Configuring your firewall to allow System i VPN traffic for ESA

Electronic Service Agent supports VPN connections with NAT pass-through since i5/OS V5R4 (a “beta” version of this shipped in later i5/OS V5R3 CUM packages; earlier releases, such as OS/400 V5R2, did not support VPN connections for ESA). Ensuring that your System i (or iSeries, or AS/400) can communicate with IBM is necessary if you have a hardware or software maintenance contract.

If you want to allow this traffic through a firewall, you will find that IBM's documentation of the required rules is rather thin.

Generally, you will need to allow the following from your System i:

  • Outgoing ICMP echo request (PING)
  • Outgoing UDP traffic to ports 500 (IKE) and 4500 (IPsec NAT traversal)
  • Outgoing ESP packets (IP protocol 50)
  • Incoming packets belonging to connections established by the above

If that’s too broad for you, you can restrict the above traffic to these two IP addresses:

  • Boulder: 207.25.252.196
  • Rochester: 129.42.160.16

Note that these IP addresses may change in the future.
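As an added example (not from the original post, and not an IBM-supplied script), here is the rule set above expressed for a Linux iptables firewall sitting between the System i and the Internet. It assumes the firewall filters in the FORWARD chain; the System i address 192.0.2.10 is a constructed placeholder, and the rules are restricted to the two IBM endpoints unless ESA_PEERS overrides them. By default it only prints the rules; set ESA_APPLY=1 to execute them.

```shell
#!/bin/sh
# Firewall rules for IBM Electronic Service Agent VPN traffic (added example).
# Assumptions: FORWARD chain, System i on the LAN side, iptables with the
# conntrack and multiport match extensions.

# IBM endpoints from the post (Boulder, Rochester); note these may change.
IBM_ESA_PEERS="207.25.252.196 129.42.160.16"

# esa_rule: print one iptables rule (dry run) or apply it when ESA_APPLY=1.
esa_rule() {
  if [ "${ESA_APPLY:-0}" = "1" ]; then
    iptables "$@"
  else
    echo "iptables $*"
  fi
}

# esa_rules <system_i_ip>: emit the four rule types for each IBM peer.
# Set ESA_PEERS="0.0.0.0/0" to get the broad (unrestricted destination) variant.
esa_rules() {
  sysi="$1"
  peers="${ESA_PEERS:-$IBM_ESA_PEERS}"
  for peer in $peers; do
    # Outgoing ICMP echo request (PING)
    esa_rule -A FORWARD -s "$sysi" -d "$peer" -p icmp --icmp-type echo-request -j ACCEPT
    # Outgoing UDP to 500 (IKE) and 4500 (IPsec NAT traversal)
    esa_rule -A FORWARD -s "$sysi" -d "$peer" -p udp -m multiport --dports 500,4500 -j ACCEPT
    # Outgoing ESP (IP protocol 50)
    esa_rule -A FORWARD -s "$sysi" -d "$peer" -p esp -j ACCEPT
  done
  # Incoming packets that belong to connections the System i opened above
  esa_rule -A FORWARD -d "$sysi" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# esa_rule_count <system_i_ip>: number of rules that would be emitted.
esa_rule_count() {
  esa_rules "$1" | wc -l | tr -d ' '
}

# Constructed example: dry-run the rule set for a System i at 192.0.2.10.
esa_rules 192.0.2.10
```

Check the printed rules against your existing policy before applying; the established/related rule is what lets the IKE and ESP replies back in without opening inbound ports.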
