To support IPSec with DVIPA takeover and sysplex distributor,
some IKE and IPSec configuration on the primary or distributing host
must be replicated onto all systems that can serve either as a backup
host for a VIPA takeover or as a target host for sysplex distributor. This
configuration includes the IP security policy that applies to traffic using
a distributed DVIPA (from an IKE definition perspective).
- From a stack perspective, all anchor rules that apply to distributed
DVIPA traffic must be identical on all systems. In addition, the rules
must be ordered so that every system selects the same rule for the same
DVIPA packet; otherwise the security policy applied to a connection would
depend on which host currently owns or is a target for the DVIPA.
- To be considered a sysplex-wide SA, an SA negotiated for DVIPA traffic
must have a local address selector no coarser than a single host. That is,
a dynamic SA cannot use a subnet or address range that encompasses a DVIPA
address as its local identity. This rule ensures that on a DVIPA takeover
or giveback the SA can be moved from one host to another without the SA
ever being applicable to both the backup and the primary host at the same
time (a subnet or range selector would match on both hosts). If a dynamic
SA with such a coarse local selector is negotiated, the IPSec traffic
using it cannot be distributed by sysplex distributor or recovered through
the DVIPA takeover support.
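The two conditions above can be checked before relying on takeover: the DVIPA anchor rules on every candidate stack must agree in content and order, and no dynamic SA whose local selector covers a DVIPA may be coarser than a single host. The following preflight audit is an added example written for this page; it is not IBM or z/OS code and does not parse any z/OS command output. It models rules and SAs as plain records with a simplified selector notation (a host address, a CIDR prefix, or a "lo-hi" range), and the stack names, rule names and addresses are constructed sample data. In practice the records would be populated from each stack's installed filter rules and active dynamic tunnels.

```python
"""Preflight audit of IPSec policy for DVIPA takeover / sysplex distributor.

Added example (not z/OS or IBM code). Two conditions are checked:
  1. every stack that can own or be a target for a distributed DVIPA must
     carry the same anchor rules for that DVIPA's traffic, in the same order;
  2. a dynamic SA whose local selector covers a DVIPA must be host-granular
     (a single address, never a subnet or range), or it is not sysplex-wide.
Selector notation and all sample records below are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AnchorRule:
    name: str
    local: str      # local address selector: host, CIDR, or "lo-hi" range
    remote: str
    protocol: str
    action: str     # e.g. "ipsec" or "permit"


def parse_selector(sel: str):
    """Return (ip_version, lo, hi) integer bounds for a selector string."""
    if "-" in sel:
        a, b = (ipaddress.ip_address(p.strip()) for p in sel.split("-", 1))
        if a.version != b.version or int(a) > int(b):
            raise ValueError(f"bad range selector: {sel}")
        return a.version, int(a), int(b)
    net = ipaddress.ip_network(sel, strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


def covers(sel: str, addr: str) -> bool:
    """True if the selector encompasses addr (a bare host address counts)."""
    ver, lo, hi = parse_selector(sel)
    ip = ipaddress.ip_address(addr)
    return ip.version == ver and lo <= int(ip) <= hi


def is_host(sel: str) -> bool:
    """True only for a single-address selector (host granularity)."""
    _, lo, hi = parse_selector(sel)
    return lo == hi


def rule_key(r: AnchorRule):
    # Rule names are stack-local; only selectors, protocol and action must agree.
    return (r.local, r.remote, r.protocol, r.action)


def dvipa_rules(rules, dvipas):
    """Ordered sub-list of rules whose local selector covers some DVIPA."""
    return [r for r in rules if any(covers(r.local, d) for d in dvipas)]


def check_anchor_rules(stacks: dict, dvipas) -> list:
    """Compare each stack's DVIPA anchor rules with the first stack (by name).

    Identical order is demanded: it is the simplest condition under which
    every stack classifies a given DVIPA packet the same way.
    """
    findings = []
    names = sorted(stacks)
    ref_name = names[0]
    ref = [rule_key(r) for r in dvipa_rules(stacks[ref_name], dvipas)]
    for name in names[1:]:
        got = [rule_key(r) for r in dvipa_rules(stacks[name], dvipas)]
        if set(got) != set(ref):
            missing, extra = set(ref) - set(got), set(got) - set(ref)
            findings.append(f"{name}: DVIPA anchor rules differ from {ref_name} "
                            f"(missing {sorted(missing)}, extra {sorted(extra)})")
        elif got != ref:
            findings.append(f"{name}: same DVIPA anchor rules as {ref_name} "
                            "but in a different order")
    return findings


def check_dynamic_sas(sas, dvipas) -> list:
    """Flag dynamic SAs whose local selector covers a DVIPA but is coarser than host."""
    findings = []
    for sa in sas:
        hit = [d for d in dvipas if covers(sa["local"], d)]
        if hit and not is_host(sa["local"]):
            findings.append(f"SA {sa['id']}: local selector {sa['local']} encompasses "
                            f"DVIPA {', '.join(hit)}; not sysplex-wide, its traffic "
                            "cannot be distributed or recovered on takeover")
    return findings


# Constructed sample data: one distributed DVIPA, a primary (SYSA) and two
# stacks (SYSB, SYSC) that can take it over or receive distributed connections.
DVIPAS = ["10.1.1.10"]
R_TELNET = ("10.1.1.10", "192.168.5.0/24", "tcp", "ipsec")
R_ANY = ("10.1.1.10", "0.0.0.0/0", "all", "ipsec")
SAMPLE_STACKS = {
    "SYSA": [AnchorRule("dvipa-telnet", *R_TELNET), AnchorRule("dvipa-any", *R_ANY),
             AnchorRule("static-only", "10.5.5.5", "0.0.0.0/0", "all", "permit")],
    "SYSB": [AnchorRule("dvipa-any", *R_ANY), AnchorRule("dvipa-telnet", *R_TELNET)],  # reordered
    "SYSC": [AnchorRule("dvipa-telnet", *R_TELNET)],                                    # missing rule
}
SAMPLE_SAS = [
    {"id": "sa1", "local": "10.1.1.10",          "remote": "192.168.5.7"},  # host granular: OK
    {"id": "sa2", "local": "10.1.1.0/24",        "remote": "192.168.5.7"},  # subnet covers the DVIPA
    {"id": "sa3", "local": "10.1.1.1-10.1.1.20", "remote": "192.168.5.7"},  # range covers the DVIPA
    {"id": "sa4", "local": "10.5.5.0/24",        "remote": "192.168.5.7"},  # no DVIPA involved
]

if __name__ == "__main__":
    for f in check_anchor_rules(SAMPLE_STACKS, DVIPAS) + check_dynamic_sas(SAMPLE_SAS, DVIPAS):
        print("FINDING:", f)
```

Running the sample reports SYSB for rule ordering, SYSC for a missing rule, and sa2 and sa3 as SAs that cannot follow the DVIPA; sa1 passes because its local selector is exactly the DVIPA address, and sa4 is ignored because its subnet contains no DVIPA. The non-DVIPA rule on SYSA is deliberately excluded from the comparison, since only rules that can match distributed DVIPA traffic need to be replicated.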