z/OS Communications Server: IP Diagnosis Guide


Overview of diagnosing IKE daemon problems

GC27-3652-02

This section provides overview information about the z/OS® Internet Key Exchange (IKE) daemon and its functions.

The IKE daemon manages dynamic IPSec tunnels. The IKE daemon is not involved in the filtering, encapsulation, or decapsulation of packets. The IKE daemon is not required for the configuration or use of IP filters.

The critical elements of IP security are security associations (SAs); specifically, the information that they provide about the partners of a secure communications channel, and the cryptographic algorithms and keys to be used. The z/OS IKE daemon supports two versions of the Internet Key Exchange: IKE version 1 (IKEv1) and IKE version 2 (IKEv2). The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for exchanging messages to automate the negotiation of security associations. The IKEv1 protocol is a hybrid protocol that conforms to the ISAKMP framework and implements a subset of the Oakley and SKEME protocols to negotiate SAs and provide authenticated keying material for SAs in a protected manner. The IKEv2 protocol is very similar to the IKEv1 protocol, in that it also negotiates SAs and provides authenticated keying material for SAs in a protected manner.

The z/OS IKE daemon implements the IKE protocol to dynamically establish SAs with peer daemons that also support these protocols. In the sections that follow, a peer daemon might be referred to as an ISAKMP server or ISAKMP peer. Also, the z/OS IKE daemon might be referred to as the IKE daemon or IKED.

The IKE daemon establishes SAs within the guidelines of internet protocol security (IP security) policy. IP security policies are defined in one or more local files that are read by the Policy Agent. The IKE daemon obtains IP security policies from the Policy Agent using the Policy API (PAPI). See z/OS Communications Server: IP Configuration Guide for more information about configuring and starting Policy Agent, as well as defining policies.

The IKE daemon establishes and installs the following types of SAs:
  • A phase 1 SA. For IKEv1, this is known as an ISAKMP SA. For IKEv2, this is known as an IKE SA. Its purpose is to protect communications between IKE peers.
  • A phase 2 SA. For IKEv1, this is known as an IPSec SA. For IKEv2, this is known as a child SA. Its purpose is to protect internet protocol (IP) traffic originating from, destined to, or routed by the z/OS TCP/IP stack.

The IKE daemon installs three primary types of information in the TCP/IP stack:

Phase 2 SAs
  The IKE daemon installs established phase 2 SAs in the TCP/IP stack. On z/OS, the phase 2 SA information that is installed in the TCP/IP stack is referred to as a dynamic tunnel.

Dynamic IP filters
  When the IKE daemon installs a dynamic tunnel in the TCP/IP stack, it also installs dynamic IP filters that define what IP traffic can be sent or received through the tunnel. The IKE daemon installs one inbound and one outbound dynamic IP filter with each dynamic tunnel.

Phase 1 SAs
  For Sysplex-Wide Security Association (SWSA) support, the IKE daemon also installs phase 1 SA information in the TCP/IP stack. This is only done for SAs established using IKEv1. The IKE daemon only installs phase 1 SAs in a stack that is configured for SWSA support using the DVIPSEC keyword. See z/OS Communications Server: IP Configuration Guide for more information about SWSA support. For information about diagnosing SWSA problems, see Steps for diagnosing sysplex-wide security association (SWSA) problems.
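The three kinds of stack information described above have a fixed relationship that is useful when diagnosing a problem: every dynamic tunnel should be accompanied by exactly one inbound and one outbound dynamic filter, and phase 1 information should appear in the stack only for IKEv1 SAs and only when the stack is configured with DVIPSEC. The following is an added example, not IBM code and not part of this guide, that models that relationship in Python and runs a consistency check over it. All class names, field names and sample addresses are constructed for illustration; real stack state on z/OS is examined with the ipsec command, not with this code.

```python
"""Model of what the IKE daemon installs in the TCP/IP stack (added example,
not IBM code).  Names and sample data are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Phase2SA:
    tunnel_id: str          # constructed identifier for the dynamic tunnel
    ike_version: int        # 1 or 2
    local_selector: str     # protected traffic, local side (constructed CIDR)
    remote_selector: str    # protected traffic, remote side


@dataclass
class Phase1SA:
    ike_version: int
    peer: str


@dataclass
class DynamicFilter:
    tunnel_id: str
    direction: str          # "inbound" or "outbound"
    src: str
    dst: str


@dataclass
class StackState:
    dvipsec: bool           # stack configured for SWSA with the DVIPSEC keyword
    tunnels: List[Phase2SA] = field(default_factory=list)
    filters: List[DynamicFilter] = field(default_factory=list)
    phase1: List[Phase1SA] = field(default_factory=list)


def install_phase2(stack: StackState, sa: Phase2SA) -> None:
    """Install a dynamic tunnel together with its one outbound and one
    inbound dynamic IP filter.  The inbound filter mirrors the outbound
    selectors (remote -> local)."""
    stack.tunnels.append(sa)
    stack.filters.append(DynamicFilter(sa.tunnel_id, "outbound",
                                       sa.local_selector, sa.remote_selector))
    stack.filters.append(DynamicFilter(sa.tunnel_id, "inbound",
                                       sa.remote_selector, sa.local_selector))


def install_phase1(stack: StackState, sa: Phase1SA) -> bool:
    """Phase 1 SA information goes into the stack only for IKEv1 and only
    when the stack is configured for SWSA.  Returns whether it was installed."""
    if sa.ike_version != 1 or not stack.dvipsec:
        return False
    stack.phase1.append(sa)
    return True


def check_stack(stack: StackState) -> List[str]:
    """Consistency check over (a model of) stack state: each dynamic tunnel
    must have exactly one inbound and one outbound dynamic filter, no filter
    may reference a missing tunnel, and phase 1 entries must be IKEv1 on a
    DVIPSEC stack.  Returns a list of problem descriptions (empty if clean)."""
    problems: List[str] = []
    ids = {t.tunnel_id for t in stack.tunnels}
    for t in stack.tunnels:
        dirs = [f.direction for f in stack.filters if f.tunnel_id == t.tunnel_id]
        if dirs.count("inbound") != 1 or dirs.count("outbound") != 1:
            problems.append(f"{t.tunnel_id}: expected 1 inbound + 1 outbound "
                            f"dynamic filter, found {sorted(dirs)}")
    for f in stack.filters:
        if f.tunnel_id not in ids:
            problems.append(f"{f.direction} filter references missing tunnel "
                            f"{f.tunnel_id}")
    for p in stack.phase1:
        if p.ike_version != 1 or not stack.dvipsec:
            problems.append(f"phase 1 SA for {p.peer} should not be in the stack")
    return problems


def demo() -> List[str]:
    """Build a constructed stack, install one IKEv2 child SA, then drop its
    inbound filter to show what the check reports."""
    stack = StackState(dvipsec=False)
    install_phase2(stack, Phase2SA("TUN-1", 2, "10.1.1.0/24", "10.2.2.0/24"))
    clean = check_stack(stack)            # expected: []
    stack.filters = [f for f in stack.filters if f.direction != "inbound"]
    return clean + check_stack(stack)     # expected: one problem line


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check mirrors what a diagnoser looks for when comparing what the IKE daemon believes it negotiated with what the stack actually holds: a tunnel without its pair of dynamic filters, or a filter whose tunnel is gone, points at an installation or cleanup problem rather than at the negotiation itself.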

Copyright IBM Corporation 1990, 2014