Scenario: Basic branch office connection
In this scenario, your company wants to establish a VPN between the subnets of two remote departments through a pair of System i™ models acting as VPN gateways.
Situation
Suppose your company wants to minimize the costs incurred from communicating to and among its own branches. Today, your company uses frame relay or leased lines,
but you want to explore other options for transmitting internal confidential data that are less expensive, more secure, and globally accessible. By exploiting the Internet, you can easily establish a virtual private network (VPN) to meet the needs of your company.
Your company and its branch office both require VPN protection across the Internet, but not within their respective intranets. Because you consider the intranets trusted, the best solution is to create a gateway-to-gateway VPN. In this case, both gateways are connected directly to the intervening network. In other words, they are border or edge systems, which are not protected by firewalls. This example serves as a useful introduction to the steps involved in setting up a basic VPN configuration. When this scenario uses the term Internet, it means the intervening network between the two VPN gateways, which might be the company's own private network or the public Internet.
This scenario shows the System i model security gateways attached directly to the Internet. The absence of a firewall is intended to simplify the scenario. It does not imply that the use of a firewall is not necessary.
In fact, consider the security risks involved any time you connect to the Internet.
Advantages
This scenario has the following advantages:
- Using the Internet or an existing intranet reduces the cost of private lines between remote subnets.
- Using the Internet or an existing intranet reduces the complexity of installing and maintaining private lines and associated equipment.
- Using the Internet allows remote locations to connect to almost anywhere in the world.
- Using VPN provides users access to all systems and resources on either side of the connection just as though they were connected using a leased line or wide area network (WAN) connection.
- Using industry standard encryption and authentication methods ensures the security of sensitive information passed from one location to another.
- Exchanging your encryption keys dynamically and regularly simplifies setup and minimizes the risk of your keys being decoded and security being breached.
- Using private IP addresses in each remote subnet makes it unnecessary to allocate valuable public IP addresses to each client.
Objectives
In this scenario, MyCo, Inc. wants to establish a VPN between the subnets of its Human Resources and Finance departments through a pair of System i models.
Both systems will act as VPN gateways. In terms of VPN configurations, a gateway performs key management and applies IPSec to the data that flows through the tunnel. The gateways are not the data endpoints of the connection.
The objectives of this scenario are as follows:
- The VPN must protect all data traffic between the Human Resources department's subnet and the Finance department's subnet.
- Data traffic does not require VPN protection once it reaches either of the department's subnets.
- All clients and hosts on each network have full access to the other's network, including all applications.
- The gateway systems can communicate with each other and access each other's applications.
Details
The following figure illustrates the network characteristics of MyCo.
Human Resources Department
- System-A runs on OS/400® Version 5 Release 2 (V5R2) or later and acts as the Human Resources Department's VPN gateway.
- Subnet is 10.6.0.0 with mask 255.255.0.0. This subnet represents the data endpoint of the VPN tunnel at the MyCo Rochester site.
- System-A connects to the Internet with IP address 204.146.18.227. This is the connection endpoint. That is, System-A performs key management and applies IPSec to incoming and outgoing IP datagrams.
- System-A connects to its subnet with IP address 10.6.11.1.
- System-B is a production system in the Human Resources subnet that runs standard TCP/IP applications.
Finance Department
- System-C runs on OS/400 Version 5 Release 2 (V5R2) or later and acts as the Finance Department's VPN gateway.
- Subnet is 10.196.8.0 with mask 255.255.255.0. This subnet represents the data endpoint of the VPN tunnel at the MyCo Endicott site.
- System-C connects to the Internet with IP address 208.222.150.250. This is the connection endpoint. That is, System-C performs key management and applies IPSec to incoming and outgoing IP datagrams.
- System-C connects to its subnet with IP address 10.196.8.5.
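The addresses above define the two traffic selectors the gateways enforce: anything between 10.6.0.0/16 and 10.196.8.0/24 must travel inside the tunnel between 204.146.18.227 and 208.222.150.250, while traffic that stays inside one department's subnet is passed in the clear. The following Python model is an added example, not IBM code and not an OS/400 configuration format; it encodes the scenario's objectives as a policy lookup, shows the tunnel-mode outer and inner addressing, and applies the routing check from the configuration tasks (a host must reach the remote subnet via its own gateway's subnet-side address). The "unmatched" outcome for traffic that fits neither selector is this example's assumption, not something the scenario states.

```python
"""
Model of the IPsec traffic-selector policy and host routing for the MyCo
branch-office scenario. Added example; not IBM code and not an OS/400
configuration format. It shows which traffic the gateways must protect,
which traffic they pass in the clear, and how tunnel-mode encapsulation
changes the addresses that appear on the Internet.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional

# Values taken from the scenario's Details section.
HR_SUBNET = ip_network("10.6.0.0/16")          # Human Resources (System-A side)
HR_GW_INSIDE = ip_address("10.6.11.1")         # System-A, subnet-facing
HR_GW_PUBLIC = ip_address("204.146.18.227")    # System-A, Internet-facing

FIN_SUBNET = ip_network("10.196.8.0/24")       # Finance (System-C side)
FIN_GW_INSIDE = ip_address("10.196.8.5")       # System-C, subnet-facing
FIN_GW_PUBLIC = ip_address("208.222.150.250")  # System-C, Internet-facing

SITES = (
    ("HR", HR_SUBNET, HR_GW_INSIDE, HR_GW_PUBLIC),
    ("Finance", FIN_SUBNET, FIN_GW_INSIDE, FIN_GW_PUBLIC),
)


def site_of(addr: IPv4Address) -> Optional[str]:
    """Return the name of the department subnet that contains addr, if any."""
    for name, subnet, _, _ in SITES:
        if addr in subnet:
            return name
    return None


@dataclass(frozen=True)
class Decision:
    action: str                       # "protect", "bypass" or "unmatched"
    outer_src: Optional[IPv4Address]  # gateway public addresses when protected
    outer_dst: Optional[IPv4Address]


def classify(src: str, dst: str) -> Decision:
    """Apply the scenario's objectives as a policy lookup on an inner packet."""
    s, d = ip_address(src), ip_address(dst)
    s_site, d_site = site_of(s), site_of(d)
    if s_site and d_site and s_site != d_site:
        # Objective 1: inter-department traffic must go through the tunnel.
        public_gw = {name: pub for name, _, _, pub in SITES}
        return Decision("protect", public_gw[s_site], public_gw[d_site])
    if s_site and s_site == d_site:
        # Objective 2: intranets are trusted, so intra-subnet traffic is not protected.
        return Decision("bypass", None, None)
    # Assumption of this example: traffic matching neither selector gets no
    # IPsec policy here; what the gateway does with it is a separate filter decision.
    return Decision("unmatched", None, None)


def tunnel_mode_headers(src: str, dst: str) -> Optional[dict]:
    """Show the outer/inner addressing of a protected datagram in tunnel mode."""
    dec = classify(src, dst)
    if dec.action != "protect":
        return None
    return {
        "outer": (str(dec.outer_src), str(dec.outer_dst), "ESP"),  # what the Internet sees
        "inner": (src, dst),                                       # carried encrypted
    }


def next_hop(host: str, dst: str) -> Optional[str]:
    """Routing check from the configuration tasks: a host reaching the remote
    subnet must forward to its own gateway's subnet-side address."""
    h, d = ip_address(host), ip_address(dst)
    for _, subnet, inside, _ in SITES:
        if h in subnet:
            if d in subnet:
                return "direct"        # same subnet, no gateway involved
            if site_of(d):
                return str(inside)     # remote department: via the local VPN gateway
    return None


if __name__ == "__main__":
    # Constructed sample hosts: one in each department subnet.
    print(classify("10.6.11.22", "10.196.8.7"))
    print(tunnel_mode_headers("10.6.11.22", "10.196.8.7"))
    print(next_hop("10.6.11.22", "10.196.8.7"))
```

The point worth checking in any real deployment is the same one the model makes explicit: the private inner addresses never appear on the Internet; only the two gateway addresses and ESP are visible, and a host whose default route does not point at its gateway's subnet-side address will never have its traffic enter the tunnel at all.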
Configuration tasks
You must complete each of these tasks to configure the branch office connection described in this scenario.
Before you start these tasks, verify the TCP/IP routing to ensure that the two gateway systems can communicate with each other across the Internet. This also ensures that hosts on each subnet route properly to their respective gateway for access to the remote subnet.
- Completing the planning worksheets
  The planning checklists illustrate the type of information you need before you begin configuring the VPN. All answers on the prerequisite checklist must be YES before you proceed with VPN setup.
- Configuring VPN on System-A
  Complete these tasks to configure System-A.
- Configuring VPN on System-C
  Follow the same steps you used to configure VPN on System-A, changing IP addresses as necessary. Use your planning worksheets for guidance.
- Starting VPN
  After you have configured your VPN connection on System-A and System-C, you need to start your VPN connection.
- Testing a connection
  After you finish configuring both systems and have successfully started the VPN servers, test the connectivity to ensure that the remote subnets can communicate with each other.