Steps for configuring the branch office model: Part 2 (gateway-to-gateway with IPSec)
The branch office model part 2 is similar to the branch office model part 1. Here, there are multiple data endpoints on both the local side and the remote side, but only one pair of security endpoints, one local and one remote.
Before you begin
It is not likely that the z/OS® system will function strictly as a router or a firewall at the network perimeter, but it is possible to configure the z/OS system to provide the IPSec functionality that many secure gateway devices provide. This topic includes instructions on how to configure a scenario in which the z/OS system is routing network traffic from inside the internal network. This functionality is similar to the functionality that is provided by the branch office gateway in Steps for configuring the branch office model: Part 1 (host-to-gateway with IPSec). Here, there are multiple data endpoints on both the local side and the remote side, but only one pair of security endpoints, one local and one remote.
In this example, assume that the local z/OS system is acting as a secure gateway for hosts on an internal network A, and tunneling the IPSec-protected traffic to a remote secure gateway for subnetwork C. The following list summarizes the requirements for this example:
- Permit IKE negotiations between the two security gateways, the secure local host and the secure remote gateway for subnetwork C.
- Permit traffic from the internal network to the internal interface on the secure local host.
- Add IPSec protection to any traffic that flows between the two secure gateways.
In this scenario, the z/OS system is a secure forwarding agent for the internal hosts, rather than a data endpoint. Traffic from the internal hosts that is destined for the remote network first comes to the secure local gateway in the clear. Before it is sent out to the remote network, it is IPSec encapsulated. The process is reversed for traffic that comes from the remote network. Traffic that comes from the remote network to the local secure gateway is IPSec decapsulated on the local secure host and forwarded to the internal host in the clear.
Procedure
Perform the following steps to meet the above requirements and configure part 2 of the branch office model.