Negotiations can be initiated in one of four ways:
When a remote IKE peer initiates a negotiation with the local IKE daemon, no action is required. If the IP security policy has been configured correctly and is consistent with the policy of the remote IKE peer, a Security Association is established. No operator message is issued when a remote activation has occurred, but the syslog does contain a record of all IKE activity. The ipsec -y display command can also be used to view all of the active Security Associations.
An on-demand Security Association is activated when some outbound traffic matches an ipsec rule that allows on-demand activation. The ondemand field of the filter display indicates whether or not on-demand activation is allowed for that rule.
The local IKE daemon initiates a negotiation for an autoactivated Security Association when it connects to the TCP/IP stack. IKE also initiates a negotiation for an autoactivated Security Association when the ipsec -f reload command is issued, changing the active filter rule set from default IP filter rules to Policy Agent filter rules. No operator message is issued when an autoactivation has occurred, but the syslog does contain a record of all IKE activity. The ipsec -y display command can also be used to view all of the active Security Associations.
The ipsec command can be used as follows to activate a Security Association that has been defined by a LocalDynVpnRule statement:
ipsec -y activate -l ZoneC_VPN-EE1
CS V1R12 ipsec Stack Name: TCPCS Wed Feb 3 16:02:05 2010
Primary: Dynamic tunnel Function: Activate
Selection Data Status
ZoneC_VPN-EE1 Activating
The output of the command indicates the status of the activation. For detailed information about the use of the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.