Responder

When z/OS® IKED is acting as responder:
  • Upon receipt of the IKE_SA_INIT request message, the IKE daemon uses the IP addresses of the initiator and responder to find the first applicable KeyExchangeRule that encapsulates these addresses. If a rule is found, it is considered to be tentative until the identity of the initiator becomes known. All KeyExchangePolicy settings applicable to the IKE_SA_INIT and IKE_AUTH exchanges are determined from this tentative rule, including SA proposal attributes, pre-shared key, and certificate authority (CA) labels.
  • Upon receipt of the IKE_AUTH request message, which includes the initiator's identity (IDi):
    • Step A: If the request message also contains the optional requested responder identity (IDr), the IKE daemon uses the IP addresses of the initiator and responder, plus both the initiator and responder identities contained in the request message, to find an applicable KeyExchangeRule. At this point:
      • If a KeyExchangeRule is not found, the negotiation continues to step B below.
      • If a KeyExchangeRule is found, and the SA is using pre-shared key identity protection in either direction, and the KeyExchangeRule's pre-shared key does not match the pre-shared key of the tentative KeyExchangeRule, the negotiation continues to step B below.
      • If a KeyExchangeRule is found, but it does not include an SA proposal that is consistent with the proposal accepted in the IKE_SA_INIT exchange, the negotiation continues to step B below.
      • Otherwise, the new KeyExchangeRule is considered final, and the negotiation proceeds. This KeyExchangeRule may contain a local security endpoint identity that is different from the tentative KeyExchangeRule.
    • Step B: If the request message does not contain the optional requested responder identity (IDr), or if it does but step A above fails, the IKE daemon uses the IP addresses of the initiator and responder, plus the identity of the initiator, to find an applicable KeyExchangeRule. At this point:
      • If a KeyExchangeRule is not found, the negotiation fails.
      • If a KeyExchangeRule is found, and the SA is using pre-shared key identity protection in either direction, and the KeyExchangeRule's pre-shared key does not match the pre-shared key of the tentative KeyExchangeRule, the negotiation fails.
      • If a KeyExchangeRule is found, but it does not include an SA proposal that is consistent with the proposal accepted in the IKE_SA_INIT exchange, the negotiation fails.
      • Otherwise, the new KeyExchangeRule is considered final, and the negotiation proceeds. This KeyExchangeRule may contain a local security endpoint identity that is different from the tentative KeyExchangeRule.
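The following is an added illustration of the responder-side selection described above, not code from z/OS IKED: a small constructed rule set and a function that picks the tentative rule from the IKE_SA_INIT addresses, then applies step A and step B (with the pre-shared key and proposal-consistency checks) when IDi and IDr arrive in IKE_AUTH. Rule field names, the sample addresses, identities, keys and proposal labels are all assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class KeyExchangeRule:          # constructed model: only the fields the steps consult
    name: str
    local_net: str                      # responder (z/OS) location
    remote_net: str                     # initiator location
    local_id: Optional[str] = None      # None: any responder identity (IDr)
    remote_id: Optional[str] = None     # None: any initiator identity (IDi)
    psk: Optional[bytes] = None
    proposals: frozenset = frozenset()

def find_rule(rules, local_ip, remote_ip, idi=None, idr=None):
    """First rule encapsulating both addresses and any identities supplied."""
    for r in rules:
        if (ip_address(local_ip) in ip_network(r.local_net)
                and ip_address(remote_ip) in ip_network(r.remote_net)
                and (idi is None or r.remote_id in (None, idi))
                and (idr is None or r.local_id in (None, idr))):
            return r
    return None

def check_final(tentative, cand, accepted, psk_auth):
    """Checks applied to a candidate final rule; None means it is rejected."""
    if cand is None or accepted not in cand.proposals:
        return None                     # no rule, or inconsistent with IKE_SA_INIT proposal
    if psk_auth and cand.psk != tentative.psk:
        return None                     # pre-shared key differs from the tentative rule
    return cand

def responder_select(rules, local_ip, remote_ip, idi, idr, accepted, psk_auth):
    """Return (tentative, final); final is None when the negotiation fails."""
    tentative = find_rule(rules, local_ip, remote_ip)      # IKE_SA_INIT: addresses only
    if tentative is None or accepted not in tentative.proposals:
        return tentative, None
    final = None
    if idr is not None:                                     # step A: IDi and IDr
        cand = find_rule(rules, local_ip, remote_ip, idi, idr)
        final = check_final(tentative, cand, accepted, psk_auth)
    if final is None:                                       # step B: IDi only
        cand = find_rule(rules, local_ip, remote_ip, idi)
        final = check_final(tentative, cand, accepted, psk_auth)
    return tentative, final

# Constructed rule set, listed in the order the daemon searches it.
RULES = (
    KeyExchangeRule("gw-alice", "10.0.0.0/8", "192.0.2.0/24", "gw.example", "alice@example", b"k2", frozenset({"AES-CBC"})),
    KeyExchangeRule("gw-any", "10.0.0.0/8", "192.0.2.0/24", "gw.example", None, b"k1", frozenset({"AES-GCM-16", "AES-CBC"})),
    KeyExchangeRule("catch-all", "10.0.0.0/8", "192.0.2.0/24", None, None, b"k1", frozenset({"AES-GCM-16", "AES-CBC"})),
)
```

Note that the tentative rule is the first address match regardless of identity, so an initiator whose identity does not match it can still end up on a different final rule, or fail outright when that rule's pre-shared key differs.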