When a Security Association is deleted, all of the information that is stored in the Security Association is deleted from the TCP/IP stack and from the IKED, along with the dynamic filters that were created when the Security Association was created. After deletion, the Security Association is no longer available for use. Traffic that was protected by the old Security Association is denied until a new Security Association is subsequently activated.
When a parent phase 1 Security Association is deactivated, all of the associated phase 2 Security Associations are deleted as well. Be careful when deleting phase 1 Security Associations, because all traffic that uses the Security Association and its associated phase 2 Security Associations is dropped until new Security Associations can be negotiated.

ipsec -k deactivate -a K1

CS V1R12 ipsec  Stack Name: TCPCS  Tue Feb 16 11:48:04 2010
Primary:  IKE tunnel       Function: Deactivate
Tunnel ID     Status
K1            Deactivating

ipsec -k deactivate -a all

CS V1R12 ipsec  Stack Name: TCPCS  Tue Feb 16 11:48:04 2010
Primary:  IKE tunnel       Function: Deactivate
All IKE tunnels            Deactivating

ipsec -y deactivate -a Y2

CS V1R12 ipsec  Stack Name: TCPCS  Tue Feb 16 11:48:04 2010
Primary:  Dynamic tunnel   Function: Deactivate
Tunnel ID     LocalDynVpnRuleName     Status
Y2            n/a                     Deactivating

The n/a in the LocalDynVpnRuleName field indicates that no local dynamic VPN rule name is associated with this Security Association. The Security Association was either remotely activated or was activated on-demand.

ipsec -y deactivate -a all

CS V1R12 ipsec  Stack Name: TCPCS  Tue Feb 16 11:48:04 2010
Primary:  Dynamic tunnel   Function: Deactivate
All dynamic tunnels        Deactivating

For detailed information about the use of the ipsec command, see z/OS Communications Server: IP System Administrator's Commands.