DVIPA recovery support

In NATT configurations where IKE can act only as the responder, sysplex distribution is possible but the recovery of the Security Associations when the DVIPA moves is not supported. There are two NATT configurations in which IKE can act only as the responder:

For more information about NATT configurations, as well as interoperability considerations, see Configuration scenarios supported for NAT traversal.

When only one client behind a NAPT has negotiated a Security Association, it is not always possible for the server to detect whether one-to-one address translation or many-to-one address port translation (NAPT) is being done. When multiple clients have active Security Associations, the server can detect that port translation is being done. If z/OS® cannot determine that a Security Association is negotiated with a remote peer behind a NAPT, the Security Association is treated as if it is being negotiated with a remote peer using one-to-one address translation.
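The ambiguity described above can be seen in a simplified model of what a responder observes. This is an added example, not IBM code and not the z/OS algorithm: the `ObservedSA` record, the `classify_peers` function, the two classification signals (shared translated address, rewritten UDP source port) and the sample addresses are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

NATT_PORT = 4500  # UDP port IKE floats to once a NAT is detected (RFC 3947)

@dataclass(frozen=True)
class ObservedSA:
    peer_id: str    # IKE identity of the remote peer (hypothetical field)
    src_ip: str     # source address as seen by the server, after translation
    src_port: int   # UDP source port as seen by the server

def classify_peers(sas):
    """Map each peer to 'NAPT' or 'one-to-one (assumed)'.

    Illustrative signals only: several peers sharing one translated
    address, or a source port that no longer equals 4500, show port
    translation. With neither signal the server cannot tell, so the
    peer falls back to the one-to-one treatment the text describes.
    """
    peers_by_ip = defaultdict(set)
    for sa in sas:
        peers_by_ip[sa.src_ip].add(sa.peer_id)

    result = {}
    for sa in sas:
        shared_address = len(peers_by_ip[sa.src_ip]) > 1
        port_rewritten = sa.src_port != NATT_PORT
        if shared_address or port_rewritten:
            result[sa.peer_id] = "NAPT"
        else:
            result[sa.peer_id] = "one-to-one (assumed)"
    return result

# Constructed sample data (documentation address ranges).
# clientA sits behind a NAPT that happened to keep port 4500.
ONE_CLIENT = [ObservedSA("clientA", "203.0.113.10", 4500)]
# A second client behind the same NAPT gets a different translated port.
TWO_CLIENTS = ONE_CLIENT + [ObservedSA("clientB", "203.0.113.10", 61022)]
# A peer behind a static one-to-one NAT at another address.
MIXED = TWO_CLIENTS + [ObservedSA("clientC", "198.51.100.7", 4500)]

if __name__ == "__main__":
    for name, sas in [("one", ONE_CLIENT), ("two", TWO_CLIENTS), ("mixed", MIXED)]:
        print(name, classify_peers(sas))
```

In the single-client case `clientA` is really behind a NAPT, yet nothing the server observes distinguishes it from one-to-one translation until `clientB` appears on the same address.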

When IKE is limited to only a responder role, the Security Association must be reestablished by peer initiation. The interoperability considerations for establishing an initial phase 2 Security Association are relevant to the renegotiation of the phase 2 Security Association due to the movement of a DVIPA. For example, a host-to-host UDP-encapsulated tunnel mode Security Association protecting specific protocols or ports that was initially initiated from a non-z/OS client might not be able to be renegotiated when the z/OS system assuming control of the DVIPA initiates the negotiation. In this case, the Security Association must be reestablished by peer initiation.