"conduit permit esp host outside_ip_address host IBMsrv"
"conduit permit udp host outside_ip_address eq isakmp host IBMsrv"
I don't know how a little company like ours gets on the bleeding edge of _anything_ but here we go again.
We spent many months getting the IBM Universal Connection ("UC") working. Had an open call with Rochester and talked many times to "Shawn" who was, and still is, extremely helpful. The UC was fairly new, our setup wasn't directly addressed, but after some real improvements on IBM's part, we got it going.
We recently installed a Cisco PIX firewall, also using it for VPN. Worked great. I can VPN in from home from the laptop or desktop via the Cisco VPN Client and can see the LAN, etc, etc, etc. But at that point the UC quit working. That was because IBM did not yet have the ability to do a direct connect through a firewall.
Now they do. The Router Guy came in, redirected a couple ports per IBM instructions, and lo and behold, the UC now works. And immediately, I could no longer connect via the VPN Client.
What is happening is one of the redirected ports is IPsec. The PIX is waiting for that piece of the transaction, but it has already forwarded it to the iSeries, so it never completes the VPN connection. (As I understand it. I know only enough to be dangerous in this area.)
I called Rochester and talked to Shawn. He indicated there would probably be no Knowledge Base Docs as this is too new (Oh thanks. <g>) He offered two suggestions for the PIX config: 1) Treat incoming and outgoing differently, as the UC connections originate in the iSeries while VPN Client connections originate from outside, or 2) redirect those ports mentioned earlier to the iSeries _only_ if the incoming traffic is from IBM Boulder. He thought option 2 was better.
I'm posting this because the Router Guy costs $125/hr in 15-minute increments and I'd like to have something to suggest to him before he starts. <g> Anybody already done this?
Thanks.
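An added example of what Shawn's option 2 could look like on a PIX using the conduit syntax quoted at the top of this page. This is not configuration from the original post, from IBM's instructions, or from Cisco; the addresses are placeholders (203.0.113.10 for a spare outside address given to the iSeries, 10.0.0.5 for the iSeries on the inside, 198.51.100.20 standing in for IBM Boulder's gateway), and the access-list name uc_in is made up.

```cisco
! Added example, not from the original post or IBM's instructions.
! Placeholders: 203.0.113.10 = spare outside (global) address for the iSeries,
! 10.0.0.5 = iSeries on the inside, 198.51.100.20 = IBM Boulder's gateway.
! The PIX keeps terminating the VPN Client on its own outside interface
! address; nothing below touches that address.

! Map a spare outside address one-to-one to the iSeries. ESP carries no port,
! so a port redirect on the interface address cannot tell the iSeries' IPsec
! apart from the PIX's own; a separate global address can.
static (inside,outside) 203.0.113.10 10.0.0.5 netmask 255.255.255.255 0 0

! Let only IBM Boulder reach that address with IKE (udp/500) and ESP.
! conduit order: global address first, then the permitted foreign source.
conduit permit udp host 203.0.113.10 eq isakmp host 198.51.100.20
conduit permit esp host 203.0.113.10 host 198.51.100.20

! Same policy written as an access-list instead of conduits (on PIX 6.x the
! ACL names the translated, i.e. global, address as the destination).
! Use one style or the other on an interface, not both.
access-list uc_in permit udp host 198.51.100.20 host 203.0.113.10 eq isakmp
access-list uc_in permit esp host 198.51.100.20 host 203.0.113.10
access-group uc_in in interface outside
```

The point of the spare address is that the VPN Client still talks IKE and ESP to the PIX's own outside interface, which is untouched, while IBM's traffic lands on a different address that is translated straight to the iSeries and is reachable only from IBM's source address. After applying it, `show xlate` should list the static, and `show conduit` or `show access-list` (which carries hit counts) should show matches only when the UC is active. If IBM's connection uses NAT traversal, udp/4500 would need the same treatment as udp/500; the post does not say whether it does.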
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].