RemoteSecurityEndpoint statement
Use the RemoteSecurityEndpoint statement to encapsulate remote security endpoint IP addresses or hostnames and identity information. This statement defines identity requirements for remote security endpoints with which negotiations for dynamic VPN tunnels are allowed. The statement can also list one or more Certificate Authorities to be used with the allowed security endpoints.
Guideline: The IP address of a remote system is always a public address when the remote security endpoint is behind a NAT device. The NAT device uses the private IP address of the remote security endpoint to choose a public address and replaces it in the IP header.
Syntax
Parameters
- name
- A string 1 - 32 characters in length specifying the name of this RemoteSecurityEndpoint statement.
Rule: If this RemoteSecurityEndpoint statement is not specified inline within another statement, a name value must be provided.
If a name is not specified for an inline RemoteSecurityEndpoint statement, a nonpersistent system name is created.
- Identity
- The identity of a remote security endpoint with which dynamic
VPN tunnel negotiations should be allowed. The RemoteSecurityEndpoint
identity supports the same identity types and formats as the LocalSecurityEndpoint
identity. In addition, the RemoteSecurityEndpoint identity can be
wildcarded to indicate a set of acceptable endpoints. The following identity types and formats are supported:
- IpAddr
- Indicates that the authid value is an IP address, for example: 1.2.3.4 or 1::9. This value can be wildcarded as a subnet or range. Subnet examples:
1.2.3.0/24 or 1::9/124
Range examples:
1.2.3.4-1.2.3.100 or 1::0-1::F
- KeyID
- Indicates that the authid value is an
opaque byte stream. This identity type is intended for use with pre-shared
key authentication. The ID value can be specified as an ASCII string,
an EBCDIC string, or a hexadecimal string. The maximum length for
an ASCII or EBCDIC string is 900 characters. The maximum length for
a hexadecimal string is 450 bytes. The hexstring must begin with a
0x. Examples:
- KeyID Ascii SharedKeyValue
- The value is treated as an ASCII string. This specification is valuable if the key ID is defined to the other endpoint as an ASCII string.
- KeyID Ebcdic SharedKeyValue
- The value is treated as an EBCDIC string.
- KeyID Hex 0xC1C2C3F1F2F3
- The value is treated as a hexadecimal string.
The ASCII or EBCDIC KeyID value can be defined as a quoted string or a single value.
Rules:
- A quoted string must start and end with a double-quote (").
- A quoted string allows the KeyID value to have embedded blanks for the attribute.
- If the KeyID value is not a quoted string, then it is treated as a single value.
Results:
- Leading blanks and trailing blanks within the quoted string are removed.
- Within a quoted string, comment indicators, embedded blanks, and additional quotes are treated as part of the value for this attribute.
Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.
Restriction: When the value contains embedded blanks, you must specify the entire parameter value within the first 1 536 characters of the configuration file line.
Example KeyID values, each followed by the value used:
- Identity KeyID Ascii ASC # comment"  (value used: ASC)
- Identity KeyID EBCDIC EBC comment  (value used: EBC)
- Identity KeyID ASCII "ASC 98Z"  (value used: ASC 98Z)
- Identity KeyID EBCDIC EBC 98Z"  (value used: EBC)
- Identity KeyID ASCII "AsC 98Z  (value used: "AsC)
- Identity KeyID EBCDIC "Ebc " " Ebc"  (value used: Ebc " " Ebc)
- Identity KeyID ASCII "Asc Asc" "  (value used: Asc Asc")
- Fqdn
- Indicates that the authid value is a
fully qualified domain name or host name. For example, vnet.ibm.com.
The maximum length accepted is 1024 characters. The Fqdn value cannot
begin or end with a dot (.), or contain consecutive dots.
The fqdn value can be wildcarded in the leftmost portion preceding the first period. For example, *.ibm.com is allowed.
The leftmost portion cannot be partially wildcarded. For example, *net.ibm.com is not allowed.
- UserAtFqdn
- Indicates that the authid value is a
user at a fully qualified domain name or host name. The user name
cannot contain a blank.
For example, ibm@vnet.ibm.com. The maximum length accepted is 1024 characters. The UserAtFqdn value cannot begin or end with a dot (.), or contain consecutive dots.
The user portion can be wildcarded. For example, *@vnet.ibm.com. Alternatively, the leftmost portion of the fqdn can be wildcarded. For example, *.ibm.com.
- X500dn
- Indicates that the authid value is an
X.500 distinguished name (DN). See LocalSecurityEndpoint statement for the
DN specification.
The leftmost portion of the DN can be wildcarded. For example, *,OU=endicott,O=ibm,C=US is allowed.
Non-initial RDNs cannot be wildcarded. For example, CN="John Doe",*,O=ibm,C=US is not allowed.
Rule: You can use comment indicators and embedded blanks as part of the value for this attribute. For example:
Identity X500DN cn=#my identity  (value used: cn=#my identity)
Restriction: When the value contains embedded blanks, you must specify the entire parameter value within the first 1 536 characters of the configuration file line.
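The identity rules above are easy to get subtly wrong in a policy file (an unterminated KeyID quote silently truncates the value, and a mis-placed wildcard is rejected rather than widened). The following Python is an added example, not IBM code and not how the Policy Agent itself parses its configuration: `parse_keyid_value` applies the KeyID quoted-string rules and reproduces the example KeyID values listed under that identity type, `validate_identity` rejects the wildcard forms the text says are not allowed for IpAddr, Fqdn, UserAtFqdn and X500dn, and `identity_matches` checks a peer's asserted identity against an accepted specification. The function names, the assumption that a configuration line is trimmed before parsing, the assumption that a leading `*` stands for one or more leading labels or RDNs, and the reading of "alternatively" for UserAtFqdn as meaning that only one of the user or host portions is wildcarded are mine, not the page's.

```python
"""Added example, not IBM code: the RemoteSecurityEndpoint Identity rules above as
runnable checks. Function names and the assumptions marked in comments are mine."""
import ipaddress


def parse_keyid_value(rest):
    """KeyID rules for the text after 'Identity KeyID Ascii|Ebcdic' on a trimmed line."""
    rest = rest.strip()  # assumption: surrounding blanks were removed already
    if len(rest) >= 2 and rest.startswith('"') and rest.endswith('"'):
        # Quoted string: '#', blanks and extra quotes inside it are part of the value;
        # blanks just inside the quotes are removed.
        return rest[1:-1].strip()
    # Otherwise a single value (the first word), so '"AsC 98Z' silently yields '"AsC'.
    return rest.split()[0] if rest else ""


def _valid_fqdn(name):
    """<= 1024 chars, no leading/trailing/double dots, only the whole leftmost label may be '*'."""
    if not name or len(name) > 1024 or name[0] == "." or name[-1] == "." or ".." in name:
        return False
    labels = name.split(".")
    return all("*" not in lab for lab in labels[1:]) and ("*" not in labels[0] or labels[0] == "*")


def _split_dn(dn):
    """RDNs split on commas outside double quotes (the quoting convention is an assumption)."""
    rdns, cur, quoted = [], "", False
    for ch in dn:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            rdns, cur = rdns + [cur.strip()], ""
        else:
            cur += ch
    return rdns + [cur.strip()]


def _ip_bounds(spec):
    """Address, subnet (host bits allowed, e.g. 1::9/124) or range -> (version, low, high)."""
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range")
        return lo.version, int(lo), int(hi)
    net = ipaddress.ip_network(spec.strip(), strict=False)
    return net.version, int(net.network_address), int(net.broadcast_address)


def validate_identity(kind, value):
    """True if value is an acceptable Identity of the given type per the rules above."""
    kind = kind.lower()
    if kind == "ipaddr":
        try:
            return bool(_ip_bounds(value))
        except ValueError:
            return False
    if kind == "fqdn":
        return _valid_fqdn(value)
    if kind == "useratfqdn":
        if "@" not in value or len(value) > 1024:
            return False
        user, host = value.split("@", 1)
        # User part or leftmost host label may be '*', not both (the page says
        # "alternatively"; reading that as exclusive is an assumption). No blanks in user.
        return bool(user) and " " not in user and _valid_fqdn(host) and not (
            user == "*" and host.startswith("*"))
    if kind == "x500dn":
        rdns = _split_dn(value)
        if any(r == "" for r in rdns) or any("*" in r for r in rdns[1:]):
            return False  # non-initial RDNs cannot be wildcarded
        return "*" not in rdns[0] or rdns[0] == "*"
    return kind == "keyid" and bool(value)


def _suffix_match(spec_parts, asserted_parts):
    """Leading '*' stands for one or more leading components (count unspecified: assumption)."""
    if spec_parts[0] != "*":
        return spec_parts == asserted_parts
    tail = spec_parts[1:]
    return len(asserted_parts) > len(tail) and asserted_parts[len(asserted_parts) - len(tail):] == tail


def identity_matches(kind, spec, asserted):
    """Is the peer's asserted identity within the accepted spec? A malformed spec fails closed."""
    kind = kind.lower()
    if not validate_identity(kind, spec):
        return False
    if kind == "ipaddr":
        try:
            addr = ipaddress.ip_address(asserted.strip())
        except ValueError:
            return False
        version, lo, hi = _ip_bounds(spec)
        return addr.version == version and lo <= int(addr) <= hi
    if kind == "fqdn":
        return _valid_fqdn(asserted) and "*" not in asserted and _suffix_match(
            spec.lower().split("."), asserted.lower().split("."))
    if kind == "useratfqdn":
        spec_user, spec_host = spec.split("@", 1)
        user, _, host = asserted.partition("@")
        return spec_user in ("*", user) and identity_matches("fqdn", spec_host, host)
    if kind == "x500dn":
        return _suffix_match(_split_dn(spec), _split_dn(asserted))
    return spec == asserted  # KeyID: opaque, exact comparison
```

Run `validate_identity` over every Identity in a policy file before activating it: a wildcard that is rejected (such as `*net.ibm.com`) means the remote endpoint will never be matched, while an over-broad one (such as `*` alone) means any peer that can pass authentication with the configured CA is accepted, so both directions deserve a review.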
- RemoteIdentityRef
- The name of a globally defined RemoteIdentity statement that indicates
the identity of a remote security endpoint with which dynamic VPN
tunnel negotiations should be allowed.
Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
- Location
- The IP address or addresses of the remote security endpoint, specified in one of the following forms:
- ipaddress
- A single IP address specification of a remote security endpoint
with which dynamic VPN tunnel negotiations should be allowed.
Rule: The IPv6 unspecified address (::0) is not allowed.
- ipaddress/prefixLength
- A prefix address specification of a range of acceptable remote
security endpoint IP addresses. The prefixLength value is the number of unmasked leading bits in the specified
IP address and can have a value in the range 0 - 32 for IPv4 addresses
and from 0 - 128 for IPv6 addresses.
Rule: The IPv6 unspecified address (::0/128) is not allowed.
- ipaddress-ipaddress
- A range of IP address specifications of acceptable remote security
endpoint addresses for dynamic VPN tunnel negotiations.
Rule: The IPv6 unspecified address (::0-::0) is not allowed.
- Any
- Specifies all IPv4 addresses. Any and Any4 are interchangeable values.
- Any4
- Specifies all IPv4 addresses.
- Any6
- Specifies all IPv6 addresses.
Result: If RemoteSecurityEndpoint is configured then the default value is set to Any4.
- LocationRef
- The name of a globally defined IPAddr statement for the remote security endpoint with which dynamic VPN tunnel negotiations should be allowed.
- LocationSetRef
- The name of a globally defined IPAddrSet statement for the remote security endpoint set with which dynamic VPN tunnel negotiations should be allowed.
- LocationGroupRef
- The name of a globally defined IPAddrGroup statement for the remote
security endpoint group with which dynamic VPN tunnel negotiations
should be allowed.
Restrictions:
- You cannot specify a group of IP addresses for a remote security endpoint that is referenced by an IpLocalStartAction statement.
- This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
- CaLabel
- Use CaLabel to indicate which certificate authority the remote
security endpoint should use when sending a certificate. Multiple
instances of this keyword are permitted, indicating that there may
be more than one acceptable certificate authority. The remote security
endpoint may choose not to honor the request, in which case the negotiation
may fail.
- label
- A label identifying a portion of a certificate authority hierarchy.
Rule: When IKED is configured to use local certificate services, the label specified on the CaLabel parameter must be the label of a certificate authority certificate on the IKE server's key ring. This label must also be specified on the SupportedCertAuth parameter of the IkeConfig statement. See the description of the SupportedCertAuth parameter in the IkeConfig statement for more information. This label identifies a specific certificate authority that the local security endpoint prefers. For example, consider a certificate hierarchy that consists of a Root CA, a subordinate CA X created by the Root CA, and a subordinate CA Y created by CA X.
- If the peer's certificate should only be issued by CA Y, then a CaLabel parameter with the label CA Y should be specified.
- If it is acceptable for the peer's certificate to be issued by CA Y or CA X, then a CaLabel parameter with label CA Y and a second CaLabel parameter with label CA X should be specified.
- If it is acceptable for the peer's certificate to be issued by the Root CA, CA Y or CA X, then multiple CaLabel parameters should be specified, one for each of the acceptable certificate authorities.
Result: When IKED is configured to use local certificate services and no CaLabel parameters are specified, the SupportedCertAuth parameter on the IkeConfig statement provides the list of acceptable certificate authorities that the remote security endpoint should use. See the description of SupportedCertAuth parameter in IkeConfig statement for more information.
Rule: When IKED is configured to use the Network Security Server's certificate services, the label specified on the CaLabel parameter must be the label of a certificate authority certificate on the NSSD server's key ring, and the stack must be authorized to the EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH profile. This label identifies the start of a sub-hierarchy that the local security endpoint prefers. For example, consider a certificate hierarchy that consists of a Root CA, a subordinate CA X created by the Root CA, and a subordinate CA Y created by CA X.
- If the peer's certificate should only be issued by CA Y, then a CaLabel parameter with the label of CA Y should be specified.
- If it is acceptable for the peer's certificate to be issued by CA Y or CA X, then only a CaLabel parameter with the label of CA X would need to be specified.
- If it is acceptable for the peer's certificate to be issued by the Root CA, CA Y or CA X, then only a CaLabel parameter with the label of the Root CA would need to be specified.
Result: When IKED is configured to use the Network Security Server's certificate services and no CaLabel parameters are specified, any certificate authority that has a certificate authority certificate on the NSSD key ring to which the stack is authorized is acceptable for the remote security endpoint to use. The EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH profile is used to authorize a stack to a certificate authority certificate.
Rule: Comment indicators and embedded blanks are treated as part of the value for this attribute. For example:
CaLabel Root#CA Certificate  (value used: Root#CA Certificate)
Restriction: When the value contains embedded blanks, you must specify the entire value within the first 1 536 characters of the configuration file line.
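The same CaLabel list means two different things depending on whether IKED uses local certificate services (each label names exactly one acceptable CA) or the Network Security Server's certificate services (each label names the top of an acceptable sub-hierarchy). The Python below is an added example, not IBM code, that models the Root CA / CA X / CA Y hierarchy from the two rules above and shows which issuers each configuration admits under each mode; the hierarchy, the mode names "local" and "nss", and the function names are constructed for the example. It also shows the one thing the NSS reading cannot express: accepting a CA without also accepting everything beneath it.

```python
"""Added example, not IBM code: how a CaLabel list is read under IKED local
certificate services versus Network Security Server (NSS) certificate services,
using the Root CA / CA X / CA Y hierarchy from the text. Labels are constructed."""

# Constructed hierarchy: label -> issuer label; the Root CA has no issuer.
HIERARCHY = {"Root CA": None, "CA X": "Root CA", "CA Y": "CA X"}


def acceptable_issuers(calabels, mode, hierarchy=HIERARCHY):
    """CA labels a peer certificate may be issued by, given the configured CaLabel list.

    mode "local": each CaLabel names exactly one acceptable CA (the label must also be
                  on SupportedCertAuth of IkeConfig, which this model does not check).
    mode "nss":   each CaLabel names the start of a sub-hierarchy, so that CA and every
                  CA beneath it are acceptable.
    """
    labels = set(calabels)
    unknown = labels - set(hierarchy)
    if unknown:
        raise ValueError("no CA certificate with label(s): %s" % sorted(unknown))
    if mode == "local":
        return labels
    if mode != "nss":
        raise ValueError("mode must be 'local' or 'nss'")
    accepted = set()
    for ca in hierarchy:
        cur = ca  # walk up towards the root; accept ca if it or any ancestor is listed
        while cur is not None and cur not in labels:
            cur = hierarchy[cur]
        if cur is not None:
            accepted.add(ca)
    return accepted


def minimal_calabels(wanted, mode, hierarchy=HIERARCHY):
    """Smallest CaLabel list that admits exactly the CAs in `wanted` (the bullet cases
    above). In "nss" mode a set that is not a union of whole sub-hierarchies, such as
    Root CA without CA X, cannot be expressed; that is reported as an error."""
    wanted = set(wanted)
    if mode == "local":
        return sorted(wanted)
    heads = sorted(ca for ca in wanted if hierarchy[ca] not in wanted)
    if acceptable_issuers(heads, "nss", hierarchy) != wanted:
        raise ValueError("not expressible as sub-hierarchies under NSS: %s" % sorted(wanted))
    return heads
```

The practical consequence: a policy written for local certificate services with `CaLabel "CA X"` alone admits only CA X, but the same line moved to an NSS-backed IKED admits CA X and CA Y, so the CaLabel list should be re-reviewed whenever the certificate-service mode changes.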