Steps for configuring the partner company with NAPT model (host-to-host with IPSec)

The partner company with NAPT model modifies the partner company with NAT model, replacing the NAT device in front of the internal network of each partner company with a NAPT device.

Before you begin

The following statements and concepts are covered in the discussion of this model:

Using wildcard values for the remote port for IKE traffic
NAPT implications for host-to-host dynamic IKE negotiations:
- Local and remote data endpoints
- Local and remote security endpoints
- IKE initiator and responder roles

The partner company model assumed a network topology with both partner companies using public IP addresses in their internal networks. The partner company with NAT model modified the partner company model to include private addressing in the private network of each partner company, with a NAT device in front of each private network. Both NAT devices used static one-to-one address mappings.

The partner company with NAPT model modifies the partner company with NAT model, replacing the NAT device in front of the partner company's internal network with a NAPT device. The NAPT device uses many-to-one address and port mappings. The NAT in front of the z/OS® host continues to use static one-to-one address mappings.

Figure 1 shows the partner company with NAPT topology.

Figure 1. Partner company with NAPT model

Similar to partner company with NAT, but the NAT device in front of PCO2 network is replaced with NAPT device.

The partner company with NAPT model has the same basic security requirements as the partner company with NAT model. One difference is that IPSec protection for Enterprise Extender (EE) traffic has been eliminated from the example. EE traffic is not compatible with the use of NAPT, with or without IPSec protection. For more information, see Enterprise Extender considerations when traversing a NAT.

This example includes only the configuration steps that are impacted by a change from static one-to-one address mappings to NAPT mappings. Configuration statements added or changed for the partner company with NAPT model are shown in bold. The example describes the policy for partner company 1 (PCO1).

For this example, assume you must meet the following requirements to enable network communications from a partner company (PCO2) in an untrusted zone B behind a NAPT (9.4.4.4), over a connected network, to a server on this host that is behind a NAT, using static one-to-one address mapping:

IKE traffic from untrusted zone B is allowed to this host.
Secure FTP traffic (using TLS/SSL) from untrusted zone B is allowed to a secure FTP server running on this host.
FTP traffic from untrusted zone B is allowed to an FTP server running on this host using a dynamic IPSec tunnel with strong authentication.
A dynamic IPSec tunnel for normal FTP control activates for each remote host that initiates an FTP connection (remote activation).
A dynamic IPSec tunnel for normal FTP data activates for each remote host that initiates an FTP data connection (remote activation).
Peers authenticate themselves using the RSA signature method.

Procedure

Starting with the partner company with NAT policy, the following changes need to be made to meet these requirements when there is a NAPT in front of the partner company's internal network (Zone B):

Modify the IpService statements for the IKE traffic to specify a wildcard value for the remote port. The NAPT will update both the IP address and port values of an IKE packet, so that the traffic can no longer be described with a constant value of 500 or 4500.

IpService                      IKE-local-500 
{
  SourcePortRange              500
  DestinationPortRange         0
  Protocol                     UDP
  Direction                    bidirectional
  Routing                      local
  SecurityClass                0
}

IpService                      IKE-local-4500 
{
  SourcePortRange              4500
  DestinationPortRange         0
  Protocol                     UDP
  Direction                    bidirectional
  Routing                      local
  SecurityClass                0
}

Modify the remote data endpoint to reflect the NAPT's single IP address, 9.4.4.4. The remote data endpoint is the partner company's internal network. The z/OS implementation does not require you to code private addresses for the remote endpoint; the network address translated public address should be configured as the remote data endpoint. In this example, the private addresses in the PCO2 internal network (10.2.0.0/16) are translated into the public address 9.4.4.4. Thus, the remote data endpoint is 9.4.4.4.
```
IpAddr    ZoneB
{
   Addr   9.4.4.4
}
```

Modify the remote security endpoint.

RemoteSecurityEndpoint   ZoneB_IKED
{
   Identity      Fqdn  *.PCO2.example.com 
   Location      9.4.4.4
   CaLabel       CA4PartnerCompany
}

Results

A completely configured policy, including all objects and their references, is as follows:

# IpFilterPolicy for secure public server

IpFilterPolicy
{
   PreDecap             off
   IpFilterGroupRef     ZoneB
}
 
KeyExchangePolicy
{
   AllowNat             Yes
   NatKeepAliveInterval 0
   KeyExchangeRuleRef   ZoneB_KeyExRule1
}

###### All re-usable statements follow #######
IpFilterGroup           ZoneB
{
   IpFilterRuleRef      ZoneB-Permitted-traffic
   IpFilterRuleRef      FTPServer-ZoneB  #IPSec-protected
}

######################################
# IpFilterRules                      #
#   defines:                         #
#      data endpoints                #
#      Allowed services              #
#      Actions (permit, deny, ipsec) #
######################################
IpFilterRule            ZoneB-Permitted-traffic
{
   IpSourceAddrRef           PrivateServerAddress
   IpDestAddrRef             ZoneB
   IpServiceRef              IKE-local-500
   IpServiceRef              IKE-local-4500
   IpServiceGroupRef         SecureFTPServer
   IpGenericFilterActionRef  permit-nolog
}

IpFilterRule           FTPServer-ZoneB
{
   IpSourceAddrRef           PrivateServerAddress
   IpDestAddrRef             ZoneB
   IpServiceGroupRef         FTPServer
   IpGenericFilterActionRef  ipsec-nolog
   IpDynVpnActionRef         FTP-vpnaction
}
 
####################
# IpService groups #
####################
IpServiceGroup            FTPServer
{
   IpServiceRef           FTPServer-Control
   IpServiceRef           FTPServer-Data-Passive
}

IpServiceGroup            SecureFTPServer
{
   IpServiceRef           SecureFTPServer-Control
   IpServiceRef           SecureFTPServer-Data-Passive
}

##################################
# Services provided by this host #
##################################

IpService                    IKE-local-500
{
  SourcePortRange            500
  DestinationPortRange       0
  Protocol                   UDP
  Direction                  bidirectional
  Routing                    local
  SecurityClass              0
}

IpService                    IKE-local-4500
{
  SourcePortRange            4500
  DestinationPortRange       0
  Protocol                   UDP
  Direction                  bidirectional
  Routing                    local
  SecurityClass              0
}

IpService                    SecureFTPServer-Control
{
  SourcePortRange            990
  DestinationPortRange       1024 65535
  Protocol                   tcp
  Direction                  bidirectional InboundConnect
  Routing                    local
  SecurityClass              0
}

IpService                    SecureFTPServer-Data-Passive
{
  SourcePortRange            50201 50400
  DestinationPortRange       1024 65535
  Protocol                   tcp
  Direction                  bidirectional InboundConnect
  Routing                    local
  SecurityClass              0
}

IpService                    FTPServer-Control
{
  SourcePortRange            21
  DestinationPortRange       1024 65535
  Protocol                   tcp
  Direction                  bidirectional InboundConnect
  Routing                    local
  SecurityClass              0
}

IpService                  FTPServer-Data-Passive
  {
    SourcePortRange            50000 50200  
    Protocol                   tcp
    Direction                  bidirectional InboundConnect
    Routing                    local
    SecurityClass              0
  }

######################
# Security Endpoints #
######################
LocalSecurityEndpoint  Local_IKED
{
   Identity      Fqdn  Server.PCO1.example.com 
   Location      10.1.1.1
}

RemoteSecurityEndpoint   ZoneB_IKED
{
   Identity      Fqdn   *.PCO2.example.com 
   Location      9.4.4.4
   CaLabel       CA4PartnerCompany
}
                                                                            
##########################
# Generic filter actions #
##########################

IpGenericFilterAction    permit-nolog
{
   IpFilterAction        permit
   IpFilterLogging       no
}

IpGenericFilterAction    ipsec-nolog
{
   IpFilterAction        ipsec
   IpFilterLogging       no
}

##################################
# Key Exchange offers            #
#   defines:                     #
#     Authentication type        #
#     Encryption type            #
#     Peer authentication method #
#     Refresh limits             #
##################################
KeyExchangeOffer RSA-SHA1-3DES-DH2
{
   HowToEncrypt    3DES
   HowToAuthMsgs   SHA1
   HowToAuthPeers  RsaSignature
   DHGroup         Group2
   RefreshLifetimeProposed  480
   RefreshLifetimeAccepted  240 1440
   RefreshLifesizeProposed  none
   RefreshLifesizeAccepted  none
}

##################################
# Key Exchange Actions           #
#  defines:                      #
#    Negotiation mode            #
#    List of Key exchange offers #
##################################
KeyExchangeAction Main-RSA-SHA1-3DES-DH2
{
   HowToInitiate       main
   HowToRespondIKEv1   main
   KeyExchangeOfferRef RSA-SHA1-3DES-DH2
}

######################################
# KeyExchangeRules                   #
#   defines:                         #
#      A pair of security endpoints  #
#      permitted in IKE negotiations #
######################################
KeyExchangeRule              ZoneB_KeyExRule1
{
   LocalSecurityEndpointRef  Local_IKED
   RemoteSecurityEndpointRef ZoneB_IKED
   KeyExchangeActionRef      Main-RSA-SHA1-3DES-DH2
}

############################
# Data Offers              #
#   defines:               #
#      Encapsulation mode  #
#      Authentication type #
#      Encryption type     #
#      Refresh limits      #
############################
### Authenticated offer ###
IpDataOffer TRAN-ESPSHA-NOENCR
{
   HowToEncap   Transport
   HowToEncrypt DoNot
   HowToAuth    ESP HMAC_SHA1
   RefreshLifetimeProposed 240
   RefreshLifetimeAccepted 120 480
   RefreshLifesizeProposed  none
   RefreshLifesizeAccepted  none
}

##############################
# Dynamic VPN Actions        #
#   defines:                 #
#     Initiation role        #
#     Pfs group              #
#     Lifetime of connection #
#     List of Data offers    #
##############################
IpDynVpnAction FTP-vpnaction
{
   Initiation           remoteonly
   InitiateWithPfs      group2
   AcceptablePfs        group2
   VpnLife              1440
   IpDataOfferRef       TRAN-ESPSHA-NOENCR
}


################
# IP addresses #
################

IpAddr    PrivateServerAddress
{
   Addr   10.1.1.1
}

IpAddr    ZoneB
{
   Addr   9.4.4.4
}