Configuring NPF VPN for VIPA

You can allow No Policy Filter (NPF) VPN connections to be applied automatically as preferred interfaces for Virtual IP addresses (VIPA).

Prior to IBM i 7.2, the NPF connection was loaded only against the one line description currently indicated as the local choice for the next hop of the route to the desired destination. This causes problems when Virtual IP addresses are configured, because a VIPA can allow multiple paths to a particular destination.

As of IBM i 7.2, if an NPF connection is being loaded and the local IP address is determined to be a VIPA address, the connection is also loaded against every additional line description that is included in the IP address's preferred local interface list.
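The following is an added illustrative model of the behaviour described above, not IBM i code: it computes which line descriptions an NPF connection is loaded against before and after 7.2, and shows how a host route bound with BINDIFC (option 1 below) collapses the choice to a single line. Interface names, addresses and the routing table are constructed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample interfaces (assumed values, not from a real system).
# A VIPA has line description *VIRTUALIP and a preferred local interface list.
INTERFACES = {
    "192.168.20.103": {"line": "ETHLINE1", "preferred": []},
    "192.168.20.104": {"line": "ETHLINE2", "preferred": []},
    "10.1.1.1": {"line": "*VIRTUALIP",
                 "preferred": ["192.168.20.103", "192.168.20.104"]},
}

def select_route(dest, routes):
    """Longest-prefix match; a *HOST route (/32) beats the default route."""
    d = ip_address(dest)
    candidates = [r for r in routes if d in ip_network(r["dest"])]
    return max(candidates, key=lambda r: ip_network(r["dest"]).prefixlen, default=None)

def npf_lines(dest, routes, os_version):
    """Line descriptions an NPF VPN connection to dest is loaded against."""
    route = select_route(dest, routes)
    if route is None:
        return []
    if route.get("bindifc"):
        # BINDIFC pins the route to one physical interface: a single line.
        return [INTERFACES[route["bindifc"]]["line"]]
    chosen = INTERFACES[route["via"]]["line"]  # current local choice for next hop
    local = INTERFACES[route["local"]]
    if os_version >= 7.2 and local["line"] == "*VIRTUALIP":
        # 7.2+: also every line in the VIPA's preferred local interface list.
        return sorted({chosen} | {INTERFACES[p]["line"] for p in local["preferred"]})
    return [chosen]

# Constructed routing table: default route whose local address is the VIPA,
# currently reaching the next hop through the interface on ETHLINE1.
ROUTES = [{"dest": "0.0.0.0/0", "nexthop": "192.168.20.86",
           "local": "10.1.1.1", "via": "192.168.20.103"}]

# Effect of the host route from option 1 (ADDTCPRTE ... SUBNETMASK(*HOST) BINDIFC(...)).
HOST_ROUTE = {"dest": "129.42.160.16/32", "nexthop": "192.168.20.86",
              "local": "192.168.20.103", "via": "192.168.20.103",
              "bindifc": "192.168.20.103"}

if __name__ == "__main__":
    gw = "129.42.160.16"
    print("pre-7.2:", npf_lines(gw, ROUTES, 7.1))                # ['ETHLINE1']
    print("7.2+:   ", npf_lines(gw, ROUTES, 7.2))                # ['ETHLINE1', 'ETHLINE2']
    print("bound:  ", npf_lines(gw, ROUTES + [HOST_ROUTE], 7.2))  # ['ETHLINE1']
```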

If the VPN configured for NPF does not work with a particular VIPA address, perform one of the following three options:

NOTE: The following example is specific to VPN configurations for IBM Universal Care connectivity. In this example the IP address of the IBM Gateway is 129.42.160.16.

  1. Define a host route for each of the two IBM VPN gateways that binds the route to one particular local interface, for example:
    ADDTCPRTE RTEDEST('129.42.160.16') SUBNETMASK(*HOST) NEXTHOP('192.168.20.86') BINDIFC('192.168.20.103')
  2. Disable all but one local interface that uses the VIPA.
  3. Alter the VPN connection group to predefine filter rules for the VPN connection (for eCare the group names are QIBM01VPN1 and QIBM01VPN2). To do this, perform the following.
    1. In IBM Navigator for i, expand Network > IP Policies. Click Secure Connections.
    2. Right-click All connections, and select Open.
    3. Right-click the profile with the modified IP address and select Group Properties.
    4. In the Connections tab, verify Generate the following policy filter for this group is selected. Click Edit.
    5. In the Local Addresses tab, select Any IP Version 4 Address for the Identifier type.
    6. In the Remote Addresses tab, enter the VPN endpoint for the Identifier.
    7. In the Services tab, enter 1701 for the Local port and the Remote port. Select UDP for the Protocol. Click OK.
    8. In the Interfaces tab, select the interfaces that will be communicating to the IBM VPN Gateway address. Click OK.
    9. Activate the rule by expanding Network > IP Policies.
    10. Click Packet Rules to open the Packet Rules panel and click Actions > Activate Rules. This opens the Activate Packet Rules panel.
    11. Select Activate only the VPN generated rules, and select Activate these rules on all interfaces and all point-to-point filter identifiers. Click OK.