Overview of diagnosing IP security and defensive filter problems

IPSec configuration files are input to the Policy Agent to establish a TCP/IP stack IP filter policy, Key Exchange policy, and LocalDynVpn policy. These configuration files consist of a number of configuration statements and parameters, documented in z/OS Communications Server: IP Configuration Reference, and can be coded manually in a flat file. Alternatively, IBM® provides the IBM Configuration Assistant for z/OS® Communications Server, which offers wizards and a set of reusable objects at a different level of abstraction than the manually coded statements. The IBM Configuration Assistant for z/OS Communications Server ultimately produces the Policy Agent configuration files on your behalf.

When diagnosing problems, it might be helpful to understand the relationship of the GUI level objects to the configuration file objects. Table 1 provides a brief mapping of these objects.

Table 1. GUI-level object mapping

Policy Agent object    IBM Configuration Assistant for z/OS Communications Server object
IpDataOffer            Configured in security levels implementing dynamic tunnels.
IpDynVpnAction         Security level implementing dynamic tunnels. A numeric suffix is appended to the security level name to guarantee uniqueness.
IpFilterRule           Connectivity rule. A numeric suffix is appended to the connectivity rule name to guarantee uniqueness.
IpManVpnAction         Security level implementing manual tunnels. A numeric suffix is appended to the security level name to guarantee uniqueness.
IpService              Configured in traffic descriptors. A numeric suffix is appended to the traffic descriptor name to guarantee uniqueness.
IpTimeCondition        Defined within either connectivity rules or security levels implementing manual tunnels.
KeyExchangeAction      Configured in connectivity rules. A numeric suffix is appended to the connectivity rule name to guarantee uniqueness.
KeyExchangeRule        Configured in connectivity rules. A numeric suffix is appended to the connectivity rule name to guarantee uniqueness.
LocalDynVpnRule        Configured in connectivity rules. Names are user specified.

The Policy Agent installs IP security policy into the stack and the IKE daemon. Specifically, IP filter policy is installed in the stack and Key Exchange policy and LocalDynVpn policy are installed in the IKE daemon. The stack enforces IP filter policy after it has been successfully installed. The IKE daemon enforces Key Exchange policy and LocalDynVpn policy after they have been successfully installed. The Traffic Regulation Management daemon (TRMD) reports IP security events to syslogd on behalf of the stack.

Defensive filters:

Defensive filters are deny filters that can be added through the ipsec command, typically by an external security information and event manager that has detected an attack. Defensive filters can be installed only in a TCP/IP stack that has IP security enabled. Defensive filters take priority over IP security filters: IP filter processing first checks a packet against any installed defensive filters for a match, and only then checks the IP security filters, so a packet that matches a defensive filter is denied even if the IP security filter policy would otherwise permit it.
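The lookup order described above, modelled as an added example. This is illustration code written for this page, not z/OS Communications Server code and not the ipsec command: it models only what the page states (defensive filters are deny filters, they can be installed only when IP security is enabled, and they are checked before the IP security filters, first match winning). The match fields, the sample filters and packets, and the default deny when nothing matches are assumptions made for the model.

```python
"""Model of defensive-filter precedence over IP security filters (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP protocol number, e.g. 6 = TCP
    dport: Optional[int] = None  # destination port, if any


@dataclass(frozen=True)
class Filter:
    name: str
    action: str                  # "permit" or "deny"
    src: str = "0.0.0.0/0"       # source prefix (assumed match field)
    dst: str = "0.0.0.0/0"       # destination prefix (assumed match field)
    proto: Optional[int] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src, strict=False)
                and ip_address(pkt.dst) in ip_network(self.dst, strict=False)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))


@dataclass
class Stack:
    name: str
    ipsecurity: bool = False                               # IP security enabled on this stack
    ipsec_filters: list = field(default_factory=list)      # IP filter policy installed by Policy Agent
    defensive_filters: list = field(default_factory=list)  # deny filters added via the ipsec command

    def add_defensive_filter(self, flt: Filter) -> None:
        # Page rule 1: defensive filters require IP security to be enabled.
        if not self.ipsecurity:
            raise RuntimeError(f"{self.name}: IP security is not enabled; "
                               "defensive filters cannot be installed")
        # Page rule 2: defensive filters are deny filters.
        if flt.action != "deny":
            raise ValueError("defensive filters are deny filters")
        self.defensive_filters.append(flt)

    def filter_packet(self, pkt: Packet) -> tuple:
        # Page rule 3: defensive filters are checked first; first match wins.
        for flt in self.defensive_filters:
            if flt.matches(pkt):
                return ("deny", "defensive:" + flt.name)
        # Only then is the IP security filter policy consulted.
        for flt in self.ipsec_filters:
            if flt.matches(pkt):
                return (flt.action, "ipsec:" + flt.name)
        # Assumption for this model: nothing matched, so deny.
        return ("deny", "default")


def install_result(stack: Stack, flt: Filter) -> Optional[str]:
    """Return None if the defensive filter was installed, else the error text."""
    try:
        stack.add_defensive_filter(flt)
        return None
    except (RuntimeError, ValueError) as exc:
        return str(exc)


def build_demo_stack() -> Stack:
    """Constructed sample: policy permits SSH from 10.0.0.0/8, denies the rest;
    a defensive filter then blocks one attacking host inside that range."""
    stack = Stack("TCPIP", ipsecurity=True, ipsec_filters=[
        Filter("allow-ssh", "permit", src="10.0.0.0/8", dst="10.2.2.2/32", proto=6, dport=22),
        Filter("deny-all", "deny"),
    ])
    stack.add_defensive_filter(Filter("block-attacker", "deny", src="10.1.1.5/32"))
    return stack


def demo() -> dict:
    """Run three constructed packets through the stack and return the decisions."""
    stack = build_demo_stack()
    packets = {
        "attacker_ssh": Packet("10.1.1.5", "10.2.2.2", 6, 22),  # policy would permit; defensive filter wins
        "peer_ssh": Packet("10.1.1.6", "10.2.2.2", 6, 22),      # no defensive match; policy permits
        "outsider_ssh": Packet("192.0.2.9", "10.2.2.2", 6, 22), # policy deny-all matches
    }
    return {name: stack.filter_packet(pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:14s} -> {decision}")
    print(install_result(Stack("TCPIPB", ipsecurity=False), Filter("x", "deny")))
```

The point to take from the model when diagnosing: a packet that the IP security filter policy permits can still be dropped, and the filter that dropped it is a defensive filter, not a policy filter, so the IP filter policy itself need not be wrong. Conversely, an attempt to add a defensive filter to a stack without IP security enabled fails before any filter is installed.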

Problems can occur in the following areas:
  • IP security policy installation
  • IP security and defensive filter output to syslogd
  • IP security operation
  • Adding and managing defensive filters