IPSec is defined by the IPSec Working Group of the IETF. It provides authentication, integrity, and data privacy between any two IP entities. Management of cryptographic keys and security associations can be done manually or dynamically using an IETF-defined key management protocol called Internet Key Exchange (IKE).
There are two versions of the IKE protocol:
- IKE version 1.0 (IKEv1) is defined by RFC 2409, The Internet Key Exchange (IKE), and related RFCs. This is the version that has been supported by z/OS® Communications Server for a number of years.
- IKE version 2.0 (IKEv2) is defined by RFC 5996, Internet Key Exchange Protocol: IKEv2, and related RFCs. Support for IKEv2 is introduced with z/OS V1R12.
With IPSec, you can create virtual private networks (VPN). A VPN
enables an enterprise to extend its private network across a public
network, such as the Internet, through a secure tunnel called a security
association. IPSec VPNs enable the secure transfer of data over the
public Internet for same-business and business-to-business communications,
and protect sensitive data within the enterprise's internal network.
Figure 1. e-business scenarios with virtual private networks
z/OS provides support for IKE and IPSec VPNs, including the following options:
- AH and ESP protocols
- Triple DES for strong encryption
- AES with several choices of mode or key length
- IPSec transport and tunnel mode encapsulation
- IKEv1 and IKEv2 negotiations with support for both aggressive and main mode in IKEv1
- Pre-shared key and digital signature methods of authentication
- NAT traversal (IPv4 only)
For more information about configuring IPSec and VPNs, see IP security.
For more information on using IPSec with Dynamic VIPAs, see Sysplex-Wide Security Associations.