I don't recall the details, but IPSEC passthru is flaky. Part of the reason is that IPSEC requires unmodified packets to ensure validity. Well, when going through a NAT device, packets are modified, which breaks IPSEC. I ASSUME passthru handles NAT via passing along the packets either encapsulated or in their correct form and remembers in a table of some sort how to handle the connection. Just a theory. Main point though is that I read repeatedly how ipsec passthru is flaky.

----- Original Message -----
From: "Walden H. Leverich" <WaldenL@xxxxxxxxxxxxxxx>
To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
Sent: Monday, March 01, 2004 12:02 PM
Subject: RE: AS/400 to IBM connection NOT thru line modems

> Nope, last I knew IPSEC passthrough and multi-hop were not the same
> thing. IIRC, it's certain models of Nortel equipment and maybe some
> high-end Cisco's that supported it. IBM wasn't really clear on the
> issue.
>
> -Walden
>
> ------------
> Walden H Leverich III
> President & CEO
> Tech Software
> (516) 627-3800 x11
> (208) 692-3308 eFax
> WaldenL@xxxxxxxxxxxxxxx
> http://www.TechSoftInc.com
>
> Quiquid latine dictum sit altum viditur.
> (Whatever is said in Latin seems profound.)
>
> -----Original Message-----
> From: midrange-l-bounces@xxxxxxxxxxxx
> [mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Vern Hamberg
> Sent: Monday, March 01, 2004 11:38 AM
> To: Midrange Systems Technical Discussion
> Subject: RE: AS/400 to IBM connection NOT thru line modems
>
> We use the LinkSys VPN router. It has settings to enable IPSEC passthrough
> and PPTP passthrough. So do you think that I can set the multihop external
> address to that of the router and this should work? The setting is for
> going through another system or LPAR - that sounds like an iSeries that is
> live on the Internet. It talks about using a box of some kind on which
> you've set up a connection to IBM.
>
> Would I use the public address of the LinkSys, or the internal one?
>
> Hoping for some fun.
>
> Vern
>
> At 09:45 AM 3/1/2004 -0500, you wrote:
>
> >Sort of a horrible requirement not to have it behind a firewall.
> >
> >Technically not a requirement.
> >
> >_IF_ you have a firewall/NAT device that is capable of "L2TP Multihop"
> >it's possible to setup the VPN connection from within the internal
> >network. Technically there is one connection from your iSeries to your
> >firewall and another from the firewall (which has a public IP) to IBM.
> >Of course, almost no one has one of these firewalls. <G>
> >
> >IIRC from beta days, this has to do with IBM's decision to use IPSEC and
> >L2TP and not PPTP as the VPN protocol. Since the IP address of the
> >sender (your iSeries) is embedded in the output packet and the entire
> >packet is encrypted there is no way to "fix" the IP address w/o
> >corrupting the outbound packet. Personally I find PPTP "secure enough"
> >at 128-bit encryption to transfer PTFs and phone-home so I think it was
> >a silly decision on Rochester's part. However, I'm not sure they have a
> >choice. It wouldn't surprise me to know that IBM network security won't
> >allow any VPN connection other than IPSEC/L2TP.
> >
> >-Walden
> >
> >------------
> >Walden H Leverich III
> >President & CEO
> >Tech Software
> >(516) 627-3800 x11
> >(208) 692-3308 eFax
> >WaldenL@xxxxxxxxxxxxxxx
> >http://www.TechSoftInc.com
> >
> >Quiquid latine dictum sit altum viditur.
> >(Whatever is said in Latin seems profound.)
> >
> >-----Original Message-----
> >From: midrange-l-bounces@xxxxxxxxxxxx
> >[mailto:midrange-l-bounces@xxxxxxxxxxxx] On Behalf Of Adam Lang
> >Sent: Monday, March 01, 2004 9:03 AM
> >To: Midrange Systems Technical Discussion
> >Subject: Re: AS/400 to IBM connection NOT thru line modems
> >
> >Sort of a horrible requirement not to have it behind a firewall.
> >
> >----- Original Message -----
> >From: "Vern Hamberg" <vhamberg@xxxxxxxxxxxxxxxxxxxxxxxxx>
> >To: "Midrange Systems Technical Discussion" <midrange-l@xxxxxxxxxxxx>
> >Sent: Sunday, February 29, 2004 7:09 PM
> >Subject: Re: AS/400 to IBM connection NOT thru line modems
> >
> > > If your release of OS400 is fairly recent (at least V5R1?) and your AS/400
> > > is directly attached to the Internet (i.e., not behind a firewall), or
> > > there is another 400 that is outside the firewall and is addressable from
> > > the Internet, there is a Universal Connection setup in Ops Nav that can use
> > > the Internet. A VPN session gets started with some IBM server. Also, I
> > > don't know about Espana.
> > >
> > > HTH
> > > Vern
> >
> >_______________________________________________
> >This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> >To post a message email: MIDRANGE-L@xxxxxxxxxxxx
> >To subscribe, unsubscribe, or change list options,
> >visit: http://lists.midrange.com/mailman/listinfo/midrange-l
> >or email: MIDRANGE-L-request@xxxxxxxxxxxx
> >Before posting, please take a moment to review the archives
> >at http://archive.midrange.com/midrange-l.
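Added example, not part of the original thread: a simplified Python model of what the messages above describe, showing how a NAT source-address rewrite affects plain UDP, an AH-style integrity check, and ESP transport mode carrying L2TP (UDP port 1701). The key, addresses and payload are constructed, the AH input is reduced to the two addresses plus the segment, and ESP encryption is omitted because the point is only that the NAT cannot read or patch the inner checksum.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"  # constructed shared secret
INSIDE, PUBLIC, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.20"  # constructed

def ip(a):
    return ipaddress.ip_address(a).packed

def icv(data):
    """HMAC-SHA1-96, the truncated MAC form used for AH/ESP integrity."""
    return hmac.new(KEY, data, hashlib.sha1).digest()[:12]

def udp_checksum(src, dst, segment):
    """RFC 768 checksum: pseudo-header (addresses, proto 17, length) + segment."""
    data = ip(src) + ip(dst) + struct.pack("!BBH", 0, 17, len(segment)) + segment
    data += b"\0" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def udp_segment(src, dst, body, sport=1701, dport=1701):
    """Build a UDP segment whose checksum is bound to the src/dst addresses."""
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(body), 0)
    csum = udp_checksum(src, dst, hdr + body)
    return hdr[:6] + struct.pack("!H", csum) + body

def udp_valid(src, dst, segment):
    """Receiver check: summing the segment with its checksum in place gives 0."""
    return udp_checksum(src, dst, segment) == 0

def nat_outcomes(body=b"constructed L2TP payload"):
    seg = udp_segment(INSIDE, PEER, body)
    # 1. Plain UDP: the NAT sees the header and recomputes the checksum.
    patched = udp_segment(PUBLIC, PEER, body)
    plain_ok = udp_valid(PUBLIC, PEER, patched)
    # 2. AH (simplified): the ICV covers the source address the NAT rewrites.
    ah_tag = icv(ip(INSIDE) + ip(PEER) + seg)
    ah_ok = hmac.compare_digest(ah_tag, icv(ip(PUBLIC) + ip(PEER) + seg))
    # 3. ESP transport: the ICV covers only the ESP payload, so it survives,
    #    but the encrypted inner checksum still names the inside address.
    esp_tag = icv(seg)  # seg stands in for the ciphertext
    esp_icv_ok = hmac.compare_digest(esp_tag, icv(seg))
    esp_inner_ok = udp_valid(PUBLIC, PEER, seg)
    return {"plain": plain_ok, "ah": ah_ok,
            "esp_icv": esp_icv_ok, "esp_inner_checksum": esp_inner_ok}

if __name__ == "__main__":
    print(nat_outcomes())
```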
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact copyright@midrange.com.