0(X'0') |
|
4 |
Binary |
Common IKE tunnel flags. The following list
identifies the bits, their names, and their meanings.
- X'80000000', SMF119IS_IKETunIPv6: The IPv6 indicator. If this
bit is set, all IKE tunnel security endpoints are IPv6 addresses.
If this bit is not set, the endpoints are IPv4 addresses.
- X'40000000', SMF119IS_IKETunNATAllowed: NAT traversal indicator.
The NAT traversal function is enabled for this IKE tunnel.
- X'20000000', SMF119IS_IKETunLclNAT: Local NAT indicator. A NAT
has been detected in front of the local security endpoint.
- X'10000000', SMF119IS_IKETunRmtNAT: Remote NAT indicator. A NAT
has been detected in front of the remote security endpoint.
- X'08000000', SMF119IS_IKETunRmtNAPT: Remote NAPT indicator. An
NAPT has been detected in front of the remote security endpoint.
Result: Some NAPTs might be undetected.
In that case, the SMF119IS_IKETunRmtNAT bit is set, but this bit
is not set.
- X'04000000', SMF119IS_IKETunCanInitP1: IKE tunnel (P1) initiation
indicator. The local security endpoint can initiate IKE tunnel negotiations
with the remote security endpoint. If this bit is not set, the remote
security endpoint must initiate IKE tunnel negotiations. Either side
can initiate refreshes.
- X'02000000', SMF119IS_IKETunFIPS140: FIPS 140 mode indicator.
If this bit is set, cryptographic operations for this IKE tunnel
are performed using cryptographic algorithms and modules that are
designed to meet the FIPS 140 requirements; otherwise, cryptographic
algorithms and modules that do not meet the FIPS 140 requirements
might be used.
- Remaining bits: Reserved
|
4(X'4') |
SMF119IS_IKETunID |
48 |
EBCDIC |
Tunnel ID for this IKE tunnel. |
52(X'34') |
SMF119IS_IKETunKeyExchRule |
48 |
EBCDIC |
Key exchange rule name for this IKE tunnel. |
100(X'64') |
SMF119IS_IKETunKeyExchAction |
48 |
EBCDIC |
Key exchange action name for this IKE tunnel. |
148(X'94') |
SMF119IS_IKETunLclEndpt4 |
4 |
Binary |
One of the following values:
- If SMF119IS_IKETunIPv6 is set, this field is the 16-byte IPv6
local security endpoint for this IKE tunnel.
- If SMF119IS_IKETunIPv6 is clear, this field is the 4-byte IPv4
local security endpoint for this IKE tunnel.
|
148(X'94') |
SMF119IS_IKETunLclEndpt6 |
16 |
Binary |
One of the following values:
- If SMF119IS_IKETunIPv6 is set, this field is the 16-byte IPv6
local security endpoint for this IKE tunnel.
- If SMF119IS_IKETunIPv6 is clear, this field is the 4-byte IPv4
local security endpoint for this IKE tunnel.
|
164(X'A4') |
SMF119IS_IKETunRmtEndpt4 |
4 |
Binary |
One of the following values:
- If SMF119IS_IKETunIPv6 is set, this field is the 16-byte IPv6
remote security endpoint for this IKE tunnel.
- If SMF119IS_IKETunIPv6 is clear, this field is the 4-byte IPv4
remote security endpoint for this IKE tunnel.
|
164(X'A4') |
SMF119IS_IKETunRmtEndpt6 |
16 |
Binary |
One of the following values:
- If SMF119IS_IKETunIPv6 is set, this field is the 16-byte IPv6
remote security endpoint for this IKE tunnel.
- If SMF119IS_IKETunIPv6 is clear, this field is the 4-byte IPv4
remote security endpoint for this IKE tunnel.
|
180(X'B4') |
SMF119IS_IKETunICookie |
8 |
Binary |
The icookie for this IKE tunnel |
188(X'BC') |
SMF119IS_IKETunRCookie |
8 |
Binary |
The rcookie for this IKE tunnel |
196(X'C4') |
SMF119IS_IKETunExchangeMode |
1 |
Binary |
Tunnel exchange mode. For IKEv1 SAs, possible
values are:
- SMF119IS_IKETUN_EXCHMAIN (2)
- SMF119IS_IKETUN_EXCHAGGRESSIVE (4)
For IKEv2 SAs, this field is not applicable and is 0.
|
197(X'C5') |
SMF119IS_IKETunState |
1 |
Binary |
Tunnel state. Possible values are:
- SMF119IS_SASTATE_DEACT (1): Dynamic tunnel is deactivated. This
value is valid only for record subtype 74.
- SMF119IS_SASTATE_ACTIVE (2): Tunnel is active. This value is
valid only for record subtype 73.
- SMF119IS_SASTATE_EXPIRED (3): Dynamic tunnel is expired. This
value is valid only for record subtype 74.
|
198(X'C6') |
SMF119IS_IKETunAuthAlg |
1 |
Binary |
Tunnel authentication algorithm. Possible values
are:
- SMF119IS_AUTH_HMAC_MD5 (38)
The tunnel uses HMAC-MD5 authentication
with the full 128-bit Integrity Check Value (ICV). This value is
applicable only to IKEv1 tunnels.
- SMF119IS_AUTH_HMAC_SHA1 (39)
The tunnel uses HMAC-SHA1 authentication
with the full 160-bit ICV. This value is applicable only to IKEv1
tunnels.
- SMF119IS_AUTH_HMAC_MD5_96 (40)
The tunnel uses HMAC-MD5 authentication
with ICV truncation to 96 bits. This value is applicable only to
IKEv2 tunnels.
- SMF119IS_AUTH_HMAC_SHA1_96 (41)
The tunnel uses HMAC-SHA1 authentication
with ICV truncation to 96 bits. This value is applicable only to
IKEv2 tunnels.
- SMF119IS_AUTH_HMAC_SHA2_256_128 (7)
The tunnel uses HMAC-SHA2-256
authentication with ICV truncation to 128 bits.
- SMF119IS_AUTH_HMAC_SHA2_384_192 (13)
The tunnel uses HMAC-SHA2-384
authentication with ICV truncation to 192 bits.
- SMF119IS_AUTH_HMAC_SHA2_512_256 (14)
The tunnel uses HMAC-SHA2-512
authentication with ICV truncation to 256 bits.
- SMF119IS_AUTH_AES128_XCBC_96 (9)
The tunnel uses AES128-XCBC
authentication with ICV truncation to 96 bits.
|
199(X'C7') |
SMF119IS_IKETunEncryptAlg |
1 |
Binary |
Tunnel encryption algorithm. Possible values
are: |
200(X'C8') |
SMF119IS_IKETunDHGroup |
4 |
Binary |
Diffie-Hellman group used to generate keying
material for this IKE tunnel. |
204(X'CC') |
SMF119IS_IKETunPeerAuthMethod |
1 |
Binary |
Tunnel peer authentication method. Possible
values are:
- SMF119IS_IKETUN_PRESHAREDKEY (3)
- SMF119IS_IKETUN_RSASIGNATURE (2)
- SMF119IS_IKETUN_ECDSA_256 (4)
- SMF119IS_IKETUN_ECDSA_384 (5)
- SMF119IS_IKETUN_ECDSA_521 (6)
|
205(X'CD') |
SMF119IS_IKETunRole |
1 |
Binary |
Tunnel role. Possible values are:
- SMF119IS_IKETUN_INITIATOR (1)
- SMF119IS_IKETUN_RESPONDER (2)
|
206(X'CE') |
SMF119IS_IKETunNATTLevel |
1 |
Binary |
NAT traversal support level. Possible values
are:
- SMF119IS_IKETUN_NATTNONE (0): No NAT traversal support; support
is either not configured or not negotiated.
- SMF119IS_IKETUN_NATTRFCD2 (1): RFC 3947 draft 2 support.
- SMF119IS_IKETUN_NATTRFCD3 (3): RFC 3947 draft 3 support.
- SMF119IS_IKETUN_NATTRFC (4): RFC 3947 support with non-z/OS peer.
- SMF119IS_IKETUN_NATTZOS (5): RFC 3947 support with z/OS® peer.
- SMF119IS_IKETUN_NATTV2 (6): IKEv2 NAT traversal support.
- SMF119IS_IKETUN_NATTV2ZOS (7): IKEv2 NAT traversal support with z/OS peer.
|
207(X'CF') |
SMF119IS_IKETunExtState |
1 |
Binary |
Extended tunnel state information. Possible
values are:
- SMF119IS_EXTSASTATE_ACTIVATE (1): This value is a new Phase 1
activation. This value is valid only for record subtype 73.
- SMF119IS_EXTSASTATE_REFRESH (2): This value is a Phase 1 refresh.
This value is valid only for record subtype 73.
The following values are valid only for record subtype 74:
- SMF119IS_EXTSASTATE_DEACT (3): This tunnel is deactivated (not
as a result of error or negotiation failure).
- SMF119IS_EXTSASTATE_PROPOSAL (4): Negotiation failure; no proposal
matched the current policy.
- SMF119IS_EXTSASTATE_RETRANS (5): Negotiation failure; a retransmit
limit was encountered while negotiating this tunnel.
- SMF119IS_EXTSASTATE_POLICY (6): Negotiation failure; a policy
mismatch other than a proposal mismatch occurred. For example, no
valid KeyExchangeRule value was set.
- SMF119IS_EXTSASTATE_OTHER (7): Negotiation failure; the data in
an ISAKMP packet was not valid, or an internal error occurred.
|
208(X'D0') |
SMF119IS_IKETunLifesize |
8 |
Binary |
Tunnel lifesize. If this value is not 0,
this value indicates the lifesize limit for the tunnel, in bytes.
|
216(X'D8') |
SMF119IS_IKETunLifetime |
4 |
Binary |
Tunnel lifetime. This value indicates the
total number of seconds the tunnel remains active.
|
220(X'DC') |
SMF119IS_IKETunLifetimeRefresh |
4 |
Binary |
Tunnel lifetime refresh. This value indicates
the time at which the tunnel is refreshed (in UNIX format).
|
224(X'E0') |
SMF119IS_IKETunLifetimeExpire |
4 |
Binary |
Tunnel lifetime expiration. This value indicates
the time at which the tunnel expires (in UNIX format).
|
228(X'E4') |
SMF119IS_IKETunRmtUDPPort |
2 |
Binary |
Remote UDP port used for IKE negotiations. |
230(X'E6') |
SMF119IS_IKETunLIDType |
1 |
Binary |
ISAKMP identity type for the local security
endpoint identity, as defined in RFC 2407. ISAKMP peers exchange
and verify identities as part of the IKE tunnel (phase 1) negotiation.
|
231(X'E7') |
SMF119IS_IKETunRIDType |
1 |
Binary |
ISAKMP identity type for the remote security
endpoint identity, as defined in RFC 2407. ISAKMP peers exchange
and verify identities as part of the IKE tunnel (phase 1) negotiation.
|
232(X'E8') |
SMF119IS_IKETunStartTime |
4 |
Binary |
Tunnel start time. Indicates the time at
which the tunnel was activated or refreshed (in UNIX format).
|
236(X'EC') |
SMF119IS_IKETunMajorVer |
1 |
Binary |
Major version of the IKE protocol in use.
Only the low-order 4 bits are used. |
237(X'ED') |
SMF119IS_IKETunMinorVer |
1 |
Binary |
Minor version of the IKE protocol in use.
Only the low-order 4 bits are used. |
238(X'EE') |
SMF119IS_IKETunPseudoRandomFunc |
1 |
Binary |
Pseudo-random function used for seeding keying
material. One of the following values:
- SMF119IS_AUTH_HMAC_MD5 (38)
- SMF119IS_AUTH_HMAC_SHA1 (39)
- SMF119IS_AUTH_HMAC_SHA2_256 (15)
- SMF119IS_AUTH_HMAC_SHA2_384 (16)
- SMF119IS_AUTH_HMAC_SHA2_512 (17)
- SMF119IS_AUTH_AES128_XCBC (18)
|
239(X'EF') |
SMF119IS_IKETunLocalAuthMethod |
1 |
Binary |
The authentication method for the local endpoint.
One of the following values:
- SMF119IS_IKETUN_PRESHAREDKEY (3)
- SMF119IS_IKETUN_RSASIGNATURE (2)
- SMF119IS_IKETUN_ECDSA_256 (4)
- SMF119IS_IKETUN_ECDSA_384 (5)
- SMF119IS_IKETUN_ECDSA_521 (6)
- SMF119IS_IKETUN_DS (7)
|
240(X'F0') |
SMF119IS_IKETunReauthInterval |
4 |
Binary |
Reauthentication interval. Indicates the number
of seconds between reauthentication operations. |
244(X'F4') |
SMF119IS_IKETunReauthTime |
4 |
Binary |
Tunnel reauthentication time. Indicates the
time at which the tunnel is reauthenticated (in UNIX format). |
248(X'F8') |
SMF119IS_IKETunGeneration |
4 |
Binary |
Tunnel generation number. The first IKE tunnel
with a particular tunnel ID has generation 1. Subsequent refreshes
of this IKE tunnel have the same tunnel ID, but with higher generation
numbers. |
252(X'FC') |
SMF119IS_IKETunEncryptKeyLength |
4 |
Binary |
Encryption key length for variable-length algorithms,
in bits. This value is 0 for encryption algorithms that have a fixed
key length (such as DES and 3DES) and nonzero for encryption algorithms
that have a variable key length (such as AES-CBC).
Result: Example values are 128 and 256.
|
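The following Python sketch decodes selected fields of this section at the offsets listed above and reports tunnels that negotiated weak settings. It is an added example, not IBM code. The names `parse_ike_tunnel`, `audit` and `sample_section`, the audit policy, the sample bytes, and the use of code page 037 with blank or NUL padding for EBCDIC fields are all assumptions of the example.

```python
import ipaddress
import struct

# Masks and codes are copied from the table above.
FLAGS = {0x80000000: "IPv6", 0x40000000: "NATAllowed", 0x20000000: "LclNAT",
         0x10000000: "RmtNAT", 0x08000000: "RmtNAPT", 0x04000000: "CanInitP1",
         0x02000000: "FIPS140"}
AUTH_ALG = {38: "HMAC_MD5", 39: "HMAC_SHA1", 40: "HMAC_MD5_96",
            41: "HMAC_SHA1_96", 7: "HMAC_SHA2_256_128", 13: "HMAC_SHA2_384_192",
            14: "HMAC_SHA2_512_256", 9: "AES128_XCBC_96"}
PEER_AUTH = {2: "RSASIGNATURE", 3: "PRESHAREDKEY", 4: "ECDSA_256",
             5: "ECDSA_384", 6: "ECDSA_521"}
EXCH_MODE = {0: "N/A", 2: "MAIN", 4: "AGGRESSIVE"}
MIN_LEN = 256  # offset 252 + length 4, the last field listed above

def parse_ike_tunnel(sec: bytes) -> dict:
    """Decode selected fields (big-endian; EBCDIC assumed to be code page 037)."""
    if len(sec) < MIN_LEN:
        raise ValueError(f"section truncated: {len(sec)} of {MIN_LEN} bytes")
    flags = struct.unpack_from(">I", sec, 0)[0]
    # Endpt4 and Endpt6 overlay the same offset; the IPv6 flag picks the width.
    width = 16 if flags & 0x80000000 else 4
    return {
        "flags": [name for bit, name in FLAGS.items() if flags & bit],
        "tunnel_id": sec[4:52].decode("cp037").rstrip(" \x00"),
        "local": str(ipaddress.ip_address(sec[148:148 + width])),
        "remote": str(ipaddress.ip_address(sec[164:164 + width])),
        "exchange_mode": EXCH_MODE.get(sec[196], f"unknown({sec[196]})"),
        "auth_alg": AUTH_ALG.get(sec[198], f"unknown({sec[198]})"),
        "peer_auth": PEER_AUTH.get(sec[204], f"unknown({sec[204]})"),
        "ike_version": f"{sec[236] & 0x0F}.{sec[237] & 0x0F}",
    }

def audit(t: dict) -> list:
    """Findings for settings this example's (assumed) policy disallows."""
    checks = [("FIPS140" not in t["flags"], "FIPS 140 mode off"),
              ("MD5" in t["auth_alg"], "MD5-based authentication"),
              (t["exchange_mode"] == "AGGRESSIVE", "IKEv1 aggressive mode"),
              (t["peer_auth"] == "PRESHAREDKEY", "pre-shared key peer auth")]
    return [msg for hit, msg in checks if hit]

def sample_section() -> bytes:
    """Constructed sample: IKEv1, aggressive mode, PSK, HMAC-MD5, IPv4."""
    s = bytearray(MIN_LEN)
    struct.pack_into(">I", s, 0, 0x04000000)  # only CanInitP1 set
    s[4:52] = "K1".ljust(48).encode("cp037")
    s[148:152], s[164:168] = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7])
    s[196], s[198], s[204], s[236] = 4, 38, 3, 1
    return bytes(s)
```

Calling `audit(parse_ike_tunnel(sample_section()))` returns all four findings for the constructed tunnel.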