RemoteSecurityEndpoint statement

Use the RemoteSecurityEndpoint statement to encapsulate remote security endpoint IP addresses or hostnames and identity information. This statement defines identity requirements for remote security endpoints with which negotiations for dynamic VPN tunnels are allowed. The statement can also list one or more Certificate Authorities to be used with the allowed security endpoints.

Guideline: The IP address of a remote system is always a public address when the remote security endpoint is behind a NAT device. The NAT device uses the private IP address of the remote security endpoint to choose a public address and replaces it in the IP header.

Syntax

RemoteSecurityEndpoint name
{
   RemoteSecurityEndpoint Parameters
}

Put Braces and Parameters on Separate Lines

RemoteSecurityEndpoint Parameters:

Identity IpAddr authid
Identity KeyID Ascii authid
Identity KeyID Ebcdic authid
Identity KeyID Hex authid
Identity Fqdn authid
Identity UserAtFqdn authid
Identity X500dn authid
Identity RemoteIdentityRef name
Location ipaddress
Location ipaddress/prefixLength
Location ipaddress-ipaddress
Location Any
Location Any4   (default)
Location Any6
LocationRef name
LocationSetRef name
LocationGroupRef name
CaLabel label   (may be repeated)

Parameters

name
A string 1 - 32 characters in length specifying the name of this RemoteSecurityEndpoint statement.

Rule: If this RemoteSecurityEndpoint statement is not specified inline within another statement, a name value must be provided.

If a name is not specified for an inline RemoteSecurityEndpoint statement, a nonpersistent system name is created.

Identity
The identity of a remote security endpoint with which dynamic VPN tunnel negotiations should be allowed. The RemoteSecurityEndpoint identity supports the same identity types and formats as the LocalSecurityEndpoint identity. In addition, the RemoteSecurityEndpoint identity can be wildcarded to indicate a set of acceptable endpoints.
The following identity types and formats are supported:
IpAddr
Indicates that the authid value is an IP address, for example: 1.2.3.4 or 1::9. This value can be wildcarded as a subnet or range.
The following code is a subnet example:
1.2.3.0/24 or 1::9/124
The following code is a range example:
1.2.3.4-1.2.3.100 or 1::0-1::F
KeyID
Indicates that the authid value is an opaque byte stream. This identity type is intended for use with pre-shared key authentication. The ID value can be specified as an ASCII string, an EBCDIC string, or a hexadecimal string. The maximum length for an ASCII or EBCDIC string is 900 characters. The maximum length for a hexadecimal string is 450 bytes. The hexadecimal string must begin with 0x.
Examples:
KeyID Ascii SharedKeyValue
The value is treated as an ASCII string. This specification is valuable if the key ID is defined to the other endpoint as an ASCII string.
KeyID Ebcdic SharedKeyValue
The value is treated as an EBCDIC string.
KeyID Hex 0xC1C2C3F1F2F3
The value is treated as a hexadecimal string.

The ASCII or EBCDIC KeyID value can be defined as a quoted string or a single value.

Rules:
  • A quoted string must start and end with a double-quote (").
  • A quoted string allows the KeyID value to have embedded blanks for the attribute.
  • If the KeyID value is not a quoted string, it is treated as a single value.
Results:
  • Leading blanks and trailing blanks within the quoted string are removed.
  • Within a quoted string, comment indicators, embedded blanks, and additional quotes are treated as part of the value for this attribute.

Restriction: This value is valid only for V1R12 and later releases. See General syntax rules for Policy Agent for details.

Restriction: When the value contains embedded blanks, you must specify the entire parameter value within the first 1 536 characters of the configuration file line.

Example KeyID values:
Identity KeyID Ascii   ASC # comment"  value used:  ASC
Identity KeyID EBCDIC  EBC comment     value used:  EBC
Identity KeyID ASCII   "ASC 98Z"       value used:  ASC 98Z
Identity KeyID EBCDIC  EBC 98Z"        value used:  EBC
Identity KeyID ASCII   "AsC 98Z        value used:  "AsC
Identity KeyID EBCDIC  "Ebc " " Ebc"   value used:  Ebc " " Ebc
Identity KeyID ASCII   "Asc Asc" "     value used:  Asc Asc"
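The quoted-string and single-value rules above are easy to misread, so the following parser reproduces them and checks every row of the example table. This is added example code, not IBM's Policy Agent parser; the regular expression, function names and the even-digit check on hexadecimal values are assumptions of the example, everything else follows the rules and limits stated on this page.

```python
"""
Parser for the KeyID value rules described above (quoted string vs. single
value, leading/trailing blank removal, length limits and the 1 536-character
line rule). Added example code, not IBM's Policy Agent parser.
"""
import re
from typing import Tuple

MAX_STRING_CHARS = 900    # maximum ASCII or EBCDIC KeyID length from the page
MAX_HEX_BYTES = 450       # maximum hexadecimal KeyID length from the page
MAX_LINE_POSITION = 1536  # values with embedded blanks must end within this column

# Assumed statement shape: "Identity KeyID <Ascii|Ebcdic|Hex> <value...>"
KEYID_RE = re.compile(r"^\s*Identity\s+KeyID\s+(Ascii|Ebcdic|Hex)\s+(.*)$", re.IGNORECASE)


def parse_keyid_value(raw: str) -> str:
    """Return the value Policy Agent would use for the text after 'KeyID <encoding>'."""
    text = raw.rstrip("\r\n")
    # Quoted string: starts and ends with a double quote. Everything in between is the
    # value, including comment indicators, blanks and extra quotes, with leading and
    # trailing blanks removed.
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1].strip(" ")
    # Otherwise the value is a single blank-delimited token; the remainder of the line
    # (the page's examples show trailing text and '#' comments there) is ignored.
    tokens = text.split()
    return tokens[0] if tokens else ""


def parse_keyid_statement(line: str) -> Tuple[str, str]:
    """Parse and validate one 'Identity KeyID ...' line; raise ValueError if invalid."""
    match = KEYID_RE.match(line.rstrip("\r\n"))
    if not match:
        raise ValueError("not an 'Identity KeyID' statement")
    encoding = match.group(1).lower()
    value = parse_keyid_value(match.group(2))
    if not value:
        raise ValueError("empty KeyID value")
    if encoding == "hex":
        # Page rule: the hexadecimal string must begin with 0x; 450 bytes = 900 hex digits
        if not value.startswith("0x") or not re.fullmatch(r"[0-9A-Fa-f]+", value[2:]):
            raise ValueError("hexadecimal KeyID must begin with 0x and contain only hex digits")
        if len(value[2:]) % 2:  # assumption: a byte stream needs an even number of hex digits
            raise ValueError("hexadecimal KeyID must contain whole bytes")
        if len(value[2:]) // 2 > MAX_HEX_BYTES:
            raise ValueError("hexadecimal KeyID exceeds 450 bytes")
    elif len(value) > MAX_STRING_CHARS:
        raise ValueError("ASCII/EBCDIC KeyID exceeds 900 characters")
    # Restriction from the page: a value with embedded blanks must be specified
    # entirely within the first 1 536 characters of the configuration line.
    if " " in value and match.end(2) > MAX_LINE_POSITION:
        raise ValueError("value with embedded blanks extends past column 1 536")
    return encoding, value


def is_valid_keyid_statement(line: str) -> bool:
    """Boolean wrapper for configuration checks."""
    try:
        parse_keyid_statement(line)
        return True
    except ValueError:
        return False
```

Note what the table implies and the parser reproduces: a quoted value must be the last thing on the line, because the rule is "starts and ends with a double quote". A line such as `"Asc Asc" "` keeps the stray quote as part of the value, and `"AsC 98Z` (no closing quote) degrades silently to the single token `"AsC`, which would not match the key ID the peer expects.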
Fqdn
Indicates that the authid value is a fully qualified domain name or host name. For example, vnet.ibm.com. The maximum length accepted is 1024 characters. The Fqdn value cannot begin or end with a dot (.), or contain consecutive dots.

The fqdn value can be wildcarded in the leftmost portion preceding the first period. For example, *.ibm.com is allowed.

The leftmost portion cannot be partially wildcarded. For example, *net.ibm.com is not allowed.

UserAtFqdn
Indicates that the authid value is a user at a fully qualified domain name or host name. The user name cannot contain a blank.

For example, ibm@vnet.ibm.com. The maximum length accepted is 1024 characters. The UserAtFqdn value cannot begin or end with a dot (.), or contain consecutive dots.

The user portion can be wildcarded. For example, *@vnet.ibm.com. Alternatively, the leftmost portion of the fqdn can be wildcarded. For example, *.ibm.com

X500dn
Indicates that the authid value is an X.500 distinguished name (DN). See LocalSecurityEndpoint statement for the DN specification.

The leftmost portion of the DN can be wildcarded. For example, *,OU=endicott,O=ibm,C=US is allowed.

Non-initial RDNs cannot be wildcarded. For example, CN="John Doe",*,O=ibm,C=US is not allowed.

Rule: You can use comment indicators and embedded blanks as part of the value for this attribute. For example:
Identity X500DN cn=#my  identity 
value used: cn=#my  identity

Restriction: When the value contains embedded blanks, you must specify the entire parameter value within the first 1 536 characters of the configuration file line.
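To make the wildcard rules for Fqdn, UserAtFqdn and X500dn concrete, the following code validates identity values against those rules and matches a peer's asserted identity against a configured (possibly wildcarded) one. This is added example code, not IBM's IKED implementation. Assumptions beyond the page: `*` stands for exactly one leftmost host label, `*` in a DN stands for one or more leading RDNs, host names are compared case-insensitively, user names are compared exactly, and only DN attribute types (not values) are compared case-insensitively.

```python
"""
Validation and matching for the Fqdn, UserAtFqdn and X500dn identity values
described above. Added example code, not IBM's implementation; it applies the
rules stated on the page plus the labelled assumptions in the comments.
"""
from typing import List, Optional

MAX_NAME_LEN = 1024  # maximum Fqdn / UserAtFqdn length from the page


def fqdn_error(pattern: str) -> Optional[str]:
    """Return None if pattern is an acceptable Fqdn value, otherwise the reason."""
    if not pattern or len(pattern) > MAX_NAME_LEN:
        return "length must be 1 - 1024 characters"
    if pattern.startswith(".") or pattern.endswith(".") or ".." in pattern:
        return "must not begin or end with a dot or contain consecutive dots"
    first, _, rest = pattern.partition(".")
    if "*" in first and first != "*":
        return "leftmost label cannot be partially wildcarded (*net.ibm.com is not allowed)"
    if "*" in rest:
        return "only the leftmost label may be wildcarded"
    return None


def fqdn_matches(pattern: str, name: str) -> bool:
    """Case-insensitive match; '*' stands for exactly one leftmost label (assumption)."""
    if fqdn_error(pattern) or fqdn_error(name) or "*" in name:
        return False
    p, n = pattern.lower(), name.lower()
    if not p.startswith("*."):
        return p == n
    suffix = p[1:]  # e.g. ".ibm.com"
    return n.endswith(suffix) and len(n) > len(suffix) and "." not in n[: -len(suffix)]


def user_at_fqdn_error(pattern: str) -> Optional[str]:
    """Return None if pattern is an acceptable UserAtFqdn value, otherwise the reason."""
    if not pattern or len(pattern) > MAX_NAME_LEN:
        return "length must be 1 - 1024 characters"
    if pattern.startswith(".") or pattern.endswith(".") or ".." in pattern:
        return "must not begin or end with a dot or contain consecutive dots"
    user, sep, host = pattern.partition("@")
    if not sep or not user or not host:
        return "must have the form user@fqdn"
    if " " in user:
        return "user portion cannot contain a blank"
    if "*" in user and user != "*":
        return "user portion may only be wildcarded as a whole (assumption)"
    return fqdn_error(host)


def user_at_fqdn_matches(pattern: str, identity: str) -> bool:
    if user_at_fqdn_error(pattern) or user_at_fqdn_error(identity) or "*" in identity:
        return False
    p_user, _, p_host = pattern.partition("@")
    i_user, _, i_host = identity.partition("@")
    user_ok = p_user == "*" or p_user == i_user  # user names compared exactly (assumption)
    return user_ok and fqdn_matches(p_host, i_host)


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are not inside double quotes (CN="Doe, John" stays whole)."""
    rdns, current, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns


def x500dn_error(pattern: str) -> Optional[str]:
    """Return None if pattern is an acceptable X500dn value, otherwise the reason."""
    rdns = split_rdns(pattern)
    if any(not r for r in rdns):
        return "empty RDN"
    for index, rdn in enumerate(rdns):
        # Page rule: only the leftmost RDN may be wildcarded; assumption: as a whole '*'
        if "*" in rdn and (index > 0 or rdn != "*"):
            return "non-initial RDNs cannot be wildcarded"
    return None


def _norm(rdn: str) -> str:
    attr, sep, value = rdn.partition("=")
    return attr.strip().lower() + sep + value.strip()  # attribute type case-insensitive (assumption)


def x500dn_matches(pattern: str, dn: str) -> bool:
    """'*' stands for one or more leading RDNs of the peer's DN (assumption)."""
    if x500dn_error(pattern) or x500dn_error(dn) or "*" in dn:
        return False
    p = [_norm(r) for r in split_rdns(pattern)]
    d = [_norm(r) for r in split_rdns(dn)]
    if p[0] != "*":
        return p == d
    tail = p[1:]
    return len(d) > len(tail) and d[len(d) - len(tail):] == tail
```

The validators are the ones to run over a configuration file before Policy Agent sees it; the matchers show how wide a wildcarded identity actually is. `*,OU=endicott,O=ibm,C=US` accepts any end-entity DN issued under that organizational unit, so the identity check on its own says nothing about which CA signed the certificate; that is what CaLabel is for.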

RemoteIdentityRef
The name of a globally defined RemoteIdentity statement that indicates the identity of a remote security endpoint with which dynamic VPN tunnel negotiations should be allowed.

Restriction: This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.

Location
ipaddress
A single IP address specification of a remote security endpoint with which dynamic VPN tunnel negotiations should be allowed.

Rule: The IPv6 unspecified address (::0) is not allowed.

ipaddress/prefixLength
A prefix address specification of a range of acceptable remote security endpoint IP addresses. The prefixLength value is the number of unmasked leading bits in the specified IP address and can have a value in the range 0 - 32 for IPv4 addresses and from 0 - 128 for IPv6 addresses.

Rule: The IPv6 unspecified address (::0/128) is not allowed.

ipaddress-ipaddress
A range of IP address specifications of acceptable remote security endpoint addresses for dynamic VPN tunnel negotiations.

Rule: The IPv6 unspecified address (::0-::0) is not allowed.

Any
Specifies all IPv4 addresses. Any and Any4 are interchangeable values.
Any4
Specifies all IPv4 addresses.
Any6
Specifies all IPv6 addresses.

Result: If a RemoteSecurityEndpoint statement is configured without a Location value, the default is Any4.
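The address forms listed under Location are the same ones the IpAddr identity type accepts (single address, subnet, range, Any, Any4, Any6), so one parser serves both. The following code, added as an example here and not IBM's parser, builds an address specification from its Policy Agent text, rejects the IPv6 unspecified-address forms the rules above disallow, applies the Any4 default, and answers whether a given peer address falls inside the configured Location. Class and function names are this example's own.

```python
"""
Parser and matcher for the address forms accepted by the IpAddr identity type
and the Location parameter above: a single address, ipaddress/prefixLength,
ipaddress-ipaddress, Any, Any4 and Any6. Added example code, not IBM's parser.
"""
import ipaddress
from typing import List, Sequence, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
UNSPECIFIED_V6 = ipaddress.IPv6Address("::")


class AddressSpec:
    """One remote security endpoint address specification in Policy Agent syntax."""

    def __init__(self, text: str) -> None:
        self.text = text.strip()
        self.network = None  # set for single address, prefix, Any, Any4, Any6
        self.range = None    # set for ipaddress-ipaddress
        keyword = self.text.lower()
        if keyword in ("any", "any4"):      # page: Any and Any4 are interchangeable
            self.network = ipaddress.ip_network("0.0.0.0/0")
        elif keyword == "any6":
            self.network = ipaddress.ip_network("::/0")
        elif "-" in self.text:              # ipaddress-ipaddress
            low_text, high_text = self.text.split("-", 1)
            low = ipaddress.ip_address(low_text.strip())
            high = ipaddress.ip_address(high_text.strip())
            if low.version != high.version or low > high:
                raise ValueError(f"bad address range {self.text!r}")
            if low == high == UNSPECIFIED_V6:   # page rule: ::0-::0 is not allowed
                raise ValueError("the IPv6 unspecified address is not allowed")
            self.range = (low, high)
        else:                               # ipaddress or ipaddress/prefixLength
            # strict=False masks off host bits below the prefix, e.g. 1::9/124 -> 1::/124
            net = ipaddress.ip_network(self.text, strict=False)
            # page rules: ::0 and ::0/128 are not allowed
            if net.version == 6 and net.prefixlen == 128 and net.network_address == UNSPECIFIED_V6:
                raise ValueError("the IPv6 unspecified address is not allowed")
            self.network = net

    def contains(self, address: str) -> bool:
        """True if the peer address (as text) falls inside this specification."""
        addr = ipaddress.ip_address(address)
        if self.range is not None:
            low, high = self.range
            return addr.version == low.version and low <= addr <= high
        return addr.version == self.network.version and addr in self.network


def is_valid_spec(text: str) -> bool:
    """Boolean wrapper for configuration checks (ipaddress raises ValueError on bad text)."""
    try:
        AddressSpec(text)
        return True
    except ValueError:
        return False


def location_specs(values: Sequence[str]) -> List[AddressSpec]:
    """Build the Location list; with no Location value the page's default is Any4."""
    return [AddressSpec(v) for v in values] if values else [AddressSpec("Any4")]


def location_allows(values: Sequence[str], peer_address: str) -> bool:
    """Would a peer at peer_address be allowed to negotiate against this Location?"""
    return any(spec.contains(peer_address) for spec in location_specs(values))
```

The default is worth checking explicitly: a RemoteSecurityEndpoint with an Identity but no Location accepts negotiations from any IPv4 address, so the identity check and the pre-shared key or certificate are all that constrain the peer. Note also that a range such as `1.2.3.4-1.2.3.100` is inclusive at both ends, and that a prefix specification is matched after masking, so `1.2.3.7/24` and `1.2.3.0/24` describe the same set.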

LocationRef
The name of a globally defined IPAddr statement for the remote security endpoint with which dynamic VPN tunnel negotiations should be allowed.
LocationSetRef
The name of a globally defined IPAddrSet statement for the remote security endpoint set with which dynamic VPN tunnel negotiations should be allowed.
LocationGroupRef
The name of a globally defined IPAddrGroup statement for the remote security endpoint group with which dynamic VPN tunnel negotiations should be allowed.
Restrictions:
  • You cannot specify a group of IP addresses for a remote security endpoint that is referenced by an IpLocalStartAction statement.
  • This parameter is valid only for V1R10 and later releases. See General syntax rules for Policy Agent for details.
CaLabel
Use CaLabel to indicate which certificate authority the remote security endpoint should use when sending a certificate. Multiple instances of this keyword are permitted, indicating that there may be more than one acceptable certificate authority. The remote security endpoint may choose not to honor the request, in which case the negotiation may fail.
label
A label identifying a portion of a certificate authority hierarchy.
Rule: When IKED is configured to use local certificate services, the label specified on the CaLabel parameter must be the label of a certificate authority certificate on the IKE server's key ring. This label must also be specified on the SupportedCertAuth parameter of the IkeConfig statement. See the description of the SupportedCertAuth parameter in the IkeConfig statement for more information. This label identifies a specific certificate authority that the local security endpoint prefers. For example, consider a certificate hierarchy that consists of a Root CA, a subordinate CA X created by the Root CA, and a subordinate CA Y created by CA X.
  • If the peer's certificate should only be issued by CA Y, then a CaLabel parameter with the label CA Y should be specified.
  • If it is acceptable for the peer's certificate to be issued by CA Y or CA X, then a CaLabel parameter with label CA Y and a second CaLabel parameter with label CA X should be specified.
  • If it is acceptable for the peer's certificate to be issued by the Root CA, CA Y or CA X, then multiple CaLabel parameters should be specified, one for each of the acceptable certificate authorities.

Result: When IKED is configured to use local certificate services and no CaLabel parameters are specified, the SupportedCertAuth parameter on the IkeConfig statement provides the list of acceptable certificate authorities that the remote security endpoint should use. See the description of the SupportedCertAuth parameter in the IkeConfig statement for more information.

Rule: When IKED is configured to use the Network Security Server's certificate services, the label specified on the CaLabel parameter must be the label of a certificate authority certificate on the NSSD server's key ring, and the stack must be authorized to the EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH profile. This label identifies the start of a sub-hierarchy that the local security endpoint prefers. For example, consider a certificate hierarchy that consists of a Root CA, a subordinate CA X created by the Root CA, and a subordinate CA Y created by CA X.
  • If the peer's certificate should only be issued by CA Y, then a CaLabel parameter with the label of CA Y should be specified.
  • If it is acceptable for the peer's certificate to be issued by CA Y or CA X, then only a CaLabel parameter with the label of CA X would need to be specified.
  • If it is acceptable for the peer's certificate to be issued by the Root CA, CA Y or CA X, then only a CaLabel parameter with the label of the Root CA would need to be specified.

Result: When IKED is configured to use the Network Security Server's certificate services and no CaLabel parameters are specified, any certificate authority that has a certificate authority certificate on the NSSD key ring to which the stack is authorized is acceptable for the remote security endpoint to use. The EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH profile is used to authorize a stack to a certificate authority certificate.
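The two rules above give the same CaLabel text different meanings: with local certificate services a label names exactly one CA, with NSS certificate services it names the top of a sub-hierarchy. The following code, an added example and not IBED/NSS logic from IBM, computes the set of acceptable issuing CAs for the page's Root CA / CA X / CA Y hierarchy under both interpretations, including the no-CaLabel defaults. The hierarchy table and the `local` / `nss` mode names are this example's own constructions.

```python
"""
Acceptable issuer sets for CaLabel under local and NSS certificate services,
for the Root CA -> CA X -> CA Y hierarchy used in the page's example.
Added example code, not IBM's IKED logic; the hierarchy data is constructed.
"""
from typing import Dict, Iterable, Optional, Sequence, Set

# child label -> issuing (parent) label; the root has no parent. Constructed sample data.
HIERARCHY: Dict[str, Optional[str]] = {"Root CA": None, "CA X": "Root CA", "CA Y": "CA X"}


def subtree(label: str, hierarchy: Dict[str, Optional[str]]) -> Set[str]:
    """All CAs at or below label (the NSS interpretation of a CaLabel)."""
    members: Set[str] = set()
    for ca in hierarchy:
        cursor: Optional[str] = ca
        while cursor is not None:          # walk up the chain until we hit label or the root
            if cursor == label:
                members.add(ca)
                break
            cursor = hierarchy[cursor]
    return members


def acceptable_issuers(mode: str, ca_labels: Iterable[str], hierarchy: Dict[str, Optional[str]],
                       supported_cert_auth: Sequence[str] = (),
                       authorized_nss_cas: Sequence[str] = ()) -> Set[str]:
    """
    Return the CA labels whose certificates the peer may present.
    mode 'local': IKED uses its own key ring; CaLabel values must also appear in the
                  IkeConfig SupportedCertAuth list, which is the default when none is given.
    mode 'nss':   labels must be CA certificates on the NSSD key ring that the stack is
                  authorized to (EZB.NSSCERT.sysname.mappedlabelname.CERTAUTH); a label
                  covers its whole sub-hierarchy, and with no label every authorized CA is acceptable.
    """
    labels = list(ca_labels)
    if mode == "local":
        if not labels:
            return set(supported_cert_auth)
        for label in labels:
            if label not in supported_cert_auth:
                raise ValueError(f"CaLabel {label!r} is not in SupportedCertAuth")
        return set(labels)                  # each label names exactly one CA
    if mode == "nss":
        if not labels:
            return set(authorized_nss_cas)
        result: Set[str] = set()
        for label in labels:
            if label not in authorized_nss_cas:
                raise ValueError(f"stack is not authorized to CA certificate {label!r}")
            result |= subtree(label, hierarchy)
        return result
    raise ValueError(f"unknown certificate services mode {mode!r}")
```

The practical consequence: the same configuration line `CaLabel "CA X"` restricts the peer to certificates issued directly by CA X when IKED uses local certificate services, but also admits CA Y (and anything else later created under CA X) when IKED uses NSS. Moving a stack between the two modes therefore changes the effective trust set and the CaLabel list should be reviewed as part of that change.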

Rule: Comment indicators and embedded blanks are treated as part of the value for this attribute. For example:
CaLabel  Root#CA  Certificate
value used:   Root#CA  Certificate

Restriction: When the value contains embedded blanks, you must specify the entire value within the first 1 536 characters of the configuration file line.