Use
the KeyExchangePolicy statement to define a key exchange policy.
The Key exchange policy is consulted when creating a phase 1 security
association for a dynamic VPN. The KeyExchangePolicy statement can
contain a combination of references to global KeyExchangeGroup statements,
references to global KeyExchangeRule statements, and inline KeyExchangeRule
statements.
When acting as the responder of an IKE version
1 main mode or an IKE version 2 phase 1 exchange, the IKE daemon continues
negotiation without knowing the identity of the remote endpoint, as
long as the suggested algorithms are supported by the IKE daemon.
Any
SA agreed to before the identity of both parties are known is verified
when the identity of both parties become known. If the SA is not
consistent with the defined key exchange policy, the phase 1 negotiation
fails. If the SA is consistent with the defined key exchange policy,
the phase 1 negotiation continues.
The KeyExchangePolicy statement
can appear in the common IPSec policy file, a stack-specific IPSec
policy file, or both. If it appears in both, Policy Agent only uses
the statement contained in the stack-specific IPSec policy file.
It should appear at most only once in each file. If it appears multiple
times in a file, the last one encountered is used.
Requirement: The
KeyExchangePolicy statement is required to define key exchange policies
to the Policy Agent.
Result: If the KeyExchangePolicy
statement is deleted, then all KeyExchange policies are deleted from
the IKE daemon for the corresponding stack.
Syntax
>>-KeyExchangePolicy--| Put Braces and Parameters on Separate Lines |-><
Put Braces and Parameters on Separate Lines
|--+-{--------------------------------+-------------------------|
+-| KeyExchangePolicy Parameters |-+
'-}--------------------------------'
KeyExchangePolicy Parameters
.-AllowNat--no------. .-NatKeepAliveInterval--20-------. .-LivenessInterval--30-------. .-HowToInitiate--Main-----------.
|----+-------------------+--+--------------------------------+--+----------------------------+--+-------------------------------+----|
'-AllowNat--+-Yes-+-' '-NatKeepAliveInterval--interval-' '-LivenessInterval--interval-' '-HowToInitiate--+-Main-------+-'
'-No--' +-Aggressive-+
+-IKEv2------+
'-DoNot------'
.------------------------------.
V |
|----+-KeyExchangeRule----------+-+----------------------------->
+-KeyExchangeRuleRef name--+
'-KeyExchangeGroupRef name-'
.-BypassIpValidation--No------.
>--+-----------------------------+------------------------------>
'-BypassIpValidation--+-Yes-+-'
'-No--'
.-RevocationChecking -Loose------.
>--+--------------------------------+--------------------------->
'-RevocationChecking--+-None---+-'
+-Loose--+
'-Strict-'
.-CertificateURLLookupPreference--Tolerate-----.
>--+----------------------------------------------+-------------|
'-CertificateURLLookupPreference--+-Allow----+-'
+-Tolerate-+
'-Disallow-'
Parameters
- AllowNat
- Indicates whether negotiations that use NAT traversal techniques
are allowed when the AllowNat parameter is omitted from a KeyExchangeAction statement.
The value Yes indicates that negotiations that use NAT traversal techniques
are allowed when the AllowNat parameter is omitted from a KeyExchangeAction statement.
The value No indicates that negotiations that use NAT traversal techniques
are not allowed when the AllowNat parameter is omitted from a KeyExchangeAction statement.
The default value is No.
Rule: If you change the AllowNat
setting, the change is effective immediately for any new phase 1 security
associations (SAs) that are negotiated. For existing phase 1 SAs,
the change takes effect when the phase 1 SA is refreshed.
Tip: Setting
the AllowNat to No prevents the IKE daemon from sending NAT payloads
or processing received NAT payloads as part of the tunnel negotiation.
In some cases. tunnels traversing one or more NATs can still be activated
even when AllowNat is set to No. However, such tunnels are normally
unusable because of the known incompatibilities between IPsec and
NAT documented in RFC 3715.
- NatKeepAliveInterval
- When the IKE server is behind a NAT device it might need to send
NAT keepalive messages to remote security endpoints. These keepalive
messages must be sent to a remote security endpoint when all of the
following conditions are true:
- IKE is behind a NAT device that dynamically maps IKE's IP address
to a public IP address.
- A phase 1 SA exists with that remote security endpoint.
- No other packets have been sent to that remote security endpoint
within a configured inactivity interval.
The purpose of a NAT keepalive message is to prevent a NAT device
from expiring dynamic NAT mappings. NAT keep alive messages are not
required when no NAT device is in front of the IKE server or when
the NAT device in front of the IKE server statically maps the IKE
servers IP address to a public IP address. - interval
- The configured inactivity interval in seconds. Valid values are
0 or within the range 20-999. A value of 0 indicates that NAT keepalive
messages should never be sent. A value in the range 20 - 999 indicates
the number of seconds of inactivity that triggers the sending of a
NAT keepalive message. The default is 20 seconds.
Rule: A change to the NatKeepAliveInterval
interval is effective immediately for any new timer started. For
existing timers a change takes effect when the timer expires. It
is rescheduled with the new interval value.
Tip: The
following should be considered in defining the interval value for
the NatKeepAliveInterval parameter:
- The KeepAlive timer runs only if there is a NAT device in front
of z/OS®.
- If a static NAT device is in front of z/OS, then a value of 0 should be defined for
the interval.
- If a dynamic NAT device is in front of z/OS, then a value less than the mapping expiration
of the NAT device should be defined.
- LivenessInterval
- When IKE negotiates a security association using IKE version 2
(IKEv2), IKE can perform periodic liveness checks as prescribed in
RFC 5996 to test whether the peer remains active. When traffic was
sent but not received on an IKE SA or any of its associated dynamic
tunnels, IKE initiates a liveness check after the liveness interval
period is exceeded. IKE does this by sending the peer a request to
which the peer is expected to respond. If, after the normal series
of IKE retransmissions, the peer has not responded, the IKE SA and
associated dynamic tunnels are considered non-responsive and are deleted.
See the IkeInitWait
parameter and the
IkeRetries parameter for more information.
The purpose of
the liveness check is to verify whether an IKEv2 peer is still active.
This allows IKE to detect cases such as when a peer has rebooted
or when dynamic tunnels are non-responsive. This allows IKE to re-establish
communications with the peer in a timely manner.
Restriction: This
parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details
- interval
- The configured liveness interval in seconds. Valid values are
0 - 20999. A value of 0 indicates that liveness checks should never
be performed. A value in the range 1 - 20999 indicates the number
of seconds of inactivity that triggers the sending of liveness check
request. The default is 30 seconds.
Rule: A change to the LivenessInterval
is effective immediately for any new timer started. For existing
timers a change takes effect when the timer expires. It is rescheduled
with the new interval value.
Results:
- LivenessInterval is used only for IKE version 2 security associations.
This value is ignored for IKE version 1 security associations.
- Liveness checks are performed only when data has been sent over
the IKE SA or dynamic tunnels but not received. If no data is being
either sent or received, then no liveness checks are performed.
- HowToInitiate
- The negotiation mode to use when initiating a KeyExchangeAction
statement does not contain a HowToInitiate parameter. The default
is Main.
Restriction: This parameter is valid only for V1R12
and later releases. See General syntax rules for Policy Agent for details
- Main
- Indicates that IKE version 1 with identity protection is used
when key negotiations are initiated by this system.
- Aggressive
- Indicates that IKE version 1 without identity protection is used
when key negotiations are initiated by this system.
- IKEv2
- Indicates that IKE version 2 is used when key negotiations are
initiated by this system.
- DoNot
- Indicates that the local system cannot initiate a key exchange
negotiation.
- KeyExchangeRule
- An inline specification of a KeyExchangeRule statement to be included
in the policy.
- KeyExchangeRuleRef
- The name of a globally defined KeyExchangeRule statement to be
included in the policy.
- KeyExchangeGroupRef
- The name of a globally defined KeyExchangeGroup statement to be
included in the policy.
- BypassIpValidation
- Indicates whether a check should be made to verify that the remote
peer's identity matches the peer's remote IP address. A value of
Yes indicates the check should be bypassed. A value of No indicates
the check should be enforced. The default is No,
Restriction:The
BypassIpValidation keyword is ignored when the identity of the peer
is not an IPv4 or IPv6 address.
Restriction: This parameter
is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details
Tip: If
the remote security endpoint is expected to be behind a NAT, specify
a value of Yes.
- CertificateURLLookupPreference
- Indicates hash and URL encoding preference in certificate payloads
and certificate request payloads sent and received.
- Allow
- IKED provides the remote security endpoint with an indication
that it prefers to receive certificate payloads encoded in a hash
and URL format. IKED processes certificate payloads encoded using
a hash and URL format when they are received. IKED attempts to send
certificate payloads using a hash and URL format encoding when the
remote security endpoint indicates a preference to receive certificate
payloads encoded in a hash and URL format.
- Tolerate
- IKED does not provide the remote security endpoint with an indication
that it prefers to receive certificate payloads encoded in a hash
and URL format. IKED processes certificate payloads encoded using
a hash and URL format when they are received. IKED attempts to send
certificate payloads using a hash and URL format encoding when the
remote security endpoint indicates a preference to receive certificate
payloads encoded in a hash and URL format. This is the default value.
- Disallow
- IKED does not provide the remote security endpoint with an indication
that it prefers to receive certificate payloads encoded in a hash
and URL format. IKED ignores certificate payloads encoded using a
hash and URL format when they are received. IKED does not send certificate
payloads using a hash and URL format.
Restriction: This keyword is ignored when
IKE version 1 IKE SAs are negotiated since IKE version 1 does not
support hash and URL encoding of certificate data.
Restriction: This
parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details
- RevocationChecking
- Indicates the level of revocation checking to be performed on
a remote security endpoint's certificate and its corresponding certificate
authority certificates. The default is Loose.
- None
- No revocation checking is performed.
- Loose
- Revocation information is checked if available.
- Strict
- Revocation information must be available for all certificates
and is checked for all certificates
Rules:
- Revocation checking is only applicable to digital signature authentication
methods.
- When the mode is Loose and revocation information for a certificate
is unavailable, then that certificate is considered valid.
- When the mode is Strict and revocation information for a certificate
is unavailable, then that certificate is considered invalid.
- When the mode is Strict or Loose and a source of revocation information
checked indicates that a certificate is revoked then the certificate
is considered invalid.
- If a CRL can be obtained using the CRLDistributionPoints extension
and a certificate bundle file, the CRL obtained from the CRLDistributionPoints
extension is used and the CRL in the certificate bundle or certificate
payload is ignored.
- When IKED is configured to use the native IKE daemon certificate
service the RevocationChecking parameter is ignored.
Rule: A CRL received in a certificate payload
is ignored.
Restrictions: - This parameter is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
- Certificate revocation lists (CRL) are the only source of revocation
information consulted. The CRL must be identified in the CRLDistributionPoints
extension of the certificate being checked or contained in a certificate
bundle file identified by the remote security endpoint.
- When the CRLDistributionPoints extension is used to retrieve a
CRL at least one distribution point must contain an HTTP URL.
- IKED will only consult a CRL that contain entries for all revocation
reasons.
- The native IKE daemon certificate service does not consult certificate
revocation information when authenticating a digital signature. If
certificate revocation information is consulted then IKED must be
configured as a network security client.