . . . . 551
17.4.1 Scenario Characteristics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
17.4.2 Implementation Tasks - Summary . . . . . . . . . . . . . . . . . . . . . . . . 553
17.4.3 Completing the Cisco Router Planning Worksheet. . . . . . . . . . . . 554
17.4.4 Completing the AS/400 System Planning Worksheet. . . . . . . . . . 556
17.4.5 Configuring the VPN in the Cisco router. . . . . . . . . . . . . . . . . . . . 558
17.4.6 Configuring the VPN on the AS/400 system (RALYAS4A) . . . . . . 562
17.4.7 Matching the Cisco router VPN configuration. . . . . . . . . . . . . . . . 563
17.4.8 Configuring IP filtering on the AS/400 system (RALYAS4A). . . . . 564
17.4.9 Starting IP filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565