NMsIKETunIPv6 |
0, bit 0 |
1 bit |
Binary |
IPv6 indicator. If set, the IKE tunnel security
endpoints are IPv6 addresses, otherwise they are IPv4 |
NMsIKETunNATAllowed |
0, bit 1 |
1 bit |
Binary |
NAT traversal indicator. If set, the NAT traversal
function is enabled for this IKE tunnel. |
NMsIKETunLclNAT |
0, bit 2 |
1 bit |
Binary |
Local NAT indicator. If set, a NAT has been
detected in front of the local security endpoint. |
NMsIKETunRmtNAT |
0, bit 3 |
1 bit |
Binary |
Remote NAT indicator. If set, a NAT has been
detected in front of the remote security endpoint. |
NMsIKETunRmtNAPT |
0, bit 4 |
1 bit |
Binary |
Remote NAPT indicator. If set, an NAPT has
been detected in front of the remote security endpoint. It is possible
that an NAPT might exist but that it is detected only as a NAT. |
NMsIKETunCanInitP1 |
0, bit 5 |
1 bit |
Binary |
IKE tunnel (P1) initiation indicator. If this
field is set, the local security endpoint can initiate IKE tunnel
negotiations with the remote security endpoint; otherwise, the remote
security endpoint must initiate IKE tunnel negotiations. Either side
can initiate refreshes. |
NMsIKETunFIPS140 |
0, bit 6 |
1 bit |
Binary |
FIPS 140 mode indicator. If this field is set,
cryptographic operations for this IKE tunnel are performed using cryptographic
algorithms and modules that are designed to meet the FIPS 140 requirements;
otherwise, cryptographic algorithms and modules that do not meet
the FIPS 140 requirements might be used. |
NMsIKETunRsvd1 |
0, bit 7 |
25 bits |
Binary |
Reserved bits. |
NMsIKETunID |
4 |
48 bytes |
EBCDIC |
Tunnel ID for this IKE tunnel. |
NMsIKETunKeyExchRule |
52 |
48 bytes |
EBCDIC |
Key exchange rule name for this IKE tunnel. |
NMsIKETunKeyExchAction |
100 |
48 bytes |
EBCDIC |
Key exchange action name for this IKE tunnel. |
NMsIKETunLclEndpt4 |
148 |
4 bytes |
Binary |
IPv4 or IPv6 local security endpoint
for this IKE tunnel. |
NMsIKETunLclEndpt6 |
148 |
16 bytes |
Binary |
NMsIKETunRmtEndpt4 |
164 |
4 bytes |
Binary |
IPv4 or IPv6 remote security endpoint
for this IKE tunnel. |
NMsIKETunRmtEndpt6 |
164 |
16 bytes |
Binary |
NMsIKETunICookie |
180 |
8 bytes |
Binary |
The icookie for this IKE tunnel. |
NMsIKETunRCookie |
188 |
8 bytes |
Binary |
The rcookie for this IKE tunnel. |
NMsIKETunExchangeMode |
196 |
1 byte |
Binary |
Tunnel exchange mode. For IKEv1 SAs, the field
can have one of the following values:
- NMsec_IKETUN_EXCHMAIN (2)
- NMsec_IKETUN_EXCHAGGRESSIVE (4)
For IKEv2 SAs, this field is not applicable and the value
will be 0.
|
NMsIKETunState |
197 |
1 byte |
Binary |
Tunnel state. The field can have one of the
following values:
- NMsec_SASTATE_PENDING (2): Tunnel is awaiting negotiation.
- NMsec_SASTATE_INCOMPLETE (3): Tunnel is in negotiation.
- NMsec_SASTATE_ACTIVE (4): Tunnel is active.
- NMsec_SASTATE_EXPIRED (5): Tunnel is expired.
- NMsec_SASTATE_HALF_CLOSED (6): Tunnel is no longer being used by the local endpoint but the delete
  process has not been acknowledged by the remote endpoint. Applies
  to IKEv2 tunnels only.
|
NMsIKETunAuthAlg |
198 |
1 byte |
Binary |
Tunnel authentication algorithm. One of the
following values:
- NMsec_AUTH_HMAC_MD5 (38): The tunnel uses HMAC-MD5 authentication with the full 128-bit
  Integrity Check Value (ICV). This value is applicable only to IKEv1
  tunnels.
- NMsec_AUTH_HMAC_SHA1 (39): The tunnel uses HMAC-SHA1 authentication with the full 160-bit
  ICV. This value is applicable only to IKEv1 tunnels.
- NMsec_AUTH_HMAC_MD5_96 (40): The tunnel uses HMAC-MD5 authentication with ICV truncation to
  96 bits. This value is applicable only to IKEv2 tunnels.
- NMsec_AUTH_HMAC_SHA1_96 (41): The tunnel uses HMAC-SHA1 authentication with ICV truncation to
  96 bits. This value is applicable only to IKEv2 tunnels.
- NMsec_AUTH_HMAC_SHA2_256_128 (7): The tunnel uses HMAC-SHA2-256 authentication with ICV truncation
  to 128 bits.
- NMsec_AUTH_HMAC_SHA2_384_192 (13): The tunnel uses HMAC-SHA2-384 authentication with ICV truncation
  to 192 bits.
- NMsec_AUTH_HMAC_SHA2_512_256 (14): The tunnel uses HMAC-SHA2-512 authentication with ICV truncation
  to 256 bits.
- NMsec_AUTH_AES128_XCBC_96 (9): The tunnel uses AES128-XCBC authentication with ICV truncation
  to 96 bits.
|
NMsIKETunEncryptAlg |
199 |
1 byte |
Binary |
Tunnel encryption algorithm. The field can
have one of the following values:
- NMsec_ENCR_DES (18)
- NMsec_ENCR_3DES (3)
- NMsec_ENCR_AES_CBC (12): AES encryption algorithm in Cipher Block Chaining (CBC) mode.
  Also see the NMsIKETunEncryptKeyLength field, which identifies the
  key length in use.
|
NMsIKETunDHGroup |
200 |
4 bytes |
Binary |
Diffie-Hellman group used to generate keying
material for this IKE tunnel. |
NMsIKETunPeerAuthMethod |
204 |
1 byte |
Binary |
Tunnel peer authentication method. The field
can have one of the following values:
- NMsec_IKETUN_PRESHAREDKEY (3)
- NMsec_IKETUN_RSASIGNATURE (2)
- NMsec_IKETUN_ECDSA_256 (4)
- NMsec_IKETUN_ECDSA_384 (5)
- NMsec_IKETUN_ECDSA_521 (6)
|
NMsIKETunRole |
205 |
1 byte |
Binary |
Tunnel role. The field can have one of the
following values:
- NMsec_IKETUN_INITIATOR (1)
- NMsec_IKETUN_RESPONDER (2)
|
NMsIKETunNATTLevel |
206 |
1 byte |
Binary |
NAT traversal support level. The field can
have one of the following values:
- NMsec_IKETUN_NATTNONE (0): No NAT traversal support; either not configured or not negotiated.
- NMsec_IKETUN_NATTRFCD2 (1): RFC 3947 draft 2 support.
- NMsec_IKETUN_NATTRFCD3 (3): RFC 3947 draft 3 support.
- NMsec_IKETUN_NATTRFC (4): RFC 3947 support with non-z/OS peer.
- NMsec_IKETUN_NATTZOS (5): RFC 3947 support with z/OS® peer.
- NMsec_IKETUN_NATTV2 (6): RFC 5996 support with non-z/OS peer.
- NMsec_IKETUN_NATTV2ZOS (7): RFC 5996 support with z/OS peer.
|
NMsIKETunExtState |
207 |
1 byte |
Binary |
Extended tunnel state information. The field
can have one of the following values:
- NMsec_P1STATE_INIT (0): No key exchange messages have been initiated.
- NMsec_P1STATE_WAIT_SA (1): The first key exchange message has been sent and the endpoint
  is waiting for a response.
- NMsec_P1STATE_IN_KE (2): A key exchange response has been sent.
- NMsec_P1STATE_WAIT_KE (3): A key exchange message has been sent and the endpoint is waiting
  for a response.
- NMsec_P1STATE_DONE (4): All key exchange messages have been completed and the tunnel is
  available for data traffic.
- NMsec_P1STATE_EXPIRED (5): Tunnel has exceeded its lifetime or lifesize and is not available
  for data traffic.
- NMsec_P1STATE_WAIT_AUTH (6): An SA authorization request is in progress.
- NMsec_P1STATE_HALF_CLOSED (7): Tunnel is no longer being used by the local endpoint but the delete
  process has not been acknowledged by the remote endpoint. Applies
  to IKEv2 tunnels only.
See the NMsIKETunState field for more succinct state
information. |
NMsIKETunLifesize |
208 |
8 bytes |
Binary |
Tunnel lifesize. If not 0, indicates the negotiated
lifesize limit for the tunnel, in bytes. |
NMsIKETunLifetime |
216 |
4 bytes |
Binary |
Negotiated tunnel lifetime. Indicates the total
number of seconds the tunnel remains active. |
NMsIKETunLifetimeRefresh |
220 |
4 bytes |
Binary |
Tunnel lifetime refresh. Indicates the time
at which the tunnel is refreshed, in UNIX format. |
NMsIKETunLifetimeExpire |
224 |
4 bytes |
Binary |
Tunnel lifetime expiration. Indicates the time
at which the tunnel expires, in UNIX format. |
NMsIKETunRmtUDPPort |
228 |
2 bytes |
Binary |
Remote UDP port used for IKE negotiations. |
NMsIKETunLIDType |
230 |
1 byte |
Binary |
ISAKMP identity type for the local security
endpoint identity, as defined in RFC 2407. ISAKMP peers exchange
and verify each other's identities as part of the IKE tunnel (phase
1) negotiation.
|
NMsIKETunRIDType |
231 |
1 byte |
Binary |
ISAKMP identity type for the remote security
endpoint identity, as defined in RFC 2407. ISAKMP peers exchange
and verify each other's identities as part of the IKE tunnel (phase
1) negotiation.
|
NMsIKETunStartTime |
232 |
4 bytes |
Binary |
Tunnel start time. Indicates the time at which
the tunnel was activated or refreshed, in UNIX format. |
NMsIKETunMajorVer |
236 |
1 byte |
Binary |
Major version of the IKE protocol that is in
use. Only the low-order 4 bits are used. |
NMsIKETunMinorVer |
237 |
1 byte |
Binary |
Minor version of the IKE protocol that is in
use. Only the low-order 4 bits are used. |
NMsIKETunPseudoRandomFunc |
238 |
1 byte |
Binary |
Pseudo-random function that is used to seed
keying material. The field can have one of the following values:
- NMsec_AUTH_HMAC_MD5 (38)
- NMsec_AUTH_HMAC_SHA1 (39)
- NMsec_AUTH_HMAC_SHA2_256 (15)
- NMsec_AUTH_HMAC_SHA2_384 (16)
- NMsec_AUTH_HMAC_SHA2_512 (17)
- NMsec_AUTH_AES128_XCBC (18)
|
NMsIKETunLocalAuthMethod |
239 |
1 byte |
Binary |
The authentication method for the local endpoint.
The field can have one of the following values:
- NMsec_IKETUN_PRESHAREDKEY (3)
- NMsec_IKETUN_RSASIGNATURE (2)
- NMsec_IKETUN_ECDSA_256 (4)
- NMsec_IKETUN_ECDSA_384 (5)
- NMsec_IKETUN_ECDSA_521 (6)
- NMsec_IKETUN_DS (7)
|
NMsIKETunReauthInterval |
240 |
4 bytes |
Binary |
Re-authentication interval. Indicates the number
of seconds between re-authentication operations. |
NMsIKETunReauthTime |
244 |
4 bytes |
Binary |
Tunnel re-authentication time. Indicates the
time at which the tunnel is re-authenticated, in UNIX format. |
NMsIKETunGeneration |
248 |
4 bytes |
Binary |
Tunnel generation number. The first IKE tunnel
that has a particular tunnel ID is generation 1. Subsequent refreshes
of this IKE tunnel will have the same tunnel ID but will have higher
generation numbers. |
NMsIKETunEncryptKeyLength |
252 |
4 bytes |
Binary |
Encryption key length for variable-length algorithms,
in bits. This value is 0 for encryption algorithms that have a fixed
key length, such as DES and 3DES, and is a nonzero value for encryption
algorithms that have a variable key length, such as AES-CBC. Example values are 128 and 256.
|
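The layout above can be decoded directly from a captured record to review the negotiated protection of each tunnel. The following Python sketch is an added example, not code from the original page or from the product: the function names `parse_ike_tunnel`, `audit` and `sample_record` are hypothetical, the audit criteria are this example's own choice, and it assumes big-endian integers, that "bit 0" is the high-order bit of the first word, and that EBCDIC text uses code page 037.

```python
import ipaddress
import struct

# Value names and numbers copied from the field table above.
ENCR = {18: "DES", 3: "3DES", 12: "AES_CBC"}
AUTH = {38: "HMAC_MD5", 39: "HMAC_SHA1", 40: "HMAC_MD5_96", 41: "HMAC_SHA1_96",
        7: "HMAC_SHA2_256_128", 13: "HMAC_SHA2_384_192",
        14: "HMAC_SHA2_512_256", 9: "AES128_XCBC_96"}
STATE = {2: "PENDING", 3: "INCOMPLETE", 4: "ACTIVE", 5: "EXPIRED", 6: "HALF_CLOSED"}
FLAGS = ["IPv6", "NATAllowed", "LclNAT", "RmtNAT", "RmtNAPT", "CanInitP1", "FIPS140"]

def parse_ike_tunnel(rec):
    """Decode selected fields at offsets 0-255 of one record (hypothetical helper)."""
    if len(rec) < 256:
        raise ValueError("need the 256 bytes covered by the table")
    # Assumptions: big-endian integers; "bit 0" is the high-order bit of the word.
    (word,) = struct.unpack_from(">I", rec, 0)
    flags = {n: bool(word >> (31 - i) & 1) for i, n in enumerate(FLAGS)}
    alen = 16 if flags["IPv6"] else 4      # Endpt4/Endpt6 overlay the same offset
    mode, state, auth, encr = struct.unpack_from(">4B", rec, 196)
    return {
        "flags": flags,
        "tunnel_id": rec[4:52].decode("cp037").rstrip(" \x00"),
        "local": str(ipaddress.ip_address(bytes(rec[148:148 + alen]))),
        "remote": str(ipaddress.ip_address(bytes(rec[164:164 + alen]))),
        "exchange_mode": mode,
        "state": STATE.get(state, f"unknown({state})"),
        "auth": AUTH.get(auth, f"unknown({auth})"),
        "encrypt": ENCR.get(encr, f"unknown({encr})"),
    }

def audit(t):
    """Return review findings for one decoded tunnel (criteria are this example's)."""
    checks = [
        (not t["flags"]["FIPS140"], "FIPS 140 mode is off"),
        (t["encrypt"] == "DES", "DES encryption"),
        (t["auth"].startswith("HMAC_MD5"), "HMAC-MD5 authentication"),
        (t["exchange_mode"] == 4, "IKEv1 aggressive mode"),
    ]
    return [msg for hit, msg in checks if hit]

def sample_record():
    """Constructed sample: IPv4 tunnel, aggressive mode, ACTIVE, HMAC-MD5, DES."""
    rec = bytearray(256)
    struct.pack_into(">I", rec, 0, (1 << 30) | (1 << 26))   # NATAllowed, CanInitP1
    rec[4:52] = "K1".ljust(48).encode("cp037")
    rec[148:152] = ipaddress.ip_address("192.0.2.1").packed
    rec[164:168] = ipaddress.ip_address("198.51.100.7").packed
    rec[196:200] = bytes([4, 4, 38, 18])
    return bytes(rec)
```

Calling `audit(parse_ike_tunnel(sample_record()))` returns all four findings for the constructed record.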