
TCP/IP on IBM i


Question: 
My IBM i system is located behind my firewall and is configured with a private IP address. I want to configure my remote clients to connect to the IBM i system using VPN. Can I do this?

Answer:
The function you are requesting is IPSec using NAT-Traversal (sometimes called Firewall Friendly VPN). While the IBM i system supports this function at V5R2 and V5R3, it does not support this function in a Responder role. However, in most NAT scenarios at V7R1, the IBM i system supports this function as both the Responder and the Initiator role. For more information on this, please look at the NAT compatible IPSec with UDP page.


Question: 
The VPN tunnel on my IBM i system is failing to establish with the remote VPN endpoint. How do I troubleshoot this?

Answer:
The initial place to look is the two VPN joblogs. The jobs are named QTOKVPNIKE and QTOVMAN. Both of these jobs run in the QSYSWRK subsystem. VPN provides very good messaging and generally there are messages that will assist you in debugging the problem. Information regarding analyzing these joblogs is found in the Troubleshoot VPN with the VPN job logs page on the IBM i Information Center.

If these joblogs do not provide you with the information you need, then a call to IBM Software Support is in order. The documentation that the Support representatives will need include the following:

  1. The previously mentioned joblogs
  2. A TRCTCPAPP trace of the VPN server and a communications trace. To gather these, do the following:
    1. TRCTCPAPP APP(*VPN)
    2. TRCCNN SET(*ON) TRCTYPE(*IP) TRCTBL(VPN_TRCCNN) SIZE(200 *MB)
    3. Recreate the problem
    4. TRCTCPAPP APP(*VPN) SET(*OFF)
    5. TRCCNN SET(*OFF) TRCTBL(VPN_TRCCNN)
  3. Four spool files should be generated for your interactive job. These are the traces that Support will require to debug the VPN problem.
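The trace-collection steps above wrapped in a CL program, added here as an example and not taken from this IBM page, so that both traces are ended even if a step fails part way. The program name VPNTRC, the inquiry-message prompt and the logical flags are assumptions; the TRCTCPAPP and TRCCNN commands are the ones listed above.

```cl
/* VPNTRC: constructed example, not IBM-supplied. Run from the        */
/* interactive job that will own the spooled trace output: CALL VPNTRC */
PGM
DCL        VAR(&REPLY) TYPE(*CHAR) LEN(1)
DCL        VAR(&VPNON) TYPE(*LGL) VALUE('0')   /* TRCTCPAPP started? */
DCL        VAR(&CNNON) TYPE(*LGL) VALUE('0')   /* TRCCNN started?    */

/* Any unmonitored failure jumps to CLEANUP so no trace is left running */
MONMSG     MSGID(CPF0000) EXEC(GOTO CMDLBL(CLEANUP))

/* Step 1: VPN server trace (SET(*ON) is the default on the page) */
TRCTCPAPP  APP(*VPN) SET(*ON)
CHGVAR     VAR(&VPNON) VALUE('1')

/* Step 2: IP-level communications trace into the named trace table */
TRCCNN     SET(*ON) TRCTYPE(*IP) TRCTBL(VPN_TRCCNN) SIZE(200 *MB)
CHGVAR     VAR(&CNNON) VALUE('1')

/* Step 3: wait while the operator recreates the VPN failure */
SNDUSRMSG  MSG('Traces are running. Recreate the VPN failure now, +
                then reply G to end the traces.') +
           VALUES(G) DFT(G) MSGTYPE(*INQ) TOMSGQ(*EXT) MSGRPY(&REPLY)

/* Steps 4 and 5: end each trace that was actually started. Each end  */
/* command has its own MONMSG so a failure here cannot loop back.      */
CLEANUP:   IF COND(&VPNON) THEN(DO)
             TRCTCPAPP APP(*VPN) SET(*OFF)
             MONMSG    MSGID(CPF0000)
           ENDDO
           IF COND(&CNNON) THEN(DO)
             TRCCNN    SET(*OFF) TRCTBL(VPN_TRCCNN)
             MONMSG    MSGID(CPF0000)
           ENDDO
SNDPGMMSG  MSG('VPN trace collection ended. Check the spooled files +
                (WRKSPLF) and the QTOKVPNIKE and QTOVMAN job logs.') +
           MSGTYPE(*COMP)
ENDPGM
```

The spooled files land in the calling job's output queue, which is what the "Four spool files" item above refers to.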

General VPN troubleshooting documentation can be found in the Troubleshoot VPN page in the IBM i Information Center.


Question: 
What encryption algorithms does IBM i VPN use to encrypt my confidential data?

Answer:
VPN uses Data Encryption Standard (DES), triple-DES (3DES), Advanced Encryption Standard (AES) for encryption; and SHA, MD5, AES-XCBC-MAC, or HMAC-SHA-256 for packet authentication/integrity checking. More information on this can be found in the Encapsulating Security Payload page.


Question: 
What new functions are available for VPN at V7R1?

Answer:
Support for IKEv2 was added.
Support for the authentication algorithms AES-XCBC-MAC and HMAC-SHA-256 was added.


Question: 
I do not know where to start in getting my VPN link set up. Please help!

Answer:
There is a VPN Planning Advisor available in our InfoCenter. This will provide you with a basic understanding of the information you will need to configure VPN on your IBM i system.


Question: 
When I try to start or stop a connection from the Virtual Private Networking configuration window, I see an "Unable to start the connection" or an "Unable to stop the connection" error message. Why is this happening?

Answer:
The most likely cause is a difference between the configurations on the local and remote systems. From the Virtual Private Networking configuration window, select the "Active Connections" option from the "View" menu. If the Active Connections Monitor shows your connection, look at its "Status" column. If your connection has an "Error" status, right-click on the connection and select "View Error Information." This will provide you with information on what went wrong when you attempted to establish the connection. The same information can be viewed by displaying the job log. (Command: WRKACTJOB JOB(QTOKVPNIKE), then enter option 5 next to the job and select option 10 to display the job log.)


Question: 
All of the AH and ESP keys configured in my Manual Connections and all of my preshared keys do not display when I attempt to view them through the Virtual Private Networking configuration window. Where have they gone?

Answer:
From a 5250 telnet session to the IBM i system, issue the command "DSPSYSVAL SYSVAL(QRETSVRSEC)" and examine the "Retain server security data" value. The QRETSVRSEC system value must be set to '1' in order to retain the preshared keys. (Command: "CHGSYSVAL SYSVAL(QRETSVRSEC) VALUE('1')".) Please note that all keys will have to be re-configured or restored; however, by setting and leaving the QRETSVRSEC system value at '1', all key information will be saved from then on.


Question: 
Under "TCP/IP Settings" in my L2TP profile, I selected "Dynamically assign" for my remote IP address. Why does this IP address always appear exactly the same?

Answer:
When setting up an L2TP profile, if you are going to select "Dynamically assign" for your remote IP address, you must first make sure that the IP address field is cleared. If there is a static IP address in this field, then it will be the one that is used. This step will be necessary unless you have installed Client Access Service Pack 2.


Question: 
I configured a dynamic connection with a PPP endpoint, and when I select start, I am unable to establish a connection. Why am I unable to establish a connection with a PPP endpoint?

Answer:
Connections with a PPP endpoint must be autostarted (started when TCP/IP is started). To autostart a connection, right-click on the dynamic key connection, and view its properties. Then select the "Start Automatically" checkbox located on the "General" tab.


Question: 
When using a tunnel protected by dynamic keys between the IBM i system and a Cisco router, it seems as though after a while, the IBM i system is discarding datagrams received through the tunnel. How can I maintain two-way traffic through the tunnel?

Answer:
When setting up a connection with a Cisco router, configure your connection name to end with the letters "NOREPLAY". This will tell the IBM i system not to discard incoming datagrams that appear to be replayed datagrams. Also note that there is a known problem with Cisco router model 7504 running version 12.0(3)T and dynamic connections (protected by IKE keys) utilizing anti-replay features. Manual connections through this same router may also experience similar problems. Check with Cisco for information on resolving this issue as a fix may already be available.


Question: 
I am attempting to configure a VPN on a Japanese Katakana based IBM i system. Why can't I view or start some of the configured VPN connections?

Answer:
This may be due to the use of lower case letters when naming VPN configuration objects via Navigator for i. There is currently a restriction on using lower case letters when configuring a VPN on an IBM i system with a configured Coded Character Set Identifier (CCSID) of 5026 (Japan Katakana, extended range).
