I don't recall the details, but IPSEC passthru is flaky.  Part of the reason
is that IPSEC requires unmodified packets to ensure validity.  Well, when
going through a NAT device, packets are modified, which breaks IPSEC.

I ASSUME passthru handles NAT via passing along the packets either
encapsulated or in their correct form and remembers in a table of some sort
how to handle the connection.  Just a theory.

Main point though is that I read repeatedly how IPSEC passthru is flaky.
----- Original Message ----- 
From: "Walden H. Leverich" <WaldenL@xxxxxxxxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Monday, March 01, 2004 12:02 PM
Subject: RE: AS/400 to IBM connection NOT thru line modems


> Nope, last I knew IPSEC passthrough and multi-hop were not the same
> thing. IIRC, it's certain models of Nortel equipment and maybe some
> high-end Ciscos that supported it. IBM wasn't really clear on the
> issue.
>
> -Walden
>
>
> ------------
> Walden H Leverich III
> President & CEO
> Tech Software
> (516) 627-3800 x11
> (208) 692-3308 eFax
> WaldenL@xxxxxxxxxxxxxxx
> http://www.TechSoftInc.com
>
> Quiquid latine dictum sit altum viditur.
> (Whatever is said in Latin seems profound.)
>
> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Vern Hamberg
> Sent: Monday, March 01, 2004 11:38 AM
> To: Midrange Systems Technical Discussion
> Subject: RE: AS/400 to IBM connection NOT thru line modems
>
> We use the LinkSys VPN router. It has settings to enable IPSEC
> passthrough
> and PPTP passthrough. So do you think that I can set the multihop
> external
> address to that of the router and this should work? The setting is for
> going through another system or LPAR - that sounds like an iSeries that
> is
> live on the Internet. It talks about using a box of some kind on which
> you've set up a connection to IBM.
>
> Would I use the public address of the LinkSys, or the internal one?
>
> Hoping for some fun.
>
> Vern
>
> At 09:45 AM 3/1/2004 -0500, you wrote:
> > >Sort of a horrible requirement not to have it behind a firewall.
> >
> >Technically not a requirement.
> >
> >_IF_ you have a firewall/NAT device that is capable of "L2TP Multihop"
> >it's possible to set up the VPN connection from within the internal
> >network. Technically there is one connection from your iSeries to your
> >firewall and another from the firewall (which has a public IP) to IBM.
> >Of course, almost no one has one of these firewalls. <G>
> >
> >IIRC from beta days, this has to do with IBM's decision to use IPSEC
> >and L2TP and not PPTP as the VPN protocol. Since the IP address of the
> >sender (your iSeries) is embedded in the output packet and the entire
> >packet is encrypted there is no way to "fix" the IP address w/o
> >corrupting the outbound packet. Personally I find PPTP "secure enough"
> >at 128-bit encryption to transfer PTFs and phone-home so I think it was
> >a silly decision on Rochester's part. However, I'm not sure they have a
> >choice. It wouldn't surprise me to know that IBM network security won't
> >allow any VPN connection other than IPSEC/L2TP.
> >
> >-Walden
> >
> >
> >------------
> >Walden H Leverich III
> >President & CEO
> >Tech Software
> >(516) 627-3800 x11
> >(208) 692-3308 eFax
> >WaldenL@xxxxxxxxxxxxxxx
> >http://www.TechSoftInc.com
> >
> >Quiquid latine dictum sit altum viditur.
> >(Whatever is said in Latin seems profound.)
> >
> >-----Original Message-----
> >From: midrange-l-bounces@xxxxxxxxxxxx
> >[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Adam Lang
> >Sent: Monday, March 01, 2004 9:03 AM
> >To: Midrange Systems Technical Discussion
> >Subject: Re: AS/400 to IBM connection NOT thru line modems
> >
> >Sort of a horrible requirement not to have it behind a firewall.
> >
> >----- Original Message -----
> >From: "Vern Hamberg" <vhamberg@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
> >Sent: Sunday, February 29, 2004 7:09 PM
> >Subject: Re: AS/400 to IBM connection NOT thru line modems
> >
> >
> > > If your release of OS400 is fairly recent (at least V5R1?) and your
> >AS/400
> > > is directly attached to the Internet (i.e., not behind a firewall),
> or
> > > there is another 400 that is outside the firewall and is addressable
> >from
> > > the Internet, there is a Universal Connection setup in Ops Nav that
> >can
> >use
> > > the Internet. A VPN session gets started with some IBM server. Also,
> I
> > > don't know about Espana.
> > >
> > > HTH
> > > Vern
> >
> >_______________________________________________
> >This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing
> >list
> >To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> >To subscribe, unsubscribe, or change list options,
> >visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> >or email: MIDRANGE-L-request@xxxxxxxxxxxx
> >Before posting, please take a moment to review the archives
> >at http://archive.midrange.com/midrange-l.

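The mechanism this thread circles (a NAT rewrites the source address, the IPsec integrity check covers that address, so the packet arrives "corrupted" and the NAT cannot repair it without the key) as an added worked example; this is not code from any poster, from IBM's Universal Connection, or from any router's passthrough implementation. It uses a simplified AH-style HMAC-SHA1-96 over a hand-built IPv4 header; the key, addresses and L2TP payload are constructed for the demo. AH covers the source address directly; transport-mode ESP carrying L2TP breaks for the related reason that the UDP checksum inside the encrypted payload covers the addresses through the pseudo-header, so a NAT cannot fix that either. The third case goes beyond the thread: UDP-encapsulating the protected packet, which RFC 3948 later standardized as IPsec NAT-Traversal, leaves only an outer header for the NAT to rewrite.

```python
# Added example: why a NAT rewrite invalidates an IPsec integrity check, and why
# UDP-encapsulating the protected packet (the approach RFC 3948 standardized as
# NAT-Traversal) survives it. Simplified AH-style ICV (RFC 2402/2404) over a
# hand-built IPv4 header; key, addresses and payload are constructed for the demo.
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key-not-a-real-sa"  # real IPsec keys come from IKE, not a constant
ICV_LEN = 12                                  # HMAC-SHA1-96 per RFC 2404
NAT_T_PORT = 4500                             # UDP port used by RFC 3948 encapsulation


def ip_checksum(hdr: bytes) -> int:
    """One's-complement checksum over an IPv4 header; returns 0 for a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def set_checksum(hdr: bytes) -> bytes:
    """Recompute the header checksum field (bytes 10-11) of a 20-byte IPv4 header."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    return zeroed[:10] + struct.pack("!H", ip_checksum(zeroed)) + zeroed[12:]


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal IPv4 header: ver/ihl, tos, total len, id, flags/frag, ttl, proto, csum, src, dst."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return set_checksum(hdr)


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """RFC 2402: zero the mutable fields (TOS, flags/fragment offset, TTL, checksum)
    before computing the ICV. Source and destination addresses are not mutable, so
    they are covered by the ICV: that is exactly what a NAT changes."""
    return (ip_hdr[0:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00" + b"\x00"
            + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])


def ah_icv(ip_hdr: bytes, payload: bytes, key: bytes = KEY) -> bytes:
    mac = hmac.new(key, ah_immutable_view(ip_hdr) + payload, hashlib.sha1).digest()
    return mac[:ICV_LEN]


def ah_verify(ip_hdr: bytes, icv: bytes, payload: bytes, key: bytes = KEY) -> bool:
    return hmac.compare_digest(icv, ah_icv(ip_hdr, payload, key))


def nat_rewrite_src(ip_hdr: bytes, public_src: str) -> bytes:
    """What the NAT/firewall does on the way out: swap the private source address
    for its public one and repair the IP header checksum. It cannot repair the
    ICV because it does not hold the integrity key."""
    return set_checksum(ip_hdr[:12] + socket.inet_aton(public_src) + ip_hdr[16:])


def udp_encapsulate(outer_src: str, outer_dst: str, inner_hdr: bytes, icv: bytes, payload: bytes):
    """Wrap the AH-protected packet in a fresh IP/UDP header. Only the outer header
    is visible to the NAT; the protected inner packet travels as opaque UDP data."""
    inner = inner_hdr + icv + payload
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(inner), 0) + inner
    return build_ipv4(outer_src, outer_dst, 17, len(udp)), udp


def udp_decapsulate(udp: bytes):
    """Strip the 8-byte UDP header and split the inner packet back into its parts."""
    inner = udp[8:]
    return inner[:20], inner[20:20 + ICV_LEN], inner[20 + ICV_LEN:]


def demo() -> dict:
    """Three deliveries of the same L2TP-carrying packet from a private iSeries
    (10.0.0.5, constructed) to a remote VPN endpoint (203.0.113.9, constructed)."""
    payload = b"L2TP control message (constructed)"
    hdr = build_ipv4("10.0.0.5", "203.0.113.9", 17, len(payload))
    icv = ah_icv(hdr, payload)

    # 1. Directly attached to the Internet, no NAT in the path: verifies.
    direct_ok = ah_verify(hdr, icv, payload)

    # 2. Behind a NAT: source address rewritten to the public IP; the ICV now fails.
    natted = nat_rewrite_src(hdr, "198.51.100.1")
    after_nat_ok = ah_verify(natted, icv, payload)

    # 3. UDP-encapsulated: the NAT rewrites only the outer header, inner stays intact.
    outer, udp = udp_encapsulate("10.0.0.5", "203.0.113.9", hdr, icv, payload)
    outer = nat_rewrite_src(outer, "198.51.100.1")
    inner_hdr, inner_icv, inner_payload = udp_decapsulate(udp)
    encap_after_nat_ok = ah_verify(inner_hdr, inner_icv, inner_payload)

    return {"direct": direct_ok, "after_nat": after_nat_ok,
            "encapsulated_after_nat": encap_after_nat_ok,
            "outer_checksum_valid": ip_checksum(outer) == 0}


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} {'PASS' if ok else 'FAIL'}")
```

Run it directly to see the three cases side by side; `demo()` returns the results as a dict so they can also be checked programmatically. The point to take away is in case 2: the NAT can keep the IP header checksum consistent because that checksum is keyless, but it cannot touch the keyed ICV, which is why a plain NAT in the path breaks IPsec and why the fix has to be either a device that terminates the tunnel itself (the multihop arrangement discussed above) or an encapsulation the NAT never needs to look inside.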


This mailing list archive is Copyright 1997-2022 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
