DS8000 Service Documentation Version 6.3.3
VPN network settings
When the customer decides to allow the high speed VPN connection
for serviceability, and there is a firewall in place between the customer
network and the Internet, the firewall must be configured to allow
the HMC to connect to the IBM secure servers. The HMC establishes
connections to the following TCP/IP addresses:
- 207.25.252.196 - IBM® Boulder VPN Server
- 129.42.160.16 - IBM Rochester VPN Server
If using Packet Filters alone, the HMC or i5/OS must
have a globally routable address (either static or dynamically assigned
by an ISP) and the following protocols and ports must be open to the IBM VPN
Gateways:
- UDP (Port 500)
- ESP (IP Protocol 50)
If using Network Address Translation (NAT or PAT) along with Packet
Filters, the following protocol and ports must be open to the IBM VPN
Gateways:
- UDP (Port 500 and 4500)
In the NAT scenario, UDP Encapsulation is used.
Although the VPN connection is always initiated by the HMC, any firewall within the VPN path must allow traffic for the ports previously mentioned in both directions. Usually this is accomplished by a 'stateful' firewall that opens inbound traffic only if a previous outbound connection has occurred.
The following is an example of how these permissions would be defined,
based on a typical firewall:
access-list Outside_to_DMZ permit esp host 207.25.252.196 host <HMC IP address>
access-list Outside_to_DMZ permit esp host 129.42.160.16 host <HMC IP address>
access-list DMZ_to_Outside permit udp host 207.25.252.196 host <HMC IP address> eq 500
access-list DMZ_to_Outside permit udp host 129.42.160.16 host <HMC IP address> eq 500
access-list DMZ_to_Outside permit udp host 207.25.252.196 host <HMC IP address> eq 4500
access-list DMZ_to_Outside permit udp host 129.42.160.16 host <HMC IP address> eq 4500
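As an added example (not part of the IBM documentation), the following Python checker reads a set of firewall permit lines in the access-list style shown above and reports which of the required HMC-to-IBM-gateway flows (UDP 500 plus ESP for packet filters only, UDP 500 plus UDP 4500 when NAT or PAT is in the path) are still missing. The HMC address 192.0.2.10 and the sample policy are constructed for the demonstration; the access-list syntax is assumed to follow the page's example.

```python
import re

# IBM VPN gateway addresses from the page; the HMC initiates to both.
IBM_VPN_SERVERS = {"207.25.252.196": "IBM Boulder", "129.42.160.16": "IBM Rochester"}

# Cisco-style "access-list NAME permit PROTO host A host B [eq PORT]" (assumed syntax).
ACL_RE = re.compile(r"^access-list\s+\S+\s+permit\s+(?P<proto>esp|udp)\s+"
                    r"host\s+(?P<src>\S+)\s+host\s+(?P<dst>\S+)(?:\s+eq\s+(?P<port>\d+))?$")

def required_flows(nat):
    """Packet filters only: IKE (UDP 500) plus ESP (IP protocol 50, no port).
    NAT or PAT in the path: IKE (UDP 500) plus UDP-encapsulated ESP (UDP 4500)."""
    return {("udp", 500), ("udp", 4500)} if nat else {("udp", 500), ("esp", None)}

def parse_acl(lines, hmc_ip):
    """Set of (proto, gateway, port) permitted between the HMC and an IBM gateway,
    in either direction; other lines are ignored."""
    flows = set()
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        ends = {m.group("src"), m.group("dst")}
        gateway = ends & set(IBM_VPN_SERVERS)
        if hmc_ip not in ends or not gateway:
            continue
        port = int(m.group("port")) if m.group("port") else None
        if m.group("proto") == "esp" and port is not None:
            continue  # ESP has no ports; "esp ... eq 500" permits nothing useful
        flows.add((m.group("proto"), gateway.pop(), port))
    return flows

def missing_flows(lines, hmc_ip, nat):
    """(gateway name, proto, port) entries the policy still lacks, sorted."""
    have = parse_acl(lines, hmc_ip)
    return sorted(((name, proto, port)
                   for ip, name in IBM_VPN_SERVERS.items()
                   for proto, port in required_flows(nat)
                   if (proto, ip, port) not in have), key=str)

# Constructed sample policy for an HMC at 192.0.2.10 (documentation address).
SAMPLE_ACL = [
    "access-list Outside_to_DMZ permit esp host 207.25.252.196 host 192.0.2.10",
    "access-list DMZ_to_Outside permit udp host 192.0.2.10 host 207.25.252.196 eq 500",
    "access-list DMZ_to_Outside permit udp host 192.0.2.10 host 129.42.160.16 eq 500",
    "access-list DMZ_to_Outside permit udp host 192.0.2.10 host 207.25.252.196 eq 4500",
    "access-list Outside_to_DMZ permit esp host 129.42.160.16 host 192.0.2.10 eq 500",
]
```

Run `missing_flows(SAMPLE_ACL, "192.0.2.10", nat)` with `nat` set to match the site: the sample policy lacks ESP to Rochester in the packet-filter case (its only ESP line for Rochester carries a port qualifier and is discarded) and lacks UDP 4500 to Rochester in the NAT case.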