Sysplex-Wide Security Associations for IKE version 2

z/OS® V1R13 Communications Server introduces support for IKEv2 in a Sysplex-Wide Security Association (SWSA) environment. SWSA provides better workload balancing for IPSec-protected workloads because it performs the following actions:
  • Optimally routes new work to the target system and the server application, based on WLM advice
  • Increases the availability of workloads by routing traffic around failed components
  • Increases flexibility by adding additional workload in a nondisruptive manner

SWSA distributes the IPSec processing, including cryptography, for a single IPSec Security Association (SA) among systems in a sysplex environment. SWSA also allows workloads with IPSec-protected traffic to use the dynamic virtual IP address (DVIPA) takeover function. You can associate IPSec-protected workloads with DVIPAs that can be recovered by other systems in the case of a failure or planned takeover. IPSec SAs are automatically restarted on another system in the sysplex when a DVIPA takeover occurs.

Support for the Internet Key Exchange version 2 (IKEv2) protocol was provided in z/OS V1R12 Communications Server. The function provided in V1R12 did not include support for SWSA: SAs that were negotiated using the IKEv2 protocol could not be distributed or taken over in a sysplex environment. Starting in z/OS V1R13, SAs that protect IPv4 traffic and were negotiated using the IKEv2 protocol can be distributed and taken over in a sysplex environment.

Restrictions:
  • All target systems must be at V1R12 or later to participate in workload distribution for traffic over an IKEv2 tunnel.
  • If the backup stack is on a system that is V1R12 or earlier, the IKE daemon attempts to negotiate a new SA using the IKEv1 protocol. Any SA that has been converted from IKEv2 to IKEv1 will continue to be renegotiated using the IKEv1 protocol for the life of the SA.