z/OS® is typically used to provide a server function. The client initiates both the phase 2 Security Association (SA) and the data flow, with z/OS acting in the role of IKE responder and data responder. z/OS provides robust NAT traversal responder support, allowing it to interoperate with a variety of clients.
z/OS can also act as the initiator of the phase 2 SA and data. Potential incompatibilities exist in the following cases, depending on the support that the non-z/OS peer provides:
When z/OS initiates an IKEv2 tunnel mode phase 2 SA, it represents the data that is being protected by the SA with the following addresses:
The phase 2 SA negotiation should succeed if the non-z/OS peer supports receiving a tunnel mode traffic specification that uses these IP addresses.
When initiating this type of phase 2 SA, z/OS represents the data being protected by the SA with the following addresses and values:
The phase 2 SA negotiation should succeed if the non-z/OS peer supports receiving this specification.
When z/OS initiates this type of phase 2 SA, it does not explicitly include the IP addresses of the data being protected in the negotiation of the SA. This allows the non-z/OS peer to view the protected data in terms of the IP addresses that it understands: the public address of the remote endpoint and the private address of its own local endpoint. The phase 2 SA negotiation should succeed.
If data is initiated from z/OS over the SA, the data packet contains the following addresses:
If the non-z/OS peer supports receiving a packet with these IP addresses, the data flow should succeed. When the non-z/OS peer initiates the data flow instead, z/OS replies with packets that carry the same IP addresses the peer used.
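The interoperability question in the tunnel mode cases above comes down to whether the peer accepts the traffic selectors that z/OS proposes. The following Python is an added illustration of that responder-side check; it is not z/OS code, and the addresses in it are constructed sample values (RFC 1918 and RFC 5737 ranges), not the addresses z/OS actually places in the negotiation. It encodes IKEv2 TS_IPV4_ADDR_RANGE selectors in the RFC 7296 section 3.13 wire format, parses them as a receiving peer would, and narrows them against a local policy. An empty intersection is the condition under which a peer rejects the proposal with TS_UNACCEPTABLE.

```python
import ipaddress
import struct

TS_IPV4_ADDR_RANGE = 7  # TS Type value from RFC 7296 section 3.13.1


def selector(proto, start_port, end_port, start_addr, end_addr):
    """Build a (proto, sport, eport, start_ip, end_ip) tuple; proto 0 = any."""
    return (proto, start_port, end_port,
            ipaddress.IPv4Address(start_addr), ipaddress.IPv4Address(end_addr))


def encode_ts(proto, start_port, end_port, start_addr, end_addr):
    """Encode one TS_IPV4_ADDR_RANGE selector (fixed 16-byte selector length)."""
    return struct.pack("!BBHHH4s4s", TS_IPV4_ADDR_RANGE, proto, 16,
                       start_port, end_port,
                       ipaddress.IPv4Address(start_addr).packed,
                       ipaddress.IPv4Address(end_addr).packed)


def encode_ts_payload(selectors, next_payload=0):
    """Wrap encoded selectors in a Traffic Selector payload: generic 4-byte
    payload header, 1-byte selector count, 3 reserved bytes, then selectors."""
    body = b"".join(selectors)
    return struct.pack("!BBHB3x", next_payload, 0, 8 + len(body), len(selectors)) + body


def decode_ts_payload(data):
    """Parse a TS payload into selector tuples, rejecting malformed lengths
    instead of reading past the buffer as a naive parser would."""
    if len(data) < 8:
        raise ValueError("short TS payload")
    _next, _flags, length, count = struct.unpack("!BBHB", data[:5])
    if length != len(data):
        raise ValueError("payload length field does not match data")
    selectors, off = [], 8
    for _ in range(count):
        if off + 16 > len(data):
            raise ValueError("selector runs past end of payload")
        ts_type, proto, sel_len, sport, eport = struct.unpack("!BBHHH", data[off:off + 8])
        if ts_type != TS_IPV4_ADDR_RANGE or sel_len != 16:
            raise ValueError("unsupported or malformed selector")
        start = ipaddress.IPv4Address(data[off + 8:off + 12])
        end = ipaddress.IPv4Address(data[off + 12:off + 16])
        if start > end or sport > eport:
            raise ValueError("inverted address or port range")
        selectors.append((proto, sport, eport, start, end))
        off += sel_len
    if off != len(data):
        raise ValueError("trailing bytes after last selector")
    return selectors


def narrow(proposed, policy):
    """Responder logic: intersect each proposed selector with the local policy.
    Returns the narrowed selector list, or None meaning TS_UNACCEPTABLE."""
    narrowed = []
    for p_proto, p_sp, p_ep, p_a, p_b in proposed:
        for l_proto, l_sp, l_ep, l_a, l_b in policy:
            if p_proto and l_proto and p_proto != l_proto:
                continue  # both sides name a protocol and they differ
            proto = p_proto or l_proto
            sp, ep = max(p_sp, l_sp), min(p_ep, l_ep)
            a, b = max(p_a, l_a), min(p_b, l_b)
            if sp > ep or a > b:
                continue  # empty intersection for this policy entry
            narrowed.append((proto, sp, ep, a, b))
    return narrowed or None


# Constructed sample: the initiator proposes a private /24 as TSi; the
# responder's policy covers a wider private range but only for TCP.
RESPONDER_POLICY = [selector(6, 0, 65535, "10.1.0.0", "10.1.255.255")]


def demo():
    """Initiator encodes TSi, responder decodes it and narrows it to policy."""
    wire = encode_ts_payload([encode_ts(0, 0, 65535, "10.1.1.0", "10.1.1.255")])
    return narrow(decode_ts_payload(wire), RESPONDER_POLICY)


if __name__ == "__main__":
    print(demo())
```

Running the block shows the narrowed result: the responder keeps the proposed /24 but restricts the protocol to TCP. Swapping the policy for a range that does not overlap the proposal makes `narrow` return None, which is the situation the text describes when a peer cannot accept the addresses that z/OS proposes.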