z/OS Communications Server: IP Programmer's Guide and Reference


NMsec_GET_IKETUN

SC27-3659-02

Figure 1. NMsec_GET_IKETUN response format
The NMsec_GET_IKETUN response consists of the NMsecMessageHdr field and response records.

For the requested stack, zero or more records are returned representing IKE security associations (IKE tunnels) used by IKE to negotiate IPSec security associations (dynamic tunnels) for the given TCP/IP stack. Tunnels are presented in an unordered sequence, except that instances of a particular tunnel family (all sharing the same tunnel ID) are ordered from the most recently activated to the least recently activated. Each record contains the following sections:

  • One section, NMsecIKETunnel, describes attributes of the IKE security association. This section contains the following data.
    Table 1. NMsecIKETunnel structure
    Field Offset Length Format Description
    NMsIKETunIPv6 0, bit 0 1 bit Binary IPv6 indicator. If set, the IKE tunnel security endpoints are IPv6 addresses and the 16-byte NMsIKETunLclEndpt6 and NMsIKETunRmtEndpt6 fields are valid; otherwise they are IPv4 addresses and the 4-byte NMsIKETunLclEndpt4 and NMsIKETunRmtEndpt4 fields are valid.
    NMsIKETunNATAllowed 0, bit 1 1 bit Binary NAT traversal indicator. If set, the NAT traversal function is enabled for this IKE tunnel.
    NMsIKETunLclNAT 0, bit 2 1 bit Binary Local NAT indicator. If set, a NAT has been detected in front of the local security endpoint.
    NMsIKETunRmtNAT 0, bit 3 1 bit Binary Remote NAT indicator. If set, a NAT has been detected in front of the remote security endpoint.
    NMsIKETunRmtNAPT 0, bit 4 1 bit Binary Remote NAPT indicator. If set, an NAPT has been detected in front of the remote security endpoint. It is possible that an NAPT might exist but that it is detected only as a NAT.
    NMsIKETunCanInitP1 0, bit 5 1 bit Binary IKE tunnel (P1) initiation indicator. If this field is set, the local security endpoint can initiate IKE tunnel negotiations with the remote security endpoint; otherwise, the remote security endpoint must initiate IKE tunnel negotiations. Either side can initiate refreshes.
    NMsIKETunFIPS140 0, bit 6 1 bit Binary FIPS 140 mode indicator. If this field is set, cryptographic operations for this IKE tunnel are performed using cryptographic algorithms and modules that are designed to meet the FIPS 140 requirements; otherwise, cryptographic algorithms and modules that do not meet the FIPS 140 requirements might be used.
    NMsIKETunRsvd1 0, bit 7 25 bits Binary Reserved bits.
    NMsIKETunID 4 48 bytes EBCDIC Tunnel ID for this IKE tunnel.
    NMsIKETunKeyExchRule 52 48 bytes EBCDIC Key exchange rule name for this IKE tunnel.
    NMsIKETunKeyExchAction 100 48 bytes EBCDIC Key exchange action name for this IKE tunnel.
    NMsIKETunLclEndpt4 148 4 bytes Binary IPv4 local security endpoint for this IKE tunnel. Valid when NMsIKETunIPv6 is not set.
    NMsIKETunLclEndpt6 148 16 bytes Binary IPv6 local security endpoint for this IKE tunnel. Valid when NMsIKETunIPv6 is set. The IPv4 and IPv6 forms overlay the same 16 bytes of storage at offset 148.
    NMsIKETunRmtEndpt4 164 4 bytes Binary IPv4 remote security endpoint for this IKE tunnel. Valid when NMsIKETunIPv6 is not set.
    NMsIKETunRmtEndpt6 164 16 bytes Binary IPv6 remote security endpoint for this IKE tunnel. Valid when NMsIKETunIPv6 is set. The IPv4 and IPv6 forms overlay the same 16 bytes of storage at offset 164.
    NMsIKETunICookie 180 8 bytes Binary The icookie for this IKE tunnel.
    NMsIKETunRCookie 188 8 bytes Binary The rcookie for this IKE tunnel.
    NMsIKETunExchangeMode 196 1 byte Binary Tunnel exchange mode. For IKEv1 SAs, the field can have one of the following values:
    • NMsec_IKETUN_EXCHMAIN (2)
    • NMsec_IKETUN_EXCHAGGRESSIVE (4)

    For IKEv2 SAs, this field is not applicable and the value will be 0.

    NMsIKETunState 197 1 byte Binary Tunnel state. The field can have one of the following values:
    NMsec_SASTATE_PENDING (2)
    Tunnel is awaiting negotiation.
    NMsec_SASTATE_INCOMPLETE (3)
    Tunnel is in negotiation.
    NMsec_SASTATE_ACTIVE (4)
    Tunnel is active.
    NMsec_SASTATE_EXPIRED (5)
    Tunnel is expired.
    NMsec_SASTATE_HALF_CLOSED (6)
    Tunnel is no longer being used by the local endpoint but the delete process has not been acknowledged by the remote endpoint. Applies to IKEv2 tunnels only.
    NMsIKETunAuthAlg 198 1 byte Binary Tunnel authentication algorithm. One of the following values:
    NMsec_AUTH_HMAC_MD5 (38)
    The tunnel uses HMAC-MD5 authentication with the full 128-bit Integrity Check Value (ICV). This value is applicable only to IKEv1 tunnels.
    NMsec_AUTH_HMAC_SHA1 (39)
    The tunnel uses HMAC-SHA1 authentication with the full 160-bit ICV. This value is applicable only to IKEv1 tunnels.
    NMsec_AUTH_HMAC_MD5_96 (40)
    The tunnel uses HMAC-MD5 authentication with ICV truncation to 96 bits. This value is applicable only to IKEv2 tunnels.
    NMsec_AUTH_HMAC_SHA1_96 (41)
    The tunnel uses HMAC-SHA1 authentication with ICV truncation to 96 bits. This value is applicable only to IKEv2 tunnels.
    NMsec_AUTH_HMAC_SHA2_256_128 (7)
    The tunnel uses HMAC-SHA2-256 authentication with ICV truncation to 128 bits.
    NMsec_AUTH_HMAC_SHA2_384_192 (13)
    The tunnel uses HMAC-SHA2-384 authentication with ICV truncation to 192 bits.
    NMsec_AUTH_HMAC_SHA2_512_256 (14)
    The tunnel uses HMAC-SHA2-512 authentication with ICV truncation to 256 bits.
    NMsec_AUTH_AES128_XCBC_96 (9)
    The tunnel uses AES128-XCBC authentication with ICV truncation to 96 bits.
    NMsIKETunEncryptAlg 199 1 byte Binary Tunnel encryption algorithm. The field can have one of the following values:
    NMsec_ENCR_DES (18)
    NMsec_ENCR_3DES (3)
    NMsec_ENCR_AES_CBC (12)
    AES encryption algorithm in Cipher Block Chaining (CBC) mode. Also see the NMsIKETunEncryptKeyLength field, which identifies the key length in use.
    NMsIKETunDHGroup 200 4 bytes Binary Diffie-Hellman group used to generate keying material for this IKE tunnel.
    NMsIKETunPeerAuthMethod 204 1 byte Binary Tunnel peer authentication method. The field can have one of the following values:
    • NMsec_IKETUN_PRESHAREDKEY (3)
    • NMsec_IKETUN_RSASIGNATURE (2)
    • NMsec_IKETUN_ECDSA_256 (4)
    • NMsec_IKETUN_ECDSA_384 (5)
    • NMsec_IKETUN_ECDSA_521 (6)
    NMsIKETunRole 205 1 byte Binary Tunnel role. The field can have one of the following values:
    • NMsec_IKETUN_INITIATOR (1)
    • NMsec_IKETUN_RESPONDER (2)
    NMsIKETunNATTLevel 206 1 byte Binary NAT traversal support level. The field can have one of the following values:
    NMsec_IKETUN_NATTNONE (0)
    No NAT traversal support; either not configured or not negotiated.
    NMsec_IKETUN_NATTRFCD2 (1)
    RFC 3947 draft 2 support.
    NMsec_IKETUN_NATTRFCD3 (3)
    RFC 3947 draft 3 support.
    NMsec_IKETUN_NATTRFC (4)
    RFC 3947 support with non-z/OS peer.
    NMsec_IKETUN_NATTZOS (5)
    RFC 3947 support with z/OS® peer.
    NMsec_IKETUN_NATTV2 (6)
    RFC 5996 support with non-z/OS peer.
    NMsec_IKETUN_NATTV2ZOS (7)
    RFC 5996 support with z/OS peer.
    NMsIKETunExtState 207 1 byte Binary Extended tunnel state information. The field can have one of the following values:
    NMsec_P1STATE_INIT (0)
    No key exchange messages have been initiated.
    NMsec_P1STATE_WAIT_SA (1)
    The first key exchange message has been sent and the endpoint is waiting for a response.
    NMsec_P1STATE_IN_KE (2)
    A key exchange response has been sent.
    NMsec_P1STATE_WAIT_KE (3)
    A key exchange message has been sent and the endpoint is waiting for a response.
    NMsec_P1STATE_DONE (4)
    All key exchange messages have been completed and the tunnel is available for data traffic.
    NMsec_P1STATE_EXPIRED (5)
    Tunnel has exceeded its lifetime or lifesize and is not available for data traffic.
    NMsec_P1STATE_WAIT_AUTH (6)
    An SA authorization request is in progress.
    NMsec_P1STATE_HALF_CLOSED (7)
    Tunnel is no longer being used by the local endpoint but the delete process has not been acknowledged by the remote endpoint. Applies to IKEv2 tunnels only.
    See the NMsIKETunState field for more succinct state information.
    NMsIKETunLifesize 208 8 bytes Binary Tunnel lifesize. If not 0, indicates the negotiated lifesize limit for the tunnel, in bytes.
    NMsIKETunLifetime 216 4 bytes Binary Negotiated tunnel lifetime. Indicates the total number of seconds the tunnel remains active.
    NMsIKETunLifetimeRefresh 220 4 bytes Binary Tunnel lifetime refresh. Indicates the time at which the tunnel is refreshed, in UNIX format.
    NMsIKETunLifetimeExpire 224 4 bytes Binary Tunnel lifetime expiration. Indicates the time at which the tunnel expires, in UNIX format.
    NMsIKETunRmtUDPPort 228 2 bytes Binary Remote UDP port used for IKE negotiations.
    NMsIKETunLIDType 230 1 byte Binary ISAKMP identity type for the local security endpoint identity, as defined in RFC 2407.

    ISAKMP peers exchange and verify each other's identities as part of the IKE tunnel (phase 1) negotiation.

    NMsIKETunRIDType 231 1 byte Binary ISAKMP identity type for the remote security endpoint identity, as defined in RFC 2407.

    ISAKMP peers exchange and verify each other's identities as part of the IKE tunnel (phase 1) negotiation.

    NMsIKETunStartTime 232 4 bytes Binary Tunnel start time. Indicates the time at which the tunnel was activated or refreshed, in UNIX format.
    NMsIKETunMajorVer 236 1 byte Binary Major version of the IKE protocol that is in use. Only the low-order 4 bits are used.
    NMsIKETunMinorVer 237 1 byte Binary Minor version of the IKE protocol that is in use. Only the low-order 4 bits are used.
    NMsIKETunPseudoRandomFunc 238 1 byte Binary Pseudo-random function that is used to seed keying material. The field can have one of the following values:
    • NMsec_AUTH_HMAC_MD5 (38)
    • NMsec_AUTH_HMAC_SHA1 (39)
    • NMsec_AUTH_HMAC_SHA2_256 (15)
    • NMsec_AUTH_HMAC_SHA2_384 (16)
    • NMsec_AUTH_HMAC_SHA2_512 (17)
    • NMsec_AUTH_AES128_XCBC (18)
    NMsIKETunLocalAuthMethod 239 1 byte Binary The authentication method for the local endpoint. The field can have one of the following values:
    • NMsec_IKETUN_PRESHAREDKEY (3)
    • NMsec_IKETUN_RSASIGNATURE (2)
    • NMsec_IKETUN_ECDSA_256 (4)
    • NMsec_IKETUN_ECDSA_384 (5)
    • NMsec_IKETUN_ECDSA_521 (6)
    • NMsec_IKETUN_DS (7)
    NMsIKETunReauthInterval 240 4 bytes Binary Re-authentication interval. Indicates the number of seconds between re-authentication operations.
    NMsIKETunReauthTime 244 4 bytes Binary Tunnel re-authentication time. Indicates the time at which the tunnel is re-authenticated, in UNIX format.
    NMsIKETunGeneration 248 4 bytes Binary Tunnel generation number. The first IKE tunnel that has a particular tunnel ID is generation 1. Subsequent refreshes of this IKE tunnel will have the same tunnel ID but will have higher generation numbers.
    NMsIKETunEncryptKeyLength 252 4 bytes Binary Encryption key length for variable-length algorithms, in bits. This value is 0 for encryption algorithms that have a fixed key length, such as DES and 3DES, and is a nonzero value for encryption algorithms that have a variable key length, such as AES-CBC.
    Result: Example values are 128 and 256.
  • One section, NMsecIKETunStats, indicates various counters and statistics for the IKE tunnel. This section contains the following data.
    Table 2. IKE tunnel statistics
    Field Offset Length Format Description
    NMsIKETunP2Current 0 4 bytes Binary Current count of active dynamic tunnels that are associated with this IKE tunnel.
    NMsIKETunP2InProgress 4 4 bytes Binary Current count of pending or in-progress dynamic tunnels that are associated with this IKE tunnel.
    NMsIKETunP2LclActSuccess 8 4 bytes Binary Cumulative count of successful dynamic tunnel activations that were initiated locally for this IKE tunnel.
    NMsIKETunP2RmtActSuccess 12 4 bytes Binary Cumulative count of successful dynamic tunnel activations that were initiated remotely for this IKE tunnel.
    NMsIKETunP2LclActFailure 16 4 bytes Binary Cumulative count of failed dynamic tunnel activations that were initiated locally for this IKE tunnel.
    NMsIKETunP2RmtActFailure 20 4 bytes Binary Cumulative count of failed dynamic tunnel activations that were initiated remotely for this IKE tunnel.
    NMsIKETunBytes 24 8 bytes Binary Cumulative number of bytes that were protected by this IKE tunnel.
    NMsIKETunP1Rexmit 32 8 bytes Binary Cumulative number of retransmitted key exchange (phase 1) messages sent for this tunnel over the life of the IKE daemon. This data is cumulative even across TCP/IP restarts.
    NMsIKETunP1Replay 40 8 bytes Binary Cumulative number of replayed key exchange (phase 1) messages received for this tunnel over the life of the IKE daemon. This data is cumulative even across TCP/IP restarts.
    NMsIPIKETunP2Rexmit 48 8 bytes Binary Cumulative number of retransmitted QUICKMODE (phase 2) messages sent for this tunnel over the life of the IKE daemon. This data is cumulative even across TCP/IP restarts.
    NMsIPIKEStatsP2Replay 56 8 bytes Binary Cumulative number of replayed QUICKMODE (phase 2) messages received for this tunnel over the life of the IKE daemon. This data is cumulative even across TCP/IP restarts.
  • One variable-length section contains the contents of the local identity used to negotiate the IKE tunnel. Regardless of the type of the identity, the identity is expressed as an EBCDIC string. An IP address is returned in printable form. A key ID is returned as an EBCDIC string of hex values.
  • One variable-length section contains the contents of the remote identity used to negotiate the IKE tunnel. Regardless of the identity's type, it is expressed as an EBCDIC string. An IP address is returned in printable form. A key ID is returned as an EBCDIC string of hex values.
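The two fixed-length sections above (NMsecIKETunnel in Table 1 and NMsecIKETunStats in Table 2) decode mechanically from the listed offsets. The following Python decoder is an added example and is not code from IBM or from z/OS Communications Server. It assumes the record is big-endian at the byte offsets in the tables, that the 4-byte and 16-byte endpoint fields overlay the same storage with NMsIKETunIPv6 selecting the valid form, that EBCDIC fields are code page 037 and blank-padded, and that timestamps are seconds since the UNIX epoch. The NMsecMessageHdr and the two variable-length identity sections are not parsed because their length fields are described elsewhere in this reference. The sample record is constructed with made-up values, and the thresholds in weak_crypto_findings (64-bit block ciphers, HMAC-MD5, DH groups below 14, IKEv1 aggressive mode with a pre-shared key, non-FIPS mode) are this example's own audit policy, not anything the NMsec interface defines.

```python
"""Decoder for the NMsecIKETunnel (Table 1) and NMsecIKETunStats (Table 2)
sections of one NMsec_GET_IKETUN record. Added example, not IBM code."""
import struct
from datetime import datetime, timezone
from ipaddress import IPv4Address, IPv6Address

# Field order and sizes follow Table 1; z/OS data is big-endian.
TUNNEL_FMT = ">I48s48s48s16s16s8s8sBBBBIBBBBQIIIHBBIBBBBIIII"
TUNNEL_LEN = struct.calcsize(TUNNEL_FMT)   # 256 bytes
STATS_FMT = ">6I5Q"                         # Table 2 layout
STATS_LEN = struct.calcsize(STATS_FMT)      # 64 bytes

# "0, bit 0" in Table 1 is the high-order bit of the first 4-byte word.
FLAGS = {"IPv6": 0x80000000, "NATAllowed": 0x40000000, "LclNAT": 0x20000000,
         "RmtNAT": 0x10000000, "RmtNAPT": 0x08000000, "CanInitP1": 0x04000000,
         "FIPS140": 0x02000000}
STATE = {2: "PENDING", 3: "INCOMPLETE", 4: "ACTIVE", 5: "EXPIRED", 6: "HALF_CLOSED"}
AUTH = {38: "HMAC_MD5", 39: "HMAC_SHA1", 40: "HMAC_MD5_96", 41: "HMAC_SHA1_96",
        7: "HMAC_SHA2_256_128", 13: "HMAC_SHA2_384_192", 14: "HMAC_SHA2_512_256",
        9: "AES128_XCBC_96"}
ENCR = {18: "DES", 3: "3DES", 12: "AES_CBC"}
AUTH_METHOD = {3: "PRESHAREDKEY", 2: "RSASIGNATURE", 4: "ECDSA_256",
               5: "ECDSA_384", 6: "ECDSA_521", 7: "DS"}
EXCH = {0: "N/A (IKEv2)", 2: "MAIN", 4: "AGGRESSIVE"}
STATS_NAMES = ("p2_current", "p2_in_progress", "p2_lcl_act_success",
               "p2_rmt_act_success", "p2_lcl_act_failure", "p2_rmt_act_failure",
               "bytes", "p1_rexmit", "p1_replay", "p2_rexmit", "p2_replay")


def _ebcdic(raw):
    """Decode a blank-padded EBCDIC (code page 037) field."""
    return raw.decode("cp037").rstrip(" \x00")


def _utc(t):
    """UNIX-format timestamp to ISO 8601 UTC; 0 is treated as 'not set'."""
    return datetime.fromtimestamp(t, timezone.utc).isoformat() if t else None


def parse_tunnel(buf):
    """Decode the NMsecIKETunnel section at the start of buf."""
    f = struct.unpack(TUNNEL_FMT, buf[:TUNNEL_LEN])
    flags = {name: bool(f[0] & bit) for name, bit in FLAGS.items()}
    # Endpoint4/Endpoint6 overlay the same bytes; NMsIKETunIPv6 picks the form.
    addr, size = (IPv6Address, 16) if flags["IPv6"] else (IPv4Address, 4)
    return {
        "flags": flags,
        "id": _ebcdic(f[1]), "rule": _ebcdic(f[2]), "action": _ebcdic(f[3]),
        "local": str(addr(f[4][:size])), "remote": str(addr(f[5][:size])),
        "icookie": f[6].hex(), "rcookie": f[7].hex(),
        "exchange_mode": EXCH.get(f[8], f[8]), "state": STATE.get(f[9], f[9]),
        "auth_alg": AUTH.get(f[10], f[10]), "encr_alg": ENCR.get(f[11], f[11]),
        "dh_group": f[12], "peer_auth": AUTH_METHOD.get(f[13], f[13]),
        "role": {1: "INITIATOR", 2: "RESPONDER"}.get(f[14], f[14]),
        "natt_level": f[15], "ext_state": f[16], "lifesize": f[17],
        "lifetime": f[18], "refresh_at": _utc(f[19]), "expire_at": _utc(f[20]),
        "remote_port": f[21], "lid_type": f[22], "rid_type": f[23],
        "start": _utc(f[24]),
        "version": f"{f[25] & 0x0F}.{f[26] & 0x0F}",   # low-order 4 bits only
        "prf": f[27], "local_auth": AUTH_METHOD.get(f[28], f[28]),
        "reauth_interval": f[29], "reauth_at": _utc(f[30]),
        "generation": f[31], "key_bits": f[32],
    }


def parse_stats(buf):
    """Decode the NMsecIKETunStats section at the start of buf."""
    return dict(zip(STATS_NAMES, struct.unpack(STATS_FMT, buf[:STATS_LEN])))


def weak_crypto_findings(t):
    """Audit checks over a decoded tunnel; thresholds are this example's policy."""
    out = []
    if t["encr_alg"] in ("DES", "3DES"):
        out.append(f"{t['encr_alg']}: 64-bit block cipher")
    if t["auth_alg"] in ("HMAC_MD5", "HMAC_MD5_96"):
        out.append("HMAC-MD5 integrity")
    if t["dh_group"] < 14:
        out.append(f"DH group {t['dh_group']} weaker than 2048-bit MODP (group 14)")
    if t["exchange_mode"] == "AGGRESSIVE" and t["peer_auth"] == "PRESHAREDKEY":
        out.append("IKEv1 aggressive mode with PSK: hash exposed to offline guessing")
    if not t["flags"]["FIPS140"]:
        out.append("tunnel not negotiated in FIPS 140 mode")
    return out


def build_sample_record(ipv6=False):
    """Constructed sample (made-up values): active IKEv1 main-mode tunnel,
    3DES/HMAC-SHA1, DH group 2, pre-shared key, FIPS 140 mode off."""
    flags = FLAGS["NATAllowed"] | FLAGS["CanInitP1"] | (FLAGS["IPv6"] if ipv6 else 0)
    if ipv6:
        lcl, rmt = IPv6Address("2001:db8::1").packed, IPv6Address("2001:db8::2").packed
    else:  # IPv4 form occupies the first 4 of the 16 overlaid bytes
        lcl, rmt = (IPv4Address(a).packed.ljust(16, b"\0") for a in ("10.1.1.1", "192.0.2.10"))
    pad = lambda s: s.ljust(48).encode("cp037")
    tunnel = struct.pack(
        TUNNEL_FMT, flags, pad("K2"), pad("Rule-PartnerA"), pad("Act-PartnerA"), lcl, rmt,
        bytes.fromhex("0102030405060708"), bytes.fromhex("a1a2a3a4a5a6a7a8"),
        2, 4, 39, 3, 2, 3, 1, 0, 4,            # MAIN, ACTIVE, SHA1, 3DES, DH2, PSK, initiator, no NATT, P1 DONE
        0, 86400, 1700080000, 1700086400, 500, 1, 1, 1700000000,
        1, 0, 39, 3, 0, 0, 1, 0)               # IKEv1.0, PRF SHA1, local PSK, no reauth, gen 1, fixed key
    stats = struct.pack(STATS_FMT, 2, 0, 5, 1, 0, 0, 123456, 0, 0, 1, 0)
    return tunnel + stats


if __name__ == "__main__":
    rec = build_sample_record()
    t, s = parse_tunnel(rec), parse_stats(rec[TUNNEL_LEN:])
    print(t["id"], t["local"], "->", t["remote"], t["state"], "IKE", t["version"])
    print("active P2 SAs:", s["p2_current"], "findings:", weak_crypto_findings(t))
```

Running the block prints the decoded sample and three findings (3DES, DH group 2, FIPS 140 mode off). The same decoder handles the IPv6 case by honouring NMsIKETunIPv6 before slicing the endpoint bytes, which is the one place a naive fixed-width parse of this table goes wrong.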

Copyright IBM Corporation 1990, 2014