The following sample shows a complete IP security policy allowing connections from a secure server (9.1.1.1) to an administrative machine (9.1.1.2) on an internal network. It represents the absolute minimum number of items that need to be configured for the IKED to provide IPSec protection with dynamic key management between two hosts.
This IP security policy allows IKE negotiations in the clear (UDP, port 500 traffic), while authenticating and encrypting all other traffic using the ESP IPSec protocol. The policy relies almost exclusively on the z/OS® IP security policy defaults, including MD5 and DES for the phase 1 Security Association and ESP/MD5 and ESP/DES for the phase 2 Security Association. For a complete description of IP security policy configuration statements and their defaults, see z/OS Communications Server: IP Configuration Reference.
#-------------------------------------------------------
# Quick-Start IP Security policy
#-------------------------------------------------------
IpFilterPolicy
{
  PreDecap off
  FilterLogging on
  AllowOnDemand yes
  IpFilterRule QuickStartRule1
  {
    IpSourceAddr 9.1.1.1
    IpDestAddr 9.1.1.2
    IpService
    {
      SourcePortRange 500
      DestinationPortRange 500
      Protocol udp
      Direction bidirectional
      Routing local
    }
    IpGenericFilterActionRef permit
  }
  IpFilterRule QuickStartRule2
  {
    IpSourceAddr 9.1.1.1
    IpDestAddr 9.1.1.2
    IpService
    {
      Direction bidirectional
      Routing local
    }
    IpGenericFilterActionRef ipsec
    IpDynVpnActionRef TransportMode
  }
}
KeyExchangePolicy
{
  KeyExchangeRule QuickStart_KeyExRule
  {
    LocalSecurityEndpoint
    {
      Identity IpAddr 9.1.1.1
      Location 9.1.1.1
    }
    RemoteSecurityEndpoint
    {
      Identity IpAddr 9.1.1.2
      Location 9.1.1.2
    }
    KeyExchangeActionRef QuickStart_KeyExAction
    SharedKey Ascii TheEagleHasLanded
  }
}
#-------------------------------------------------------
# Reusable actions
#-------------------------------------------------------
IpGenericFilterAction permit
{
  IpFilterAction permit
}
IpGenericFilterAction ipsec
{
  IpFilterAction ipsec
  IpFilterLogging yes LogDeny
}
KeyExchangeAction QuickStart_KeyExAction
{
  KeyExchangeOffer
  {
    HowToAuthPeers PreSharedKey
  }
}
IpDynVpnAction TransportMode
{
  IpDataOffer
  {
    HowToEncap transport
  }
}
For all IKE negotiations, there must be a corresponding and consistent configuration on the remote host. In this case, if the remote system is running with z/OS IP security, the corresponding policy for the remote system can be generated merely by transposing all instances of local and remote IP addresses.
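The transposition described above, as an added Python example that is not part of the z/OS documentation or product: it swaps the local and remote addresses in a single pass (two sequential replace calls would collapse both addresses into the same value, which is shown for contrast), then checks the items the two peers must agree on before IKE can succeed: each side's LocalSecurityEndpoint identity must match the other side's RemoteSecurityEndpoint identity, and the SharedKey must be identical. The embedded policy text is a constructed, abridged copy of the quick-start policy (one filter rule and the key exchange rule); the function names are the example's own. Because both sides leave the KeyExchangeOffer and IpDataOffer at their defaults, the offers agree by construction and are not compared here.

```python
import re

# Constructed, abridged copy of the quick-start policy shown on this page
# (QuickStartRule1 and QuickStart_KeyExRule); it stands in for the full file.
LOCAL_POLICY = """\
IpFilterRule QuickStartRule1
{
  IpSourceAddr 9.1.1.1
  IpDestAddr 9.1.1.2
  IpService
  {
    SourcePortRange 500
    DestinationPortRange 500
    Protocol udp
    Direction bidirectional
    Routing local
  }
  IpGenericFilterActionRef permit
}
KeyExchangeRule QuickStart_KeyExRule
{
  LocalSecurityEndpoint
  {
    Identity IpAddr 9.1.1.1
    Location 9.1.1.1
  }
  RemoteSecurityEndpoint
  {
    Identity IpAddr 9.1.1.2
    Location 9.1.1.2
  }
  KeyExchangeActionRef QuickStart_KeyExAction
  SharedKey Ascii TheEagleHasLanded
}
"""

# Dotted-quad IPv4 literal; the lookarounds stop 9.1.1.1 matching inside 9.1.1.10.
IPV4 = r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"


def transpose_policy(text: str, local: str, remote: str) -> str:
    """Swap every occurrence of local and remote in ONE pass.

    A mapping consulted per match means each address is rewritten exactly once,
    so the two values trade places instead of merging.
    """
    swap = {local: remote, remote: local}
    return re.sub(IPV4, lambda m: swap.get(m.group(0), m.group(0)), text)


def naive_transpose(text: str, local: str, remote: str) -> str:
    """The tempting but wrong version: the second replace undoes the first,
    leaving every address equal to `local`."""
    return text.replace(local, remote).replace(remote, local)


def endpoint_identity(text: str, block: str) -> str:
    """Return the 'Identity IpAddr' value inside the named endpoint block."""
    m = re.search(block + r"\s*\{\s*Identity\s+IpAddr\s+(" + IPV4 + r")", text)
    if not m:
        raise ValueError(f"{block} not found")
    return m.group(1)


def shared_key(text: str) -> str:
    """Return the SharedKey operands (encoding and key) as written."""
    m = re.search(r"^\s*SharedKey\s+(\S+\s+\S+)\s*$", text, re.M)
    if not m:
        raise ValueError("SharedKey not found")
    return m.group(1)


def peer_mismatches(side_a: str, side_b: str) -> list:
    """List the disagreements between two peers' policies that would stop IKE."""
    problems = []
    if endpoint_identity(side_a, "LocalSecurityEndpoint") != endpoint_identity(side_b, "RemoteSecurityEndpoint"):
        problems.append("A's local identity is not B's remote identity")
    if endpoint_identity(side_a, "RemoteSecurityEndpoint") != endpoint_identity(side_b, "LocalSecurityEndpoint"):
        problems.append("A's remote identity is not B's local identity")
    if shared_key(side_a) != shared_key(side_b):
        problems.append("pre-shared keys differ")
    return problems


if __name__ == "__main__":
    remote_policy = transpose_policy(LOCAL_POLICY, "9.1.1.1", "9.1.1.2")
    print(remote_policy)
    print("mismatches:", peer_mismatches(LOCAL_POLICY, remote_policy))
```

Running the script prints the generated policy for 9.1.1.2 and an empty mismatch list; feeding the same policy file to both sides instead reports the mirrored-identity failure, which is the usual symptom when an administrator copies rather than transposes.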