Troubleshooting
Problem
Problem: A user wants an iSeries to connect to IBM with the STRRMTSPT *VPN command, but does not want the iSeries to connect directly to the Internet. Instead, an intermediate device is to act as a "proxy" for the VPN connection. Symptoms: Time-out when connecting to IBM with the STRRMTSPT *VPN command.
Resolving The Problem
Diagnosing the problem
A user wants to access IBM via STRRMTSPT *VPN in the following type of environment.

Because the iSeries cannot connect directly to the IBM VPN gateway addresses, it must send the request to the "proxy" device. With the IP addresses added, the layout is shown below.

For the iSeries to initiate the VPN to the "proxy" device (a device that rewrites the packet before it leaves the company intranet), the following changes are needed.
Note: The "proxy" device performs destination NAT (DNAT): it replaces the destination IP address of packets addressed to itself with the real IBM VPN gateway address, which in this case is 129.42.160.16.
Resolving the problem
1) Delete the current service configuration.
DLTSRVCFG DLTCMNCFG(*YES)
2) Back up the file QTOCcit.fil in the directory /qibm/UserData/OS400/UniversalConnection. In the example below, QTOCcit.fil.bak is created as a backup of QTOCcit.fil.
CPY OBJ('/qibm/UserData/OS400/UniversalConnection/QTOCcit.fil')
TOOBJ('/qibm/UserData/OS400/UniversalConnection/QTOCcit.fil.bak')
3) Open QTOCcit.fil in edit mode.
EDTF STMF('/qibm/UserData/OS400/UniversalConnection/QTOCcit.fil')
4) In edit mode, find the country and/or state entries that you want to modify. In this scenario we change the entries for state code MN, so we search for STATE_CODE=MN.
Edit File: /qibm/UserData/OS400/UniversalConnection/QTOCcit.fil
Record : 1 of 1233 by 10          Column : 1 519 by 126
Control :
STATE_CODE=MN
CMD ....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+....9....+....0....+....1....+....2....+..
    ************Beginning of data**************
    QTOCREC VERSION=18
    QTOCREC APP_ID=*ECS COUNTRY_CODE=*WH STATE_CODE= ACT_NAME=SHUSS USERID=ECCUS IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=*EH STATE_CODE= ACT_NAME=SHUSS USERID=ECCUS IP_ADDR/SUBNET_MASK=198.74.67.241/255.255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AF STATE_CODE= ACT_NAME=GBIBMECC USERID=IBMECC01 IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AL STATE_CODE= ACT_NAME=GBIBMECC USERID=IBMECC01 IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=DZ STATE_CODE= ACT_NAME=GBIBMECC USERID=IBMECC01 IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AS STATE_CODE= ACT_NAME=AUAPB USERID=AUECCB IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AD STATE_CODE= ACT_NAME=GBIBMECC USERID=IBMECC01 IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AO STATE_CODE= ACT_NAME=GBIBMECC USERID=IBMECC01 IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AI STATE_CODE= ACT_NAME=SHUSS USERID=ECCUS IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255 I
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AQ STATE_CODE= ACT_NAME=SHUSS USERID=ECCUS IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255 I
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AG STATE_CODE= ACT_NAME=SHUSS USERID=ECCUS IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255 I
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AR STATE_CODE= ACT_NAME=SHUSS USERID=ECCUS IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255 I
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AM STATE_CODE= ACT_NAME=GBIBMECC USERID=IBMECC01 IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AW STATE_CODE= ACT_NAME=SHUSS USERID=ECCUS IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255 I
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AU STATE_CODE= ACT_NAME=AUAPA USERID=AUECCA IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255.255
    QTOCREC APP_ID=*ECS COUNTRY_CODE=AT STATE_CODE= ACT_NAME=GBIBMECC USERID=IBMECC01 IP_ADDR/SUBNET_MASK=198.74.71.241/255.255.255
F2=Save  F3=Save/Exit  F12=Exit  F15=Services  F16=Repeat find  F17=Repeat change  F19=Left  F20=Right
5) Once a matching record is found, modify the first VPN_GATEWAY_IP_ADDR/SUBNET_MASK field on that record. Press F20 to scroll right until the field is visible. In our example we change 207.25.252.196/255.255.255.255 to the address of the "proxy" device, so the field becomes VPN_GATEWAY_IP_ADDR/SUBNET_MASK=169.168.1.1/255.255.255.255.
Keep searching for STATE_CODE=MN (F16 repeats the find), because there may be more than one matching record. For each record found, change the first VPN_GATEWAY_IP_ADDR/SUBNET_MASK field to the address of the "proxy" device.
Edit File: /qibm/UserData/OS400/UniversalConnection/QTOCcit.fil
Record : 267 of 1233 by 10          Column : 379 515 by 126
Control :
STATE_CODE=MN
CMD .8....+....9....+....0....+....1....+....2....+....3....+....4....+....5....+....6....+....7....+....8....+....9....+....0....+
    S_SHIPPED=U VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.25
    S_SHIPPED=S VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.25
F2=Save  F3=Save/Exit  F12=Exit  F15=Services  F16=Repeat find  F17=Repeat change  F19=Left  F20=Right
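The following Python script is an added example written for this page; it is not IBM code and not part of the original document. It carries out steps 2 to 5 on a plain-text copy of QTOCcit.fil: it backs the file up to QTOCcit.fil.bak, selects every QTOCREC record whose COUNTRY_CODE and STATE_CODE match, and rewrites only the first VPN_GATEWAY_IP_ADDR/SUBNET_MASK field of each, leaving the second gateway field and all other records untouched. It reports which address it replaced on each record so you can check it against the address the "proxy" device is configured to DNAT to. The record layout (one record per line, space-separated KEY=VALUE fields, the gateway key appearing twice) is inferred from the EDTF screens above; the sample records are constructed and shortened, the proxy address 169.168.1.1 is the one used in the text, and reading the file as plain text off the system is an assumption.

```python
"""Retarget QTOCcit.fil records for one country/state to a DNAT "proxy" device.

Added example, not IBM code. Performs steps 2 to 5 of the procedure on a
plain-text copy of QTOCcit.fil: back up the file, select every QTOCREC line
whose COUNTRY_CODE and STATE_CODE match, and replace only the FIRST
VPN_GATEWAY_IP_ADDR/SUBNET_MASK value on that line with the proxy address.
Assumed record layout: one record per line, space-separated KEY=VALUE fields.
"""
import re
import shutil
from pathlib import Path

GATEWAY_KEY = "VPN_GATEWAY_IP_ADDR/SUBNET_MASK"
PROXY_IP = "169.168.1.1"  # the "proxy" device address used in the text

# One KEY=VALUE field; values in this file contain no spaces.
FIELD_RE = re.compile(r"(\S+?)=(\S*)")
# A gateway field: key, dotted-quad address, then the mask up to the next space.
GATEWAY_RE = re.compile(re.escape(GATEWAY_KEY) + r"=(\d{1,3}(?:\.\d{1,3}){3})/\S+")

# Constructed, shortened sample: the version record, two US/MN records and
# one US/WI record that must be left alone.
SAMPLE = (
    "QTOCREC VERSION=18\n"
    "QTOCREC APP_ID=*ECS COUNTRY_CODE=US STATE_CODE=MN ACT_NAME=SHUSS USERID=ECCUS "
    "IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255 S_SHIPPED=S "
    "VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 "
    "VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255\n"
    "QTOCREC APP_ID=*ECS COUNTRY_CODE=US STATE_CODE=MN ACT_NAME=SHUSS USERID=ECCUS "
    "IP_ADDR/SUBNET_MASK=198.74.67.241/255.255.255.255 S_SHIPPED=S "
    "VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255 "
    "VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255\n"
    "QTOCREC APP_ID=*ECS COUNTRY_CODE=US STATE_CODE=WI ACT_NAME=SHUSS USERID=ECCUS "
    "IP_ADDR/SUBNET_MASK=198.74.67.240/255.255.255.255 S_SHIPPED=S "
    "VPN_GATEWAY_IP_ADDR/SUBNET_MASK=207.25.252.196/255.255.255.255 "
    "VPN_GATEWAY_IP_ADDR/SUBNET_MASK=129.42.160.16/255.255.255.255\n"
)


def fields(line):
    """KEY=VALUE pairs of one record in file order; the gateway key repeats."""
    return FIELD_RE.findall(line)


def selects(line, country, state):
    """True for a QTOCREC data record with the given COUNTRY_CODE and STATE_CODE."""
    if not line.startswith("QTOCREC "):
        return False
    f = dict(fields(line))  # the selector keys occur once per record
    return f.get("COUNTRY_CODE") == country and f.get("STATE_CODE") == state


def retarget_line(line, proxy_ip, mask="255.255.255.255"):
    """Replace only the first gateway field (step 5). Returns (new_line, replaced_ip)."""
    m = GATEWAY_RE.search(line)
    if m is None:
        return line, None  # no gateway field on this record, e.g. the VERSION line
    new_field = f"{GATEWAY_KEY}={proxy_ip}/{mask}"
    return line[: m.start()] + new_field + line[m.end():], m.group(1)


def retarget(text, country, state, proxy_ip=PROXY_IP):
    """Apply retarget_line to every selected record.

    Returns (new_text, changes); changes lists (line_number, replaced_ip) so the
    operator can compare the replaced address with the one the proxy device is
    configured to DNAT to (the real gateway entered in step 7).
    """
    out, changes = [], []
    for n, line in enumerate(text.splitlines(keepends=True), start=1):
        if selects(line, country, state):
            line, replaced = retarget_line(line, proxy_ip)
            if replaced is not None:
                changes.append((n, replaced))
        out.append(line)
    return "".join(out), changes


def rewrite_file(path, country, state, proxy_ip=PROXY_IP):
    """Step 2 (copy to <name>.bak) followed by steps 4 and 5 on the file in place."""
    src = Path(path)
    shutil.copy2(src, src.with_name(src.name + ".bak"))
    new_text, changes = retarget(src.read_text(), country, state, proxy_ip)
    src.write_text(new_text)
    return changes


if __name__ == "__main__":
    new_text, changes = retarget(SAMPLE, "US", "MN")
    for n, replaced in changes:
        print(f"line {n}: first gateway {replaced} -> {PROXY_IP}")
    print(new_text, end="")
```

Run as-is, the script works on the constructed SAMPLE and prints the two rewritten MN records. To use it on a real copy, call rewrite_file("QTOCcit.fil", "US", "MN") in a directory holding a text copy of the file, then copy the result back to /qibm/UserData/OS400/UniversalConnection before running CRTSRVCFG in step 6. If a reported replaced address is not the one your "proxy" device translates to, check the proxy's DNAT configuration before continuing with step 7.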
6) After completing step 5, create the service configuration, specifying the country and state that you modified in step 5.
CRTSRVCFG ROLE(*PRIMARY)
CNNTYPE(*DIRECT)
CNTRYID(US)
STATE(MN)
7) Open iSeries Navigator and select the system under My Connections. From the system, go to Network-->Remote Access Services-->Originator Connection Profiles. In the right pane, select QVPN01IBM1, right-click it, and select Properties. On the Properties screen, click the Connections tab. The IP address of the "proxy" device should appear here; if it does not, use QVPN01IBM2 instead. Change the Remote Tunnel Endpoint IP Address to the real IBM gateway address, either 129.42.160.16 or 207.25.252.196, depending on which address the "proxy" device is configured to translate to. The "proxy" device rewrites the destination to the real address; use that real address here.
Before

After

8) From iSeries Navigator again, from the system name, go to Network-->IP Policies-->Virtual Private Networking-->Secure Connections-->All Connections. In the right pane, right-click either QVPN01IBM1:L1 or QVPN01IBM2:L1, depending on which profile was selected in the previous step. For example, if QVPN01IBM1 was selected in step 7, select QVPN01IBM1:L1 here. Right-click the profile and select Properties. The General tab should show the IP address of the "proxy" device under Remote Key Server. Go to the Remote Addresses tab and enter the real VPN gateway IP address, the same address used in step 7.
General tab

Remote Addresses tab

9) After completing step 8, from Network-->IP Policies-->Virtual Private Networking-->Secure Connections-->All Connections, right-click either QVPN01IBM1:L1 or QVPN01IBM2:L1, depending on which was used in step 8. Select Group Properties. Click the Connections tab.
On that tab, verify that a policy filter exists with the following values. If it does not, click the Edit button and add them.
| Local Addresses | Remote Address | Local Ports | Remote Ports | Protocols |
| Any IP Version 4 Address | 129.42.160.16 or 207.25.252.196, whichever was chosen at the start of this exercise | 1701 | 1701 | UDP |

10) After completing step 9, click the Interfaces tab. Make sure Apply This Group is selected for the desired interface. If the interface also carries regular traffic, make sure Permit Non-VPN Traffic - IPV4 is selected. If IPv6 is in use, select Permit Non-VPN Traffic - IPV6 as well.

11) Finally, activate the VPN packet rules. From Network-->IP Policies, right-click Packet Rules and select Activate Rules. Select Activate only the VPN generated rules and Activate These Rules On All Interfaces And All Point-To-Point Filter Identifiers. Click OK, and the configuration is complete.

Historical Number
669742466
Document Information
Modified date:
18 December 2019
UID
nas8N1010392