Quick start using IP filtering and IPSec host-to-host

The following sample shows a complete IP security policy allowing connections from a secure server (9.1.1.1) to an administrative machine (9.1.1.2) on an internal network. It represents the absolute minimum number of items that need to be configured for the IKED to provide IPSec protection with dynamic key management between two hosts.

Tip: You can modify the quick start sample for IPv6 by replacing all IPv4 addresses with IPv6 addresses.

This IP security policy allows IKE negotiations in the clear (UDP port 500), while authenticating and encrypting all other traffic between the two hosts using the ESP IPSec protocol. The policy relies almost exclusively on the z/OS® IP security policy defaults, including MD5 and DES for the phase 1 Security Association and ESP/MD5 ESP/DES for the phase 2 Security Association. For a complete description of IP security policy configuration statements and their defaults, see z/OS Communications Server: IP Configuration Reference.

#-------------------------------------------------------
# Quick-Start IP Security policy
#-------------------------------------------------------
IpFilterPolicy
{
  PreDecap                     off
  FilterLogging                on
  AllowOnDemand                yes

  IpFilterRule                 QuickStartRule1
  {
    IpSourceAddr               9.1.1.1
    IpDestAddr                 9.1.1.2
    IpService
    {
      SourcePortRange          500
      DestinationPortRange     500
      Protocol                 udp
      Direction                bidirectional
      Routing                  local
    }
    IpGenericFilterActionRef   permit
  }

  IpFilterRule                 QuickStartRule2
  {
    IpSourceAddr               9.1.1.1
    IpDestAddr                 9.1.1.2
    IpService
    {
      Direction                bidirectional
      Routing                  local
    }
    IpGenericFilterActionRef   ipsec
    IpDynVpnActionRef          TransportMode
  }
}

KeyExchangePolicy
{
  KeyExchangeRule              QuickStart_KeyExRule
  {
    LocalSecurityEndpoint
    {
      Identity                 IpAddr 9.1.1.1
      Location                 9.1.1.1
    }
    RemoteSecurityEndpoint
    {
      Identity                 IpAddr 9.1.1.2
      Location                 9.1.1.2
    }
    KeyExchangeActionRef       QuickStart_KeyExAction
    SharedKey                  Ascii TheEagleHasLanded
  }
}

#-------------------------------------------------------
# Reusable actions
#-------------------------------------------------------
IpGenericFilterAction    permit
{
  IpFilterAction         permit
}

IpGenericFilterAction    ipsec
{
  IpFilterAction         ipsec
  IpFilterLogging        yes LogDeny
}

KeyExchangeAction        QuickStart_KeyExAction
{
  KeyExchangeOffer
  {
    HowToAuthPeers       PreSharedKey
  }
}

IpDynVpnAction           TransportMode
{
  IpDataOffer
  {
    HowToEncap           transport
  }
}

For all IKE negotiations, there must be a corresponding and consistent configuration on the remote host. In this case, if the remote system is running with z/OS IP security, the corresponding policy for the remote system can be generated merely by transposing all instances of local and remote IP addresses.
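As an added example (not part of the z/OS documentation or the Policy Agent itself), the following Python script derives the peer's policy by transposing the local and remote addresses as described, checks that the two sides' KeyExchangeRule endpoints and pre-shared keys agree, and verifies that every *Ref statement names an action that is actually defined. The policy text it parses is a constructed, abbreviated copy of the sample above; the regex-based parsing is a simplification of the real policy grammar, sufficient for this sample.

```python
import re

# Constructed, abbreviated excerpt of the quick-start policy shown above.
LOCAL_POLICY = """\
IpFilterPolicy
{
  IpFilterRule QuickStartRule2
  {
    IpSourceAddr 9.1.1.1
    IpDestAddr 9.1.1.2
    IpGenericFilterActionRef ipsec
    IpDynVpnActionRef TransportMode
  }
}
KeyExchangePolicy
{
  KeyExchangeRule QuickStart_KeyExRule
  {
    LocalSecurityEndpoint { Identity IpAddr 9.1.1.1 Location 9.1.1.1 }
    RemoteSecurityEndpoint { Identity IpAddr 9.1.1.2 Location 9.1.1.2 }
    KeyExchangeActionRef QuickStart_KeyExAction
    SharedKey Ascii TheEagleHasLanded
  }
}
IpGenericFilterAction ipsec { IpFilterAction ipsec }
KeyExchangeAction QuickStart_KeyExAction { KeyExchangeOffer { HowToAuthPeers PreSharedKey } }
IpDynVpnAction TransportMode { IpDataOffer { HowToEncap transport } }
"""

def transpose_policy(text, local, remote):
    """Derive the peer's policy: swap local/remote addresses in one pass (whole addresses only, so 9.1.1.1 never hits 9.1.1.10)."""
    pat = re.compile(r'(?<![\d.])(%s|%s)(?![\d.])' % (re.escape(local), re.escape(remote)))
    return pat.sub(lambda m: remote if m.group(1) == local else local, text)

def endpoints(text):
    """Return (local identity, remote identity, pre-shared key) of the KeyExchangeRule."""
    loc = re.search(r'LocalSecurityEndpoint.*?Identity\s+IpAddr\s+(\S+)', text, re.S).group(1)
    rem = re.search(r'RemoteSecurityEndpoint.*?Identity\s+IpAddr\s+(\S+)', text, re.S).group(1)
    key = re.search(r'SharedKey\s+\S+\s+(\S+)', text).group(1)
    return loc, rem, key

def peers_consistent(policy_a, policy_b):
    """True when each side's remote endpoint is the other's local one and the keys match."""
    (la, ra, ka), (lb, rb, kb) = endpoints(policy_a), endpoints(policy_b)
    return la == rb and ra == lb and ka == kb

def unresolved_refs(text):
    """Names used by *Ref statements for which no matching action statement is defined."""
    defined = set(re.findall(r'\b(\w+)\s+(\S+)\s*\{', text))   # 'Statement name {'
    refs = re.findall(r'\b(\w+)Ref\s+(\S+)', text)              # 'StatementRef name'
    return ['%sRef %s' % (s, n) for s, n in refs if (s, n) not in defined]
```

Running `transpose_policy(LOCAL_POLICY, '9.1.1.1', '9.1.1.2')` yields a policy whose filter rule and security endpoints are mirrored, which `peers_consistent` then accepts against the local one.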