- TunnelID
- The ID that uniquely defines the IKE tunnel. In this example,
TunnelID has the value K (for IKE) followed by an
arbitrary positive integer that was assigned by the system when the
tunnel was defined. This is the name to use as the selection criterion
for an ipsec command with the -a option.
- Generation
- This number is used to differentiate SAs for the same tunnel.
The first SA that is created for a given tunnel is number 1.
- IKEVersion
- Specifies the IKE major and minor version that is used to negotiate
the tunnel. Possible values are:
- 1.x
- IKE version 1
- 2.x
- IKE version 2
- KeyExchangeRuleName
- The name of the KeyExchangeRule statement that was used to define
and control the characteristics of the IKE tunnel. The KeyExchangeRuleName
value is established at the time the IKE tunnel is established.
- KeyExchangeActionName
- The name of the KeyExchangeAction statement that was used to initiate
the IKE tunnel. The KeyExchangeActionName value is established at
the time the IKE tunnel is established.
- LocalEndpoint
- The local security endpoint address of the IKE tunnel.
- LocalIDType
- Specifies the type of the local identity. Possible values are:
- ID_IPV4_ADDR
- An IPv4 address.
- ID_IPV6_ADDR
- An IPv6 address.
- ID_FQDN
- A fully qualified domain name.
- ID_USER_FQDN
- A user at a fully qualified domain name.
- ID_DER_ASN1_DN
- An X.500 distinguished name.
- ID_KEY_ID
- A vendor-specific value used to perform certain proprietary forms
of identification.
- LocalID
- Specifies the value of the local identity.
Restriction: If the LocalIDType value is ID_KEY_ID,
the LocalID value is truncated to avoid spanning multiple lines on
a typical display device. An ellipsis is appended to this value to
indicate that it was truncated. To display the entire value, use the
wide (-r wide) display format.
- RemoteEndpoint
- The remote security endpoint address of the IKE tunnel.
- RemoteIDType
- Specifies the type of the remote identity. Possible values are:
- ID_IPV4_ADDR
- An IPv4 address.
- ID_IPV6_ADDR
- An IPv6 address.
- ID_FQDN
- A fully qualified domain name.
- ID_USER_FQDN
- A user at a fully qualified domain name.
- ID_DER_ASN1_DN
- An X.500 distinguished name.
- ID_KEY_ID
- A vendor-specific value used to perform certain proprietary forms
of identification.
- RemoteID
- Specifies the value of the remote identity.
Restriction: If the RemoteIDType value is ID_KEY_ID,
then the RemoteID value is truncated to avoid spanning multiple lines
on a typical display device. An ellipsis is appended to this value
to indicate that it was truncated. To display the entire value, use
the wide (-r wide) display format.
- ExchangeMode
- The exchange mode used to negotiate the IKE tunnel. Possible
values for an IKEv1 tunnel are Aggressive or Main. This field is supported
for IKEv1 tunnels only and is always set to n/a for
IKEv2 tunnels.
- State
- The state of the tunnel with respect to the negotiation that occurs
during activation.
Possible values for an IKEv1 tunnel are:
- INIT
- Indicates that no key exchange messages have been initiated.
- WAIT SA
- Indicates that the first key exchange message has been sent and
the endpoint is waiting for a response.
- IN KE
- Indicates that a key exchange response has been sent.
- WAIT KE
- Indicates that a key exchange message has been sent and that the
endpoint is waiting for a response.
- DONE
- Indicates that all key exchange messages have been completed and
that the tunnel is available for data traffic.
- EXPIRED
- Indicates that the tunnel has exceeded its lifetime and is not available
for data traffic.
Possible values for an IKEv2 tunnel are:
- INIT
- Indicates that no key exchange messages have been initiated.
- WAIT KE
- Indicates that an SA Init request is in progress.
- WAIT AUTH
- Indicates that an SA Auth request is in progress.
- DONE
- Indicates that all key exchange messages have been completed and
that the tunnel is available for data traffic.
- HALF-CLOSED
- Indicates that the tunnel is in the process of closing.
- EXPIRED
- Indicates that the tunnel has exceeded its lifetime and is not available
for data traffic.
- AuthenticationAlgorithm
- Specifies the authentication algorithm that is used for authenticating
IKE key exchange messages.
Possible values for IKEv1 tunnels are:
- HMAC-MD5
- HMAC-SHA1
- HMAC-SHA2-256-128
- HMAC-SHA2-384-192
- HMAC-SHA2-512-256
Possible values for IKEv2 tunnels are:
- AES128-XCBC-96
- HMAC-MD5-96
- HMAC-SHA1-96
- HMAC-SHA2-256-128
- HMAC-SHA2-384-192
- HMAC-SHA2-512-256
HMAC-MD5 and HMAC-SHA1, including their -96 truncated forms, are legacy
choices; prefer one of the HMAC-SHA2 values wherever the peer supports it.
- EncryptionAlgorithm
- Specifies the encryption algorithm that is used for protecting
IKE key exchange messages. Possible values are:
- KeyLength
- The length, in bits, of the key used by the encryption algorithm.
The length is specified as n/a for algorithms with
a fixed key length.
- PseudoRandomFunction
- Specifies the pseudo-random function that is used for generating
keying material. For IKEv1, the PseudoRandomFunction value is always
the same value as the AuthenticationAlgorithm value. For IKEv2, the
pseudo-random function is negotiated separately and might differ from
the authentication algorithm. Possible values are:
- AES128-XCBC
- HMAC-MD5
- HMAC-SHA1
- HMAC-SHA2-256
- HMAC-SHA2-384
- HMAC-SHA2-512
- DiffieHellmanGroup
- Indicates the Diffie-Hellman group that is used during key exchange.
If no Diffie-Hellman group is used, the value is 0.
- LocalAuthenticationMethod
- Indicates the method that the remote peer is using to authenticate
the local endpoint. Possible values are:
- PresharedKey
- RsaSignature
- ECDSA-256
- ECDSA-384
- ECDSA-521
- DigitalSignature
For IKEv1 tunnels, the authentication method is negotiated
and it is always the same as the remote authentication method.
For IKEv2 tunnels, the authentication method is established by local policy
and might differ from the remote authentication method.
- RemoteAuthenticationMethod
- Indicates the method that the local system is using to authenticate
the remote endpoint. Possible values are:
- PresharedKey
- RsaSignature
- ECDSA-256
- ECDSA-384
- ECDSA-521
- Unknown
- For IKEv2 tunnels only. The value Unknown is shown if the IKEv2 tunnel
has not completed its initial exchanges.
For IKEv1 tunnels, the authentication method is negotiated
and is always the same as the local authentication method.
For IKEv2 tunnels, the authentication method is established by policy
on the remote peer and might differ from the local authentication
method.
- InitiatorCookie
- During the phase 1 negotiation, the initiator created a cookie
to identify itself during the exchange. This is the value of that
cookie.
- ResponderCookie
- During the phase 1 negotiation, the responder created a cookie
to identify itself during the exchange. This is the value of that
cookie.
- Lifesize
- The number of kilobytes that can pass on the IKE tunnel before
the tunnel must be refreshed. If the value is 0, then the refresh
Lifesize value was None and byte counts are not used
to monitor for tunnel refresh.
- CurrentByteCount
- The number of bytes that have been protected by the tunnel.
- Lifetime
- The number of minutes between each refresh.
- LifetimeRefresh
- The time at which the tunnel must be refreshed.
- LifetimeExpires
- The time at which the tunnel expires.
- ReauthInterval
- The number of minutes between each reauthentication.
- ReauthTime
- The time at which the tunnel must be reauthenticated.
- Role
- Indicates whether this endpoint was the initiator or responder
on the IKE tunnel negotiation.
- AssociatedDynamicTunnels
- A count of how many dynamic tunnels depend on this IKE tunnel
for their maintenance.
- NATTSupportLevel
- The level of NAT traversal support agreed to during the phase
1 SA negotiation. The following list shows the possible values:
- D2RFC
- Draft 2 of RFC 3947.
- D3RFC
- Draft 3 of RFC 3947.
- RFC
- RFC 3947, with a non-z/OS remote security endpoint.
- RFC_zOS
- RFC 3947, with a z/OS® remote security endpoint.
- IKEv2
- RFC 5996 (since obsoleted by RFC 7296), with a non-z/OS remote security endpoint.
- IKEv2_zOS
- RFC 5996, with a z/OS remote security endpoint.
- n/a
- Not applicable. NAT traversal is not supported for phase 1 SAs that use
IPv6 addresses, so the field has the value n/a.
- None
- No NAT traversal support.
- NATInFrntLclScEndPnt
- Indicates whether or not a NAT has been detected in front of the
local security endpoint. NAT traversal is not supported for phase
1 SAs using IPv6 addresses. In this case, the field has the value n/a.
- NATInFrntRmtScEndPnt
- Indicates whether or not a NAT has been detected in front of the
remote security endpoint. NAT traversal is not supported for phase
1 SAs using IPv6 addresses. In this case, the field has the value n/a.
- zOSCanInitP1SA
- Indicates whether z/OS can initiate the initial phase 1 SA negotiation.
NAT traversal is not supported for phase 1 SAs that use IPv6 addresses.
In this case, the field has the value n/a.
- AllowNat
- Indicates whether NAT traversal support is enabled. This field
indicates the configured setting of the AllowNat keyword. NAT traversal
is not supported for phase 1 SAs that use IPv6 addresses. In this
case, the field has the value n/a.
- RmtNAPTDetected
- Indicates whether or not a NAT in front of the remote security
endpoint has been detected performing port address translation. The
value Yes indicates that port address translation by a NAT in front
of the remote security endpoint has been detected; the value No
indicates that it has not been detected.
NAT traversal is not supported for phase 1 SAs that use IPv6 addresses.
In this case, the field has the value n/a.
- RmtUdpEncapPort
- The UDP-encapsulated port number used by the remote security endpoint.
This field is valid only for NAT-traversal tunnels. Otherwise, this
field has the value n/a.
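An added example, not IBM code and not part of this page, that parses a report carrying the fields described above and runs a few checks over it. It assumes, as a layout assumption the page does not state, one "FieldName: value" line per field with each tunnel's block starting at its TunnelID line; the sample report is constructed. The checks go beyond the field definitions themselves: besides treating an ID that ends in an ellipsis as truncated (the LocalID/RemoteID restriction) and a non-DONE state or an Unknown remote authentication method as "not yet usable", they flag IKEv1 Aggressive mode with a preshared key, legacy MD5/SHA1 hashes, weak or absent Diffie-Hellman groups, and draft-level NAT traversal.

```python
# Audit IKE tunnel entries from an `ipsec -k display` report.
# Added example, not IBM code. Layout assumption: one "FieldName: value"
# line per field, each tunnel's block starting at its TunnelID line.
import re
from typing import Dict, List, Tuple

# Constructed sample report (not captured from a real system). K1 is an IKEv1
# tunnel with legacy choices; K2 is an IKEv2 tunnel still in WAIT AUTH.
SAMPLE_REPORT = """\
TunnelID:                     K1
IKEVersion:                   1.0
LocalEndpoint:                192.0.2.10
LocalIDType:                  ID_IPV4_ADDR
LocalID:                      192.0.2.10
RemoteEndpoint:               198.51.100.7
RemoteIDType:                 ID_KEY_ID
RemoteID:                     branch-office-7-proprietary-key-id-value-co...
ExchangeMode:                 Aggressive
State:                        DONE
AuthenticationAlgorithm:      HMAC-MD5
PseudoRandomFunction:         HMAC-MD5
DiffieHellmanGroup:           2
LocalAuthenticationMethod:    PresharedKey
RemoteAuthenticationMethod:   PresharedKey
NATTSupportLevel:             D3RFC
TunnelID:                     K2
IKEVersion:                   2.0
LocalEndpoint:                2001:db8::10
LocalIDType:                  ID_FQDN
LocalID:                      zos1.example.com
RemoteEndpoint:               2001:db8:1::7
RemoteIDType:                 ID_DER_ASN1_DN
RemoteID:                     CN=peer7,O=Example
ExchangeMode:                 n/a
State:                        WAIT AUTH
AuthenticationAlgorithm:      HMAC-SHA2-256-128
PseudoRandomFunction:         HMAC-SHA2-256
DiffieHellmanGroup:           14
LocalAuthenticationMethod:    RsaSignature
RemoteAuthenticationMethod:   Unknown
NATTSupportLevel:             n/a
"""

FIELD_RE = re.compile(r"^\s*([A-Za-z0-9]+):\s*(.*?)\s*$")
LEGACY_HASHES = {"HMAC-MD5", "HMAC-MD5-96", "HMAC-SHA1", "HMAC-SHA1-96"}
WEAK_DH_GROUPS = {"0", "1", "2"}  # 0 = no group reported; 1 and 2 are 768/1024-bit MODP


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split the report into one dict per IKE tunnel, keyed by field name."""
    tunnels: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue                   # blank or non-field line
        key, value = m.groups()        # key stops at the first colon, so IPv6 values survive
        if key == "TunnelID":          # every tunnel block starts here
            tunnels.append({})
        if tunnels:
            tunnels[-1][key] = value
    return tunnels


def audit_tunnel(t: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one parsed tunnel."""
    tid = t.get("TunnelID", "?")
    findings: List[Tuple[str, str]] = []
    if t.get("State") != "DONE":
        findings.append(("NOT_ACTIVE", f"{tid}: State={t.get('State')}, not available for data traffic"))
    auth_methods = (t.get("LocalAuthenticationMethod"), t.get("RemoteAuthenticationMethod"))
    if t.get("IKEVersion", "").startswith("1.") and t.get("ExchangeMode") == "Aggressive" \
            and "PresharedKey" in auth_methods:
        # Aggressive mode sends the PSK-keyed hash unencrypted, so the PSK is open to offline guessing.
        findings.append(("AGGRESSIVE_PSK", f"{tid}: IKEv1 Aggressive mode with a preshared key"))
    for field in ("AuthenticationAlgorithm", "PseudoRandomFunction"):
        if t.get(field) in LEGACY_HASHES:
            findings.append(("LEGACY_HASH", f"{tid}: {field}={t[field]}; prefer HMAC-SHA2"))
    if t.get("DiffieHellmanGroup") in WEAK_DH_GROUPS:
        findings.append(("WEAK_DH", f"{tid}: DiffieHellmanGroup={t['DiffieHellmanGroup']}"))
    if t.get("RemoteAuthenticationMethod") == "Unknown":
        findings.append(("AUTH_PENDING", f"{tid}: IKEv2 initial exchanges not complete"))
    for field in ("LocalID", "RemoteID"):
        if t.get(field, "").endswith("..."):   # display truncation of long ID_KEY_ID values
            findings.append(("TRUNCATED", f"{tid}: {field} truncated; rerun with -r wide"))
    if t.get("NATTSupportLevel") in ("D2RFC", "D3RFC"):
        findings.append(("DRAFT_NATT", f"{tid}: pre-RFC 3947 NAT traversal draft negotiated"))
    return findings


def audit_report(text: str) -> List[Tuple[str, str]]:
    """Parse a whole report and concatenate the findings for every tunnel."""
    return [f for t in parse_report(text) for f in audit_tunnel(t)]


if __name__ == "__main__":
    for code, detail in audit_report(SAMPLE_REPORT):
        print(f"[{code}] {detail}")
```

In practice the input would be the captured output of ipsec -k display -r wide, so that ID_KEY_ID values arrive untruncated and the TRUNCATED check only fires when someone forgot the wide format; each finding code is meant to feed a ticket or a detection rule rather than to be read by hand.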