IKE tunnel (-k) primary option report field descriptions

For more information about the header, see The ipsec command report heading.

TunnelID
The ID that uniquely defines the IKE tunnel. In this example, TunnelID has the value K (for IKE) followed by an arbitrary positive integer that was assigned by the system when the tunnel was defined. This is the name to use when specifying ipsec command selection criteria with the -a option.
Generation
This number is used to differentiate SAs for the same tunnel. The first SA that is created for a given tunnel is number 1.
IKEVersion
Specifies the IKE major and minor version that is used to negotiate the tunnel. Possible values are:
1.x
IKE version 1
2.x
IKE version 2
KeyExchangeRuleName
The name of the KeyExchangeRule statement that was used to define and control the characteristics of the IKE tunnel. The KeyExchangeRuleName value is established at the time the IKE tunnel is established.
KeyExchangeActionName
The name of the KeyExchangeAction statement that was used to initiate the IKE tunnel. The KeyExchangeActionName value is established at the time the IKE tunnel is established.
LocalEndpoint
The local security endpoint address of the IKE tunnel.
LocalIDType
Specifies the type of the local identity. Possible values are:
ID_IPV4_ADDR
An IPv4 address.
ID_IPV6_ADDR
An IPv6 address.
ID_FQDN
A fully qualified domain name.
ID_USER_FQDN
A user at a fully qualified domain name.
ID_DER_ASN1_DN
An X.500 distinguished name.
ID_KEY_ID
A vendor-specific value used to perform certain proprietary forms of identification.
LocalID
Specifies the value of the local identity.

Restriction: If the LocalIDType value is ID_KEY_ID, the LocalID value is truncated to avoid spanning multiple lines on a typical display device. An ellipsis is appended to this value to indicate that it was truncated. To display the entire value, use the wide (-r wide) display format.

RemoteEndpoint
The remote security endpoint address of the IKE tunnel.
RemoteIDType
Specifies the type of the remote identity. Possible values are:
ID_IPV4_ADDR
An IPv4 address.
ID_IPV6_ADDR
An IPv6 address.
ID_FQDN
A fully qualified domain name.
ID_USER_FQDN
A user at a fully qualified domain name.
ID_DER_ASN1_DN
An X.500 distinguished name.
ID_KEY_ID
A vendor-specific value used to perform certain proprietary forms of identification.
RemoteID
Specifies the value of the remote identity.

Restriction: If the RemoteIDType value is ID_KEY_ID, then the RemoteID value is truncated to avoid spanning multiple lines on a typical display device. An ellipsis is appended to this value to indicate that it was truncated. To display the entire value, use the wide (-r wide) display format.

ExchangeMode
The exchange mode used to negotiate the IKE tunnel. Possible values for an IKEv1 tunnel are Aggressive or Main. This field is supported for IKEv1 tunnels only and is always set to n/a for IKEv2 tunnels.
State
The state of the tunnel with respect to the negotiation that occurs during activation.
Possible values for an IKEv1 tunnel are:
INIT
Indicates that no key exchange messages have been initiated.
WAIT SA
Indicates that the first key exchange message has been sent and the endpoint is waiting for a response.
IN KE
Indicates that a key exchange response has been sent.
WAIT KE
Indicates that a key exchange message has been sent and that the endpoint is waiting for a response.
DONE
Indicates that all key exchange messages have been completed and that the tunnel is available for data traffic.
EXPIRED
Indicates that the tunnel has exceeded its lifetime and is not available for data traffic.
Possible values for an IKEv2 tunnel are:
INIT
Indicates that no key exchange messages have been initiated.
WAIT KE
Indicates that an SA Init request is in progress.
WAIT AUTH
Indicates that an SA Auth request is in progress.
DONE
Indicates that all key exchange messages have been completed and that the tunnel is available for data traffic.
HALF-CLOSED
Indicates that the tunnel is in the process of closing.
EXPIRED
Indicates that the tunnel has exceeded its lifetime and is not available for data traffic.
AuthenticationAlgorithm
Specifies the authentication algorithm that is used for authenticating IKE key exchange messages.
Possible values for IKEv1 tunnels are:
  • HMAC-MD5
  • HMAC-SHA1
  • HMAC-SHA2-256-128
  • HMAC-SHA2-384-192
  • HMAC-SHA2-512-256
Possible values for IKEv2 tunnels are:
  • AES128-XCBC-96
  • HMAC-MD5-96
  • HMAC-SHA1-96
  • HMAC-SHA2-256-128
  • HMAC-SHA2-384-192
  • HMAC-SHA2-512-256
EncryptionAlgorithm
Specifies the encryption algorithm that is used for protecting IKE key exchange messages. Possible values are:
  • AES-CBC
  • DES-CBC
  • 3DES-CBC
KeyLength
The length, in bits, of the key used by the encryption algorithm. The length is specified as n/a for algorithms with a fixed key length.
PseudoRandomFunction
Specifies the pseudo-random function that is used for generating keying material. For IKEv1, the PseudoRandomFunction value is always the same value as the AuthenticationAlgorithm value. For IKEv2, the pseudo-random function is negotiated separately and might differ from the authentication algorithm. Possible values are:
  • AES128-XCBC
  • HMAC-MD5
  • HMAC-SHA1
  • HMAC-SHA2-256
  • HMAC-SHA2-384
  • HMAC-SHA2-512
DiffieHellmanGroup
Indicates the Diffie-Hellman group that is used during key exchange. If no Diffie-Hellman group is used, the value is 0.
LocalAuthenticationMethod
Indicates the method that the remote peer is using to authenticate the local endpoint. Possible values are:
  • PresharedKey
  • RsaSignature
  • ECDSA-256
  • ECDSA-384
  • ECDSA-521
  • DigitalSignature

For IKEv1 tunnels, the authentication method is negotiated and it is always the same as the remote authentication method.

For IKEv2 tunnels, the authentication method is established by local policy and might differ from the remote authentication method.

RemoteAuthenticationMethod
Indicates the method that the local system is using to authenticate the remote endpoint. Possible values are:
  • PresharedKey
  • RsaSignature
  • ECDSA-256
  • ECDSA-384
  • ECDSA-521
  • Unknown - For IKEv2 tunnels only, the value Unknown is possible if the IKEv2 tunnel has not completed its initial exchanges.

For IKEv1 tunnels, the authentication method is negotiated and is always the same as the local authentication method.

For IKEv2 tunnels, the authentication method is established by policy on the remote peer and might differ from the local authentication method.

InitiatorCookie
During the phase 1 negotiation, the initiator created a cookie to identify itself during the exchange. This is the value of that cookie.
ResponderCookie
During the phase 1 negotiation, the responder created a cookie to identify itself during the exchange. This is the value of that cookie.
Lifesize
The number of kilobytes that can pass on the IKE tunnel before the tunnel must be refreshed. If the value is 0, then the refresh Lifesize value was None and byte counts are not used to monitor for tunnel refresh.
CurrentByteCount
The number of bytes that have been protected by the tunnel.
Lifetime
The number of minutes between each refresh.
LifetimeRefresh
The time at which the tunnel must be refreshed.
LifetimeExpires
The time at which the tunnel expires.
ReauthInterval
The number of minutes between each reauthentication.
ReauthTime
The time at which the tunnel must be reauthenticated.
Role
Indicates whether this endpoint was the initiator or responder on the IKE tunnel negotiation.
AssociatedDynamicTunnels
A count of how many dynamic tunnels depend on this IKE tunnel for their maintenance.
NATTSupportLevel
The level of NAT traversal support agreed to during the phase 1 SA negotiation. The following list shows the possible values:
D2RFC
Draft 2 of RFC 3947.
D3RFC
Draft 3 of RFC 3947.
RFC
RFC 3947, with a non-z/OS remote security endpoint.
RFC_zOS
RFC 3947, with a z/OS® remote security endpoint.
IKEv2
RFC 5996, with a non-z/OS remote security endpoint.
IKEv2_zOS
RFC 5996, with a z/OS remote security endpoint.
n/a
NAT traversal is not supported for phase 1 SAs that use IPv6 addresses; for those SAs, this field has the value n/a.
None
No NAT Traversal support.
NATInFrntLclScEndPnt
Indicates whether or not a NAT has been detected in front of the local security endpoint. NAT traversal is not supported for phase 1 SAs using IPv6 addresses. In this case, the field has the value n/a.
NATInFrntRmtScEndPnt
Indicates whether or not a NAT has been detected in front of the remote security endpoint. NAT traversal is not supported for phase 1 SAs using IPv6 addresses. In this case, the field has the value n/a.
zOSCanInitP1SA
Indicates whether z/OS can initiate the initial phase 1 SA negotiation. NAT traversal is not supported for phase 1 SAs that use IPv6 addresses. In this case, the field has the value n/a.
AllowNat
Indicates whether NAT traversal support is enabled. This field indicates the configured setting of the AllowNat keyword. NAT traversal is not supported for phase 1 SAs that use IPv6 addresses. In this case, the field has the value n/a.
RmtNAPTDetected
Indicates whether or not a NAT in front of the remote security endpoint has been detected performing port address translation. The value Yes indicates that port address translation by a NAT in front of the remote security endpoint has been detected; the value No indicates that it has not been detected. NAT traversal is not supported for phase 1 SAs that use IPv6 addresses. In this case, the field has the value n/a.
RmtUdpEncapPort
The UDP-encapsulated port number used by the remote security endpoint. This field is valid only for NAT-traversal tunnels. Otherwise, this field has the value n/a.
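The fields described above lend themselves to a scripted review of the report. The following is an added example, not part of the z/OS documentation or of the ipsec command itself: it parses a constructed report in an assumed "FieldName: value" line layout into one record per TunnelID and flags tunnels that are not in the DONE state, that negotiated DES-CBC or an MD5-based integrity algorithm, or that authenticate with a pre-shared key.

```python
import re

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s+(.*?)\s*$")  # assumed "Field:   value" layout
WEAK_ENC = {"DES-CBC"}                   # single DES, 56-bit key
WEAK_AUTH = {"HMAC-MD5", "HMAC-MD5-96"}  # MD5-based integrity

# Constructed sample of two IKE tunnels; field names and values follow the descriptions above.
SAMPLE_REPORT = """\
TunnelID:                     K1
State:                        DONE
AuthenticationAlgorithm:      HMAC-SHA2-256-128
EncryptionAlgorithm:          AES-CBC
LocalAuthenticationMethod:    RsaSignature
TunnelID:                     K2
State:                        EXPIRED
AuthenticationAlgorithm:      HMAC-MD5
EncryptionAlgorithm:          DES-CBC
LocalAuthenticationMethod:    PresharedKey
"""

def parse_report(text):
    """Return one dict per IKE tunnel; each TunnelID line starts a new record."""
    tunnels = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        if name == "TunnelID":
            tunnels.append({})
        if tunnels:                       # ignore any lines before the first TunnelID
            tunnels[-1][name] = value
    return tunnels

def audit_tunnel(t):
    """List review findings for one tunnel record; an empty list means nothing to flag."""
    findings = []
    if t.get("State") != "DONE":
        findings.append("state %s, not carrying traffic" % t.get("State"))
    if t.get("EncryptionAlgorithm") in WEAK_ENC:
        findings.append("weak encryption " + t["EncryptionAlgorithm"])
    if t.get("AuthenticationAlgorithm") in WEAK_AUTH:
        findings.append("weak integrity " + t["AuthenticationAlgorithm"])
    if "PresharedKey" in (t.get("LocalAuthenticationMethod"), t.get("RemoteAuthenticationMethod")):
        findings.append("pre-shared key authentication")
    return findings

def audit_report(text):
    return {t["TunnelID"]: audit_tunnel(t) for t in parse_report(text)}
```

Feeding the real command output into audit_report in place of SAMPLE_REPORT gives a per-tunnel list of findings; an empty list means the tunnel passed every check.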